OSSECNotConfiguredError after upgrade

att35
Builder

Hi,

We recently upgraded our Splunk instances to the latest version (6.1.0). Now, whenever I do "List Agents" from the OSSEC App in Splunk, the following message is displayed.

OSSECNotConfiguredError This OSSEC Server is not configured for agent management. Error

I tried to initialize and rebuild the OSSEC lookup table, but that doesn't fix it. We are using multiple Splunk instances and I noticed this issue on all of them (each upgraded to 6.1.0).

Please Advise.

Thanks,

Abhi

0 Karma
1 Solution

rivy4321
Engager

Hi Abhi,

I fixed it like this.

->1. Change the following lines in /opt/splunk/etc/apps/ossec/bin/pyOSSEC.py

Original:
cfg = parse_config_file('../local/ossec_servers.conf', cfg)


New:
cfg = parse_config_file(os.environ['SPLUNK_HOME'] + '/etc/apps/ossec/local/ossec_servers.conf')

->2. Create a file /opt/splunk/etc/apps/ossec/bin/sshwrap



#!/bin/sh

LD_LIBRARY_PATH=/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

/usr/bin/ssh "$@"


And make it executable:
chmod 755 /opt/splunk/etc/apps/ossec/bin/sshwrap

->3. Adapt the ssh executable in /opt/splunk/etc/apps/ossec/local/ossec_servers.conf to point to the wrapper script.

Old:
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

New:
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

That did the trick for me.

Best regards,


Thomas Elsen
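
A check for the three steps above, as an added example that is not part of the original post and not the OSSEC app's own code. It assumes the stanza and key layout shown in this thread; the function names and status strings are hypothetical.

```python
import configparser
import os
import shlex
import stat

KEYS = ("AGENT_CONTROL", "MANAGE_AGENTS")  # the two keys shown in the thread

def local_conf(splunk_home):
    # Same absolute path the patched pyOSSEC.py line builds from SPLUNK_HOME.
    return os.path.join(splunk_home, "etc/apps/ossec/local/ossec_servers.conf")

def check_command(cmdline):
    """Classify the executable (first word) of one configured command line."""
    exe = shlex.split(cmdline)[0]
    if not os.path.isabs(exe):
        return "relative"            # resolved via PATH of the Splunk process
    if not os.path.isfile(exe):
        return "missing"
    mode = os.stat(exe).st_mode
    if not mode & stat.S_IXUSR:
        return "not-executable"      # the chmod 755 step was skipped
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable-by-others"  # wrapper fronts sudo commands; keep it 755
    return "ok"

def audit(splunk_home):
    """Return {(stanza, key): status}, or {'conf': 'missing'} without a local/ copy."""
    path = local_conf(splunk_home)
    if not os.path.isfile(path):
        return {"conf": "missing"}   # e.g. the file exists only under default/
    # strict=False tolerates keys appended twice to one stanza (last one wins).
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str         # keep keys upper-case as written
    parser.read(path)
    report = {}
    for stanza in parser.sections():
        for key in KEYS:
            if parser.has_option(stanza, key):
                report[(stanza, key)] = check_command(parser.get(stanza, key))
            else:
                report[(stanza, key)] = "unset"
    return report

if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    for item, status in audit(home).items():
        print(item, status)
```

Run it as the user Splunk runs as; a "relative" result is the pre-fix `ssh ...` form, and "conf missing" means the patched line has no local/ossec_servers.conf to read.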

Bloodnite
Path Finder

A thousand times.... THANK YOU. Followed your steps and the OSSEC agent Management piece is working again now!!!!!

0 Karma

bkcarter
Path Finder

Step 1 also fixed the issues I was having with it erroring out on the List Agents button with v6.01 and 1.189 version of the app.

Thanks!

0 Karma

att35
Builder

Hi Thomas,

It's working fine now.

In my case, Step 1 fixes the issue. I had to add the line you mentioned so that Splunk uses the correct ossec_servers.conf file.

Thanks again for all the help.

Abhi

0 Karma

rivy4321
Engager

Hi Abhi,

I suggest you first follow the steps in this answer.

http://answers.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec

Afterwards you have to apply the above fixes.

Best regards,
Thomas

0 Karma

att35
Builder

Then I changed both entries to exactly as they worked for you, i.e.

[_local]
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

Still no change. Restarted Splunk, but the OSSEC app still comes up as not configured.

Did I do any step incorrectly?

Many Thanks,

Abhi

0 Karma

att35
Builder

Now, in this file, instead of
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

It had:

[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents

Could it be because both OSSEC and Splunk are on the same server?

I appended the above lines with the sshwrap entry as you mentioned but that did not help.

0 Karma

att35
Builder

Hi Thomas,

Thanks for replying.

I tried these steps but it is still showing OSSEC not configured. I did notice a few differences in the configuration I have.
Steps 1 & 2 were done exactly as mentioned in your response.

On Step 3, ossec_servers.conf is under /opt/splunk/etc/apps/ossec/default. "local" directory is not present.

0 Karma