OSSECNotConfiguredError after upgrade

att35
Builder

Hi,

We recently upgraded our Splunk instances to the latest version (6.1.0). Now, whenever I do "List Agents" from the OSSEC App in Splunk, the following message is displayed.

OSSECNotConfiguredError This OSSEC Server is not configured for agent management. Error

I tried to initialize and rebuild the OSSEC lookup table, but that doesn't fix it. We are using multiple Splunk instances and I noticed this issue on all of them (each upgraded to 6.1.0).

Please Advise.

Thanks,

Abhi

0 Karma
1 Solution

rivy4321
Engager

Hi Abhi,

I fixed it like this.

->1. Change the following lines in /opt/splunk/etc/apps/ossec/bin/pyOSSEC.py

Original:
cfg = parse_config_file('../local/ossec_servers.conf', cfg)


New:
cfg = parse_config_file(os.environ['SPLUNK_HOME'] + '/etc/apps/ossec/local/ossec_servers.conf')

->2. Create a file /opt/splunk/etc/apps/ossec/bin/sshwrap



#!/bin/sh

LD_LIBRARY_PATH=/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

/usr/bin/ssh "$@"


And make it executable:
chmod 755 /opt/splunk/etc/apps/ossec/bin/sshwrap

->3. Adapt the ssh executable in /opt/splunk/etc/apps/ossec/local/ossec_servers.conf to point to the wrapper script.

Old:
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

New:
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

That did the trick for me.

Best regards,


Thomas Elsen
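
A quick check for the two path problems this thread runs into, as an added example that is not part of the original posts or of the OSSEC app's code: it looks for ossec_servers.conf under local/, where the line from step 1 points, and verifies that the first word of each AGENT_CONTROL / MANAGE_AGENTS command resolves to an executable. The function names, the Python 3 standard-library parsing and the sample tree built by demo() are assumptions constructed for illustration.

```python
import configparser
import os
import shlex
import shutil
import tempfile

REQUIRED = ("AGENT_CONTROL", "MANAGE_AGENTS")  # the two keys shown in the post

def check_ossec_servers(splunk_home):
    """Return (path_read, problems) for the OSSEC app's ossec_servers.conf."""
    app = os.path.join(splunk_home, "etc", "apps", "ossec")
    local = os.path.join(app, "local", "ossec_servers.conf")
    if not os.path.isfile(local):
        # Step 1's path points at local/; flag the case where only default/ has the file.
        in_default = os.path.isfile(os.path.join(app, "default", "ossec_servers.conf"))
        return None, ["missing " + local + (" (present in default/ only)" if in_default else "")]
    conf = configparser.ConfigParser(interpolation=None)
    conf.optionxform = str  # keep the upper-case key names
    conf.read(local)
    problems = []
    for stanza in conf.sections():
        for key in REQUIRED:
            argv = shlex.split(conf.get(stanza, key, fallback=""))
            if not argv:
                problems.append("[%s] %s is not set" % (stanza, key))
            elif shutil.which(argv[0]) is None:  # bare names are looked up on PATH
                problems.append("[%s] %s: %s not found or not executable" % (stanza, key, argv[0]))
    return local, problems

def demo():
    """Constructed layout: conf in default/ only, then copied into local/."""
    home = tempfile.mkdtemp()
    app = os.path.join(home, "etc", "apps", "ossec")
    for sub in ("bin", "default", "local"):
        os.makedirs(os.path.join(app, sub))
    wrap = os.path.join(app, "bin", "sshwrap")
    with open(wrap, "w") as f:
        f.write('#!/bin/sh\n/usr/bin/ssh "$@"\n')
    os.chmod(wrap, 0o755)
    # Constructed sample: only AGENT_CONTROL is defined, so MANAGE_AGENTS gets reported.
    stanza = "[_local]\nAGENT_CONTROL = %s ossec -t -l splunk sudo /var/ossec/bin/agent_control -l\n" % wrap
    with open(os.path.join(app, "default", "ossec_servers.conf"), "w") as f:
        f.write(stanza)
    before = check_ossec_servers(home)
    shutil.copy(os.path.join(app, "default", "ossec_servers.conf"), os.path.join(app, "local"))
    after = check_ossec_servers(home)
    shutil.rmtree(home)
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real host, call check_ossec_servers(os.environ['SPLUNK_HOME']) as the user Splunk runs as, so the executable check reflects that user's PATH and permissions.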

Bloodnite
Path Finder

A thousand times.... THANK YOU. Followed your steps and the OSSEC agent Management piece is working again now!!!!!

0 Karma

bkcarter
Path Finder

Step 1 also fixed the issues I was having with it erroring out on the List Agents button with v6.01 and 1.189 version of the app.

Thanks!

0 Karma

att35
Builder

Hi Thomas,

It's working fine now.

In my case, Step 1 fixes the issue. I had to add the line you mentioned so that Splunk uses the correct ossec_servers.conf file.

Thanks again for all the help.

Abhi

0 Karma

rivy4321
Engager

Hi Abhi,

I suggest you first follow the steps in this answer.

http://answers.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec

Afterwards you have to apply the above fixes.

Best regards,
Thomas

0 Karma

att35
Builder

Then I changed both entries to exactly as they worked for you, i.e.

[_local]
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

Still no change. Restarted Splunk but the OSSEC app still comes up as not configured.

Did I do any step incorrectly?

Many Thanks,

Abhi

0 Karma

att35
Builder

Now, in this file, instead of
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

It had:

[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents

Could it be because both OSSEC and Splunk are on the same server?

I appended the above lines with the sshwrap entry as you mentioned but that did not help.

0 Karma

att35
Builder

Hi Thomas,

Thanks for replying.

I tried these steps but it is still showing OSSEC not configured. I did notice a few differences in the configuration I have.
Steps 1 & 2 done exactly as mentioned in your response.

On Step 3, ossec_servers.conf is under /opt/splunk/etc/apps/ossec/default. The "local" directory is not present.

0 Karma