Cannot get agent configuration in Wazuh app for Splunk

vlvov
Explorer

Hi all, I have a problem using the Wazuh app (3.3.1). After I successfully connect the Wazuh manager in the Splunk app via the API, I want to get the agent configuration in Agent -> Configuration (Wazuh app), but when I choose an agent I get no information.
/opt/splunk/var/log/splunk/web_access.log gives me information like this when I try to get the config info from the Splunk web interface (credentials were removed from this):
...
127.0.0.1 - admin [23/Jul/2018:02:32:27.002 -0700] "GET /en-GB/custom/SplunkAppForWazuh/agents/info?ip=MANAGER_FQDN&port=PORT&user=USER&pass=PASS&id=029&=1532339993775 HTTP/1.1" 200 407 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" - 5b55a0ab222f221475ca50 890ms
127.0.0.1 - admin [23/Jul/2018:02:32:27.900 -0700] "GET /en-GB/custom/SplunkAppForWazuh/agents/group_configuration?ip=MANAGER_FQDN&port=PORT&user=USER&pass=PASS&id=host&=1532339993776 HTTP/1.1" 200 68 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" - 5b55a0ab222f225853d350 436ms

wazuh
Explorer

Hi @vlvov,

In order to check whether you currently have group configurations, please execute the following curl commands against the Wazuh API and paste the results here:

Get your list of groups:
curl -u <api-user>:<api-pass> "http(s)://<wazuh-api-address>:<wazuh-api-port>/agents/groups?pretty"
Example:
curl -u foo:bar "http://10.0.0.5:55000/agents/groups?pretty"

And:

Get the content of the configuration files of each group:
curl -u <api-user>:<api-pass> "http(s)://<wazuh-api-address>:<wazuh-api-port>/agents/groups/<group-name>/files/agent.conf?pretty"
Example:
curl -u foo:bar "http://10.0.0.5:55000/agents/groups/default/files/agent.conf?pretty"

Thanks for your patience,

Best regards

0 Karma

vlvov
Explorer
  1. request

    {
        "error": 0,
        "data": {
            "totalItems": 3,
            "items": [
                {
                    "count": 0,
                    "conf_sum": "xxx",
                    "merged_sum": "yyy",
                    "name": "default"
                },
                {
                    "count": 49,
                    "conf_sum": "xxx1",
                    "merged_sum": "yyy1",
                    "name": "guest"
                },
                {
                    "count": 11,
                    "conf_sum": "xxx2",
                    "merged_sum": "yyy2",
                    "name": "host"
                }
            ]
        }
    }

  2. request in "guest"

    {
        "error": 0,
        "data": {
            "totalItems": 1,
            "items": [
                {
                    "config": {},
                    "filters": {}
                }
            ]
        }
    }

0 Karma

vlvov
Explorer

In "host" and "default", same response.

0 Karma

wazuh
Explorer

Hi @vlvov,

The reason you're not seeing any configuration is that the configuration group in your agent.conf file is empty. You can check our official documentation in order to set a centralized configuration. https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

Regards

0 Karma
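
The diagnosis from this thread as an added example (not code from the Wazuh app or from either poster): it takes the two API responses posted above and flags every group whose agent.conf comes back with an empty config. The function names are made up for the illustration, and the "guest" response is reused for "default" and "host" because the poster reported the same response for them.

```python
import json

# API responses from the thread, compacted. The poster reported the same
# agent.conf response for all three groups, so one copy is reused (assumption).
GROUPS = json.loads('''{"error": 0, "data": {"totalItems": 3, "items": [
  {"count": 0,  "conf_sum": "xxx",  "merged_sum": "yyy",  "name": "default"},
  {"count": 49, "conf_sum": "xxx1", "merged_sum": "yyy1", "name": "guest"},
  {"count": 11, "conf_sum": "xxx2", "merged_sum": "yyy2", "name": "host"}]}}''')
EMPTY_CONF = json.loads('''{"error": 0, "data": {"totalItems": 1, "items": [
  {"config": {}, "filters": {}}]}}''')
AGENT_CONF = {"default": EMPTY_CONF, "guest": EMPTY_CONF, "host": EMPTY_CONF}


def items(response):
    """Return data.items, raising if the API reported an error."""
    if response.get("error") != 0:
        raise ValueError("API error: %r" % response)
    return response.get("data", {}).get("items", [])


def conf_is_empty(response):
    """True when every item in the response has an empty "config" object."""
    return all(not block.get("config") for block in items(response))


def audit(groups_response, conf_by_group):
    """Return (group, agent_count, status) for every group in the list."""
    report = []
    for group in items(groups_response):
        name, count = group["name"], group["count"]
        conf = conf_by_group.get(name)
        if conf is None:
            status = "agent.conf not fetched"
        elif conf_is_empty(conf):
            status = "empty agent.conf"
        else:
            status = "configured"
        report.append((name, count, status))
    return report


if __name__ == "__main__":
    for name, count, status in audit(GROUPS, AGENT_CONF):
        print("%-8s agents=%-3d %s" % (name, count, status))
```
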