When I look in my OSSEC Dashboard all 600 agents are disconnected. I'm also seeing the msgs not parsed correctly. The top signatures over time shows all sigs with a _ Null value.
I have ossec set to forward its syslog messages to splunk on a specific port with source_type set to ossec.
Running # ./ossec_agent_status.py -v
Gives:
Querying ossec1
OSSEC interface initialized.
Server: ossec1, Error: Unable to run data collection. Error: Password prompt encountered. Aborting.
Querying ossec
OSSEC interface initialized.
Server: ossec, Error: Unable to run data collection. Error: Password prompt encountered. Aborting.
Querying splunk1
OSSEC interface initialized.
Server: splunk1, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.
version: 2.3 ($Revision: 399 $)
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/var/ossec/bin/agent_control', '-l']
searcher: searcher_re:
0: re.compile("ID:(.*)List of agentless devices:")
1: re.compile("(?i)password")
buffer (last 100 chars):
before (last 100 chars): sudo: /var/ossec/bin/agent_control: command not found
Just figured it out! It's because the agent count never had been past 000. Once you had an agent, it works great!
Ah, that makes sense now that you say it. Nice catch. I'd still consider this a bug -- shouldn't be hard to fix in a subsequent app release.
To clarify for any others who may read this post -- the agent counter being 000 is the right fix for the problem you (j0shrice) are having, but the answer I posted earlier is still the right solution for the question originally asked by grfjonp.
I also do not get the password prompt error. I just get the "Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform" ERROR.
Look closely at the error message -- it's telling you the problem is that it's receiving a password prompt. For the remote collection commands to work, Splunk must be able to log into the OSSEC server and run commands without a password. That means you need to verify two things:
In this case the problem references sudo, so focus on the second bullet point. It sounds like either you forgot to add the required configuration to the sudoers file, or there's a typo somewhere.
Refer to this post for what needs to be configured, in the section under Remote Access Configuration:
http://answers.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec....
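As an added example (not the app's own code), a small parser for the output of `sudo /var/ossec/bin/agent_control -l` that reuses the two regexes from the pexpect trace above and distinguishes the failure modes seen in this thread: a sudo password prompt, `agent_control` missing from sudo's path, and a listing that contains only the server entry (ID 000). The per-agent line format and the sample outputs are constructed assumptions.

```python
import re

# Both patterns come from the pexpect searcher shown in the error trace.
# pexpect compiles its patterns with re.DOTALL, so the first one spans lines.
AGENT_BLOCK_RE = re.compile(r"ID:(.*)List of agentless devices:", re.DOTALL)
PASSWORD_RE = re.compile(r"(?i)password")
# Assumed per-agent line format of `agent_control -l`:
#   ID: 001, Name: web1, IP: 10.0.0.5, Active
AGENT_LINE_RE = re.compile(
    r"ID:\s*(?P<id>\d+),\s*Name:\s*(?P<name>[^,]+?),\s*IP:\s*(?P<ip>[^,]+),\s*(?P<status>.+)"
)

def classify_agent_control_output(text):
    """Return (status, agents) for captured `sudo agent_control -l` output."""
    if PASSWORD_RE.search(text):
        # sudo asked for a password: the sudoers entry for the Splunk user is missing or wrong
        return "password_prompt", []
    if "command not found" in text:
        # sudo could not find the binary: check the path used in sudoers and in the app
        return "command_not_found", []
    m = AGENT_BLOCK_RE.search(text)
    if not m:
        return "unparseable", []
    agents = []
    for line in ("ID:" + m.group(1)).splitlines():
        lm = AGENT_LINE_RE.search(line)
        if lm:
            agents.append({k: lm.group(k).strip() for k in ("id", "name", "ip", "status")})
    # Only the server itself (ID 000) listed: no real agents enrolled yet
    if not agents or all(a["id"] == "000" for a in agents):
        return "no_agents", agents
    return "ok", agents

# Constructed sample outputs for the four situations above
SAMPLE_OK = """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec1 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web1, IP: 10.0.0.5, Active

List of agentless devices:
"""
SAMPLE_SERVER_ONLY = """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec1 (server), IP: 127.0.0.1, Active/Local

List of agentless devices:
"""
SAMPLE_PROMPT = "[sudo] password for splunk: "
SAMPLE_NOT_FOUND = "sudo: /var/ossec/bin/agent_control: command not found\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SERVER_ONLY, SAMPLE_PROMPT, SAMPLE_NOT_FOUND):
        print(classify_agent_control_output(sample))
```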
I am not trying to connect remotely. This is for local access. I get the following error when running this command as root.
python ossec_agent_status.py
Server: hostname, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.
version: 2.3 ($Revision: 399 $)
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/var/ossec/bin/agent_control', '-l']
Have the same problem. Still no answer grfjonp?