Hi,
We recently upgraded our Splunk instances to the latest version (6.1.0). Now, whenever I do "List Agents" from the OSSEC App in Splunk, the following message is displayed.
OSSECNotConfiguredError This OSSEC Server is not configured for agent management. Error
I tried to initialize and re-build the OSSEC lookup table but that doesn't fix it. We are using multiple Splunk instances and I noticed this issue on all of them (each upgraded to 6.1.0).
Please Advise.
Thanks,
Abhi
Hi Abhi,
I fixed it like this.
->1. Change the following lines in /opt/splunk/etc/apps/ossec/bin/pyOSSEC.py
Original:
cfg = parse_config_file('../local/ossec_servers.conf', cfg)
New:
cfg = parse_config_file(os.environ['SPLUNK_HOME'] + '/etc/apps/ossec/local/ossec_servers.conf')
->2. Create a file /opt/splunk/etc/apps/ossec/bin/sshwrap
#!/bin/sh
LD_LIBRARY_PATH=/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
/usr/bin/ssh "$@"
And make it executable:
chmod 755 /opt/splunk/etc/apps/ossec/bin/sshwrap
->3. Adapt the ssh executable in /opt/splunk/etc/apps/ossec/local/ossec_servers.conf to point to the wrapper script.
Old:
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents
New:
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents
That did the trick for me.
Best regards,
Thomas Elsen
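An added example, not code from the thread or from the OSSEC app: it shows the idea behind step 1 and step 3 in one place, resolving ossec_servers.conf from SPLUNK_HOME instead of a cwd-relative '../local/...' path, parsing the [_local] stanza, and checking that the command the stanza points at (the sshwrap script or plain ssh) is actually runnable. The local/ then default/ lookup order and the stanza parsing with configparser are assumptions of this example, not behaviour of pyOSSEC.py.

```python
import configparser
import os
import shlex
import shutil
import tempfile

APP_REL = os.path.join("etc", "apps", "ossec")

def ossec_servers_conf_path(splunk_home):
    """Build the config path from SPLUNK_HOME, as the fix does, rather than from
    '../local/...', which only resolves when the script runs from the app's bin/.
    Splunk layers local/ over default/, so prefer local/ and fall back to default/
    (the fallback is an assumption of this example, not part of the posted fix)."""
    for layer in ("local", "default"):
        candidate = os.path.join(splunk_home, APP_REL, layer, "ossec_servers.conf")
        if os.path.isfile(candidate):
            return candidate
    return None

def load_agent_commands(conf_path, server="_local"):
    """Return {key: argv} for AGENT_CONTROL and MANAGE_AGENTS in the [server] stanza,
    or None when the stanza or either key is missing (the 'not configured' case)."""
    parser = configparser.ConfigParser()
    parser.read(conf_path)
    if not parser.has_section(server):
        return None
    commands = {}
    for key in ("AGENT_CONTROL", "MANAGE_AGENTS"):
        value = parser.get(server, key, fallback=None)
        if not value:
            return None
        commands[key] = shlex.split(value)
    return commands

def wrapper_is_runnable(argv):
    """True if argv[0] is an executable path (e.g. bin/sshwrap) or a command on PATH."""
    exe = argv[0]
    return os.access(exe, os.X_OK) if os.sep in exe else shutil.which(exe) is not None

def demo():
    """Constructed sample tree with only default/ and no local/, as in the thread."""
    home = tempfile.mkdtemp()
    conf_dir = os.path.join(home, APP_REL, "default")
    os.makedirs(conf_dir)
    with open(os.path.join(conf_dir, "ossec_servers.conf"), "w") as fh:
        fh.write("[_local]\nAGENT_CONTROL = sudo /var/ossec/bin/agent_control -l\n"
                 "MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents\n")
    path = ossec_servers_conf_path(home)
    return os.path.basename(os.path.dirname(path)), load_agent_commands(path)
```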
A thousand times.... THANK YOU. Followed your steps and the OSSEC agent Management piece is working again now!!!!!
Step 1 also fixed the issues I was having with it erroring out on the List Agents button with v6.01 and 1.189 version of the app.
Thanks!
Hi Thomas,
It's working fine now.
In my case, Step 1 fixes the issue. I had to add the line you mentioned so that Splunk uses the correct ossec_servers.conf file.
Thanks again for all the help.
Abhi
Hi Abhi,
I suggest you first follow the steps in this answer.
http://answers.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec
Afterwards you have to apply the above fixes.
Best regards,
Thomas
Hi Thomas,
Thanks for replying.
I tried these steps but it is still showing OSSEC not configured. I did notice a few differences in the configuration I have.
Steps 1 & 2 done exactly as mentioned in your response.
On Step 3, ossec_servers.conf is under /opt/splunk/etc/apps/ossec/default. The "local" directory is not present.
Now, in this file, instead of
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents
it had:
[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents
Could it be because both OSSEC and Splunk are on the same server?
I appended the above lines with the sshwrap entry as you mentioned but that did not help.
Then I changed both entries to exactly as they worked for you, i.e.
[_local]
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents
Still no change. I restarted Splunk but the OSSEC app still shows as not configured.
Did I do any step incorrectly?
Many Thanks,
Abhi