I'm new to OSSEC. I've got version 2.6 of OSSEC installed, running, and sending me alerts. Since I'm only monitoring one host with OSSEC, I did a local install. I'm running Splunk 4.2.3, and your Splunk for OSSEC plugin. When I went to the Agent Management page, and clicked on "List Agents", I received the message "This OSSEC Server is not configured for agent management."
How do I configure agent management?
Thanks
The agent screens in Splunk for OSSEC are really meant for dealing with OSSEC agent keys, which are used to identify individual remote OSSEC agents and protect data in transit.
As ddpbsd pointed out, these are really more applicable for multi-system installations. If you are only going to run a single system, the agent management screens will not be particularly useful.
That said, you configure agent management by creating/editing the file called ossec_servers.conf in your $SPLUNK_HOME/etc/apps/ossec/local directory.
Take a look at the README file included with Splunk for OSSEC for more detail, and if anything doesn't make sense feel free to ask. But essentially you need to provide a path for Splunk to execute OSSEC's manage_agents and agent_control commands.
"Agents" in this context refers to OSSEC agents. OSSEC agents are systems running OSSEC and reporting log messages, file integrity checksums, and other information to a centralized OSSEC server.
A local OSSEC install will not have any agents.
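A quick pre-flight check that ties the two answers above together, as an added example that is not from this thread or from the Splunk for OSSEC app: before filling in ossec_servers.conf, confirm whether the OSSEC install is a local install (no agents, so the agent screens will stay empty) and whether the manage_agents and agent_control binaries Splunk needs to execute are actually present. It assumes the default OSSEC 2.x layout, where ossec-init.conf under etc/ records the install type as TYPE="local", "server" or "agent" and the binaries live under bin/; pass a different OSSEC directory as the first argument if yours is elsewhere.

```shell
#!/bin/sh
# Pre-flight check before enabling agent management in Splunk for OSSEC.
# Added example, not code from the app or the thread.
# Assumption: OSSEC 2.x layout, i.e. $OSSEC_DIR/etc/ossec-init.conf holds a
# line like TYPE="local" and the tools sit in $OSSEC_DIR/bin.

# Print the install type recorded in ossec-init.conf, or "unknown" if the
# file is unreadable or has no TYPE line. Always exits 0; the value is the
# answer, so callers can capture it safely under `set -e`.
ossec_install_type() {
    dir="${1:-/var/ossec}"
    init="$dir/etc/ossec-init.conf"
    if [ ! -r "$init" ]; then
        echo unknown
        return 0
    fi
    # Accept TYPE="server" as well as an unquoted TYPE=server.
    t=$(sed -n 's/^TYPE="\{0,1\}\([a-z]*\)"\{0,1\}.*/\1/p' "$init" | head -n 1)
    echo "${t:-unknown}"
}

# Report whether this install can back the Splunk agent screens:
# prints the paths to put in ossec_servers.conf (or what is missing) and the
# install type, and returns 0 only for a server install with both tools.
ossec_agent_mgmt_ready() {
    dir="${1:-/var/ossec}"
    itype=$(ossec_install_type "$dir")
    ok=0
    for bin in manage_agents agent_control; do
        if [ -x "$dir/bin/$bin" ]; then
            echo "$bin: $dir/bin/$bin"
        else
            echo "$bin: missing or not executable under $dir/bin"
            ok=1
        fi
    done
    case "$itype" in
        server)
            echo "install type: server (agent management applies)" ;;
        local)
            echo "install type: local (no agents; agent screens will stay empty)"
            ok=1 ;;
        *)
            echo "install type: $itype (not an OSSEC server)"
            ok=1 ;;
    esac
    return $ok
}

# Usage: sh ossec_precheck.sh [/path/to/ossec]
if [ "${0##*/}" = "ossec_precheck.sh" ]; then
    ossec_agent_mgmt_ready "${1:-/var/ossec}"
fi
```

On the single-host local install from the question this prints "install type: local" and exits non-zero, which is the same situation the "not configured for agent management" message is describing; on a server install it prints the two absolute paths you can copy into ossec_servers.conf.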
Ok. Thanks ddpbsd. I think that part of my concern was, being new to this app, I didn't see any data when I went to the dashboard for it. But as of right now I'm seeing data. Thanks
Since I'm only monitoring a single server, would it make any sense for me to add an agent onto it so that I can use Splunk for OSSEC to its potential?
That's entirely up to you. If you don't want to monitor another system, adding it as an agent is probably not a good idea.