All Apps and Add-ons

OSSECNotConfiguredError after upgrade

att35
Builder

Hi,

We recently upgraded our Splunk instances to latest version (6.1.0). Now, whenever I do "List Agents" from OSSEC App in Splunk, following message is displayed.

OSSECNotConfiguredError This OSSEC Server is not configured for agent management. Error

I tried to initialize and re-built OSSEC lookup table but that doesn't fix it. We are using multiple splunk instances and I noticed this issue on all.(Each upgraded to 6.1.0)

Please Advise.

Thanks,

Abhi

0 Karma
1 Solution

rivy4321
Engager

Hi Abhi,

I fixed it like this.

->1. Change the following lines in /opt/splunk/etc/apps/ossec/bin/pyOSSEC.py

Original:
cfg = parse_config_file('../local/ossec_servers.conf', cfg)


New:
cfg = parse_config_file(os.environ['SPLUNK_HOME'] + '/etc/apps/ossec/local/ossec_servers.conf')

->2. Create a file /opt/splunk/etc/apps/ossec/bin/sshwrap



#!/bin/sh

LD_LIBRARY_PATH=/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

/usr/bin/ssh "$@"


And make is executable :
chmod 755 /opt/splunk/etc/apps/ossec/bin/sshwrap

->3. Adapt the ssh executable in /opt/splunk/etc/apps/ossec/local/ossec_servers.conf to point to the wrappers script.

Old:
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

New:
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

That did the trick for me.

Best regards,


Thomas Elsen

View solution in original post

rivy4321
Engager

Hi Abhi,

I fixed it like this.

->1. Change the following lines in /opt/splunk/etc/apps/ossec/bin/pyOSSEC.py

Original:
cfg = parse_config_file('../local/ossec_servers.conf', cfg)


New:
cfg = parse_config_file(os.environ['SPLUNK_HOME'] + '/etc/apps/ossec/local/ossec_servers.conf')

->2. Create a file /opt/splunk/etc/apps/ossec/bin/sshwrap



#!/bin/sh

LD_LIBRARY_PATH=/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

/usr/bin/ssh "$@"


And make is executable :
chmod 755 /opt/splunk/etc/apps/ossec/bin/sshwrap

->3. Adapt the ssh executable in /opt/splunk/etc/apps/ossec/local/ossec_servers.conf to point to the wrappers script.

Old:
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

New:
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

That did the trick for me.

Best regards,


Thomas Elsen

Bloodnite
Path Finder

A thousand times.... THANK YOU. Followed your steps and the OSSEC agent Management piece is working again now!!!!!

0 Karma

bkcarter
Path Finder

Step 1 also fixed the issues I was having with it erroring out on the List Agents button with v6.01 and 1.189 version of the app.

Thanks!

0 Karma

att35
Builder

Hi Thomas,

It's working fine now.

In my case, Step 1 fixes the issue. I had to add the line you mentioned so that Splunk uses the correct ossec_servers.conf file.

Thanks again for all the help.

Abhi

0 Karma

rivy4321
Engager

Hi Abhi,

I suggest you first follow the steps in this answer.

http://answers.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec

Afterwards you have to apply the above fixes.

Best regards,
Thomas

0 Karma

att35
Builder

Then I changed both entries to exactly as they worked for you, i.e.

[_local]
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

Still no change. Restarted Splunk but OSSEC app still comes not configured.

Did I do any step incorrectly?

Many Thanks,

Abhi

0 Karma

att35
Builder

Now, in this file, instead of
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

It had:

[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents

Could it be because both OSSEC and Splunk are on the same server?

I appended the above lines with the sshwrap entry as you mentioned but that did not help.

0 Karma

att35
Builder

Hi Thomas,

Thanks for replying.

I tried these steps but it is still showing OSSEC not configured. I did notice few differences in the configuration I have.
Steps 1 & 2 done exactly as mentioned in your response.

On Step 3, ossec_servers.conf is under /opt/splunk/etc/apps/ossec/default. "local" directory is not present.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...