Cannot get agent configuration in Wazuh app for Splunk

vlvov
Explorer

Hi all, I have a problem using the Wazuh app (3.3.1). When I successfully connect the Wazuh manager in the Splunk app via the API, I want to get the agent configuration in agent->configuration (Wazuh app), but when I choose an agent I get no information.
/opt/splunk/var/log/splunk/web_access.log gives me information like this when I try to get config info from Splunk web (credentials info was removed from this):
...
127.0.0.1 - admin [23/Jul/2018:02:32:27.002 -0700] "GET /en-GB/custom/SplunkAppForWazuh/agents/info?ip=MANAGER_FQDN&port=PORT&user=USER&pass=PASS&id=029&=1532339993775 HTTP/1.1" 200 407 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" - 5b55a0ab222f221475ca50 890ms
127.0.0.1 - admin [23/Jul/2018:02:32:27.900 -0700] "GET /en-GB/custom/SplunkAppForWazuh/agents/group_configuration?ip=MANAGER_FQDN&port=PORT&user=USER&pass=PASS&id=host&=1532339993776 HTTP/1.1" 200 68 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" - 5b55a0ab222f225853d350 436ms

wazuh
Explorer

Hi @vlvov,

In order to check whether you currently have group configurations, please execute the following curl commands against the Wazuh API and paste the results here:

Get your list of groups:

    curl -u <api-user>:<api-pass> "http(s)://<wazuh-api-address>:<wazuh-api-port>/agents/groups?pretty"

Example:

    curl -u foo:bar "http://10.0.0.5:55000/agents/groups?pretty"

And:

Get the content of configuration files on each group:

    curl -u <api-user>:<api-pass> "http(s)://<wazuh-api-address>:<wazuh-api-port>/agents/groups/<group-name>/files/agent.conf?pretty"

Example:

    curl -u foo:bar "http://10.0.0.5:55000/agents/groups/default/files/agent.conf?pretty"

Thanks for your patience,

Best regards

0 Karma

vlvov
Explorer
  1. request

    {
      "error": 0,
      "data": {
        "totalItems": 3,
        "items": [
          {
            "count": 0,
            "conf_sum": "xxx",
            "merged_sum": "yyy",
            "name": "default"
          },
          {
            "count": 49,
            "conf_sum": "xxx1",
            "merged_sum": "yyy1",
            "name": "guest"
          },
          {
            "count": 11,
            "conf_sum": "xxx2",
            "merged_sum": "yyy2",
            "name": "host"
          }
        ]
      }
    }

  2. request in "guest"

    {
      "error": 0,
      "data": {
        "totalItems": 1,
        "items": [
          {
            "config": {},
            "filters": {}
          }
        ]
      }
    }

0 Karma

vlvov
Explorer

In "host" and "default", the same response.

0 Karma

wazuh
Explorer

Hi @vlvov,

The reason you're not seeing any configuration is that the configuration group in your agent.conf file is empty. You can check our official documentation in order to set a centralized configuration. https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

Regards

0 Karma
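
The two curl checks and the diagnosis in the reply above can be run as one pass over every group. This Python script is an added example, not part of the thread or of the Wazuh app: the function names are hypothetical, the sample data is constructed to match the responses posted above, and `api_get` assumes the same basic-auth endpoints used in the curl commands.

```python
import base64
import json
import urllib.request


def api_get(base_url, user, password, path):
    """GET a Wazuh API path with HTTP basic auth and return the parsed JSON."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def config_is_empty(conf_resp):
    """True when every item of an agent.conf response has an empty "config"."""
    if conf_resp.get("error") != 0:
        raise ValueError(f"API error: {conf_resp}")
    items = conf_resp.get("data", {}).get("items", [])
    return all(not item.get("config") for item in items)


def audit_groups(groups_resp, fetch_conf):
    """Return [(group, agent_count)] for groups whose agent.conf is empty.
    fetch_conf(name) must return the parsed agent.conf response for a group."""
    if groups_resp.get("error") != 0:
        raise ValueError(f"API error: {groups_resp}")
    empty = []
    for group in groups_resp["data"]["items"]:
        if config_is_empty(fetch_conf(group["name"])):
            empty.append((group["name"], group["count"]))
    # Groups with the most agents first: those affect the most hosts.
    return sorted(empty, key=lambda g: -g[1])


# Constructed sample data shaped like the responses posted in this thread.
SAMPLE_GROUPS = {"error": 0, "data": {"totalItems": 3, "items": [
    {"count": 0, "name": "default"}, {"count": 49, "name": "guest"},
    {"count": 11, "name": "host"}]}}
EMPTY_CONF = {"error": 0, "data": {"totalItems": 1,
                                   "items": [{"config": {}, "filters": {}}]}}

if __name__ == "__main__":
    # Offline run on the sample. For a live check, pass instead:
    # lambda g: api_get(URL, USER, PASS, f"/agents/groups/{g}/files/agent.conf")
    for name, count in audit_groups(SAMPLE_GROUPS, lambda g: EMPTY_CONF):
        print(f"{name}: agent.conf empty, {count} agent(s) get no shared config")
```
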