OSSEC Agent Management configuration

dlynum
Explorer

I'm new to OSSEC. I've got version 2.6 of OSSEC installed, running, and sending me alerts. Since I'm only monitoring one host with OSSEC, I did a local install. I'm running Splunk 4.2.3, and your Splunk for OSSEC plugin. When I went to the Agent Management page, and clicked on "List Agents", I received the message "This OSSEC Server is not configured for agent management."

How do I configure agent management?

Thanks

southeringtonp
Motivator

The agent screens in Splunk for OSSEC are really meant for dealing with OSSEC agent keys, which are used to identify individual remote OSSEC agents and protect data in transit.

As ddpbsd pointed out, these are really more applicable for multi-system installations. If you are only going to run a single system, the agent management screens will not be particularly useful.

That said, you configure agent management by creating/editing the file called ossec_servers.conf in your $SPLUNK_HOME/etc/apps/ossec/local directory.

Take a look at the README file included with Splunk for OSSEC for more detail, and if anything doesn't make sense feel free to ask. But essentially you need to provide a path for Splunk to execute OSSEC's manage_agents and agent_control commands.

0 Karma
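As an added preflight check (example code, not part of the Splunk for OSSEC app or its README), the script below decides whether an OSSEC host can back the Agent Management screens at all: it reads the install type the OSSEC installer records in /etc/ossec-init.conf (TYPE="local", "server", "agent" or "hybrid"), confirms that manage_agents and agent_control exist and are executable under the install directory, and lists agents from etc/client.keys (one "ID NAME IP KEY" line per agent) without ever printing the shared key. The file paths passed as arguments, the sample ossec-init.conf contents and the sample client.keys lines are constructed for the example; the format of ossec_servers.conf itself is left to the app's README.

```shell
#!/bin/sh
# Added example: preflight for Splunk for OSSEC agent management.
# Assumes the OSSEC installer wrote an ossec-init.conf with a TYPE= line
# and that the server tools live under $DIRECTORY/bin (assumption, not
# taken from the app).

# Print the install type recorded in an ossec-init.conf file.
ossec_install_type() {
    conf=${1:-/etc/ossec-init.conf}
    [ -r "$conf" ] || return 1
    sed -n 's/^TYPE="\{0,1\}\([a-z]*\)"\{0,1\}$/\1/p' "$conf"
}

# Succeed only if both agent-management tools are executable under $1/bin.
ossec_agent_tools_present() {
    root=$1
    [ -x "$root/bin/manage_agents" ] && [ -x "$root/bin/agent_control" ]
}

# List agents from client.keys ("ID NAME IP KEY"), printing ID NAME IP only,
# so the per-agent shared key never reaches a terminal or a Splunk index.
# Lines beginning with '#' are skipped as comments.
ossec_list_agents() {
    keys=$1
    [ -r "$keys" ] || return 1
    awk '$1 !~ /^#/ && NF >= 4 { print $1, $2, $3 }' "$keys"
}

# Verdict: "unsupported:<type>" for local/agent installs (no agents to
# manage), "ok" when a server/hybrid install has both tools,
# "missing-tools" otherwise, "no-init-conf" if the init file is unreadable.
ossec_agent_mgmt_status() {
    conf=$1
    root=$2
    itype=$(ossec_install_type "$conf") || { echo "no-init-conf"; return 1; }
    case $itype in
        server|hybrid) ;;
        *) echo "unsupported:$itype"; return 1 ;;
    esac
    if ossec_agent_tools_present "$root"; then
        echo ok
        return 0
    fi
    echo missing-tools
    return 1
}

# Usage on a real host (paths are the OSSEC defaults):
#   ossec_agent_mgmt_status /etc/ossec-init.conf /var/ossec
#   ossec_list_agents /var/ossec/etc/client.keys
```

On the original poster's local install the verdict is "unsupported:local", which is exactly the situation the app reports as "not configured for agent management"; only a server or hybrid install with both binaries present is worth pointing ossec_servers.conf at.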

ddpbsd
Engager

"Agents" in this context refers to OSSEC agents. OSSEC agents are systems running OSSEC and reporting log messages, file integrity checksums, and other information to a centralized OSSEC server.

A local OSSEC install will not have any agents.

dlynum
Explorer

OK. Thanks ddpbsd. I think that part of my concern was, being new to this app, I didn't see any data when I went to the dashboard for it. But as of right now I'm seeing data. Thanks

0 Karma

ddpbsd
Engager

That's entirely up to you. If you don't want to monitor another system, adding it as an agent is probably not a good idea.

0 Karma

dlynum
Explorer

Since I'm only monitoring a single server, would it make any sense for me to add an agent onto it so that I can use Splunk for OSSEC to its potential?

0 Karma