
OSSEC Agent stats blank, but rebuild scripts work

gfrjonp
Explorer

When I look in my OSSEC Dashboard all 600 agents are disconnected. I'm also seeing the msgs not parsed correctly. The top signatures over time shows all sigs with a _ Null value.

I have ossec set to forward its syslog messages to splunk on a specific port with source_type set to ossec.

Running # ./ossec_agent_status.py -v

Gives:

Querying ossec1
OSSEC interface initialized.
Server: ossec1, Error: Unable to run data collection. Error: Password prompt encountered. Aborting.
Querying ossec
OSSEC interface initialized.
Server: ossec, Error: Unable to run data collection. Error: Password prompt encountered. Aborting.
Querying splunk1
OSSEC interface initialized.
Server: splunk1, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.

version: 2.3 ($Revision: 399 $)
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/var/ossec/bin/agent_control', '-l']
searcher: searcher_re:
0: re.compile("ID:(.*)List of agentless devices:")
1: re.compile("(?i)password")
buffer (last 100 chars):
before (last 100 chars): sudo: /var/ossec/bin/agent_control: command not found

0 Karma

j0shrice
Path Finder

Just figured it out! It's because the agent count never had been past 000. Once you had an agent, it works great!

southeringtonp
Motivator

Ah, that makes sense now that you say it. Nice catch. I'd still consider this a bug -- shouldn't be hard to fix in a subsequent app release.

To clarify for any others who may read this post -- the agent counter being 000 is the right fix for the problem you (j0shrice) are having, but the answer I posted earlier is still the right solution for the question originally asked by gfrjonp.

0 Karma

j0shrice
Path Finder

I also do not get the password prompt error. I just get the "Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform" ERROR.

0 Karma

southeringtonp
Motivator

Look closely at the error message -- it's telling you the problem is that it's receiving a password prompt. For the remote collection commands to work, Splunk must be able to log into the OSSEC server and run commands without a password. That means you need to verify two things:

  1. The Splunk user (usually root) must be able to log into the OSSEC server without a password
  2. The user on the OSSEC server must be able to run the specific sudo commands required without a password

In this case the problem references sudo, so focus on the second bullet point. It sounds like either you forgot to add the required configuration to the sudoers file, or there's a typo somewhere.

Refer to this post for what needs to be configured, in the section under Remote Access Configuration:
http://answers.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec....

0 Karma
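The sudo precondition from the answer above and the "no agents beyond 000" case j0shrice found can both be checked with a short script. The following is an added example, not code from the Splunk for OSSEC app; it runs the same command the app does but with `sudo -n`, so a missing NOPASSWD rule fails immediately instead of hanging on a password prompt, and it assumes the `agent_control -l` line format noted in its comment (the sample output is constructed).

```python
import re
import subprocess

# Command the app runs on the OSSEC server (from the debug output in this thread),
# with sudo -n added so a missing NOPASSWD rule errors out instead of prompting.
AGENT_CONTROL_CMD = ["/usr/bin/sudo", "-n", "/var/ossec/bin/agent_control", "-l"]

# Assumed line format of 'agent_control -l': "ID: 001, Name: web01, IP: 10.0.0.5, Active"
AGENT_RE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(.*?),\s*IP:\s*([^,]+),\s*(.*)")

def classify_output(returncode, output):
    """Map one run of the command to the failure modes seen in this thread.
    'output' is stdout and stderr combined, as pexpect's buffer would hold it."""
    if "command not found" in output or "No such file" in output:
        return "command-not-found"   # wrong path, or agent_control absent on this host
    if re.search(r"(?i)password", output):
        return "password-prompt"     # sudoers lacks a NOPASSWD rule for this exact command
    if returncode != 0:
        return "failed"
    return "ok"

def parse_agent_list(output):
    """Parse 'agent_control -l' into a list of agents. ID 000 is the OSSEC server
    itself and is skipped, so a server with no enrolled agents yields [] instead
    of an error (the situation j0shrice describes)."""
    agents = []
    for line in output.splitlines():
        m = AGENT_RE.search(line)
        if not m or m.group(1) == "000":
            continue
        agents.append({"id": m.group(1), "name": m.group(2).strip(),
                       "ip": m.group(3).strip(), "status": m.group(4).strip()})
    return agents

def collect_agents(run=subprocess.run):
    """Run the command locally (as the Splunk user) and return (status, agents)."""
    proc = run(AGENT_CONTROL_CMD, capture_output=True, text=True)
    status = classify_output(proc.returncode, proc.stdout + proc.stderr)
    return status, (parse_agent_list(proc.stdout) if status == "ok" else [])

# Constructed sample output (not captured from a real server) for a stand-alone run.
SAMPLE_OK = """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Active
   ID: 002, Name: db01, IP: 10.0.0.6, Disconnected

List of agentless devices:
"""
```

Running `collect_agents()` on the OSSEC server as the user Splunk connects with tells you in one call whether the sudoers entry is missing, the path is wrong, or the list is simply empty.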

j0shrice
Path Finder

I am not trying to connect remote. This is for local access. I get the following error when running this command as root.

python ossec_agent_status.py

Server: hostname, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.

version: 2.3 ($Revision: 399 $)
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/var/ossec/bin/agent_control', '-l']

0 Karma

j0shrice
Path Finder

Have the same problem. Still no answer Gfrjonp?

0 Karma