A thousand times.... THANK YOU. Followed your steps and the OSSEC agent Management piece is working again now!!!!!

Step 1 also fixed the issues I was having with it erroring out on the List Agents button with v6.01 and 1.189 version of the app.

Thanks!

Hi Thomas,

It's working fine now.

In my case, Step 1 fixes the issue. I had to add the line you mentioned so that Splunk uses the correct ossec_servers.conf file.

Thanks again for all the help.

Abhi

Hi Abhi,

I suggest you first follow the steps in this answer.

http://answers.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec

Afterwards you have to apply the above fixes.

Best regards,
Thomas

Then I changed both entries to exactly as they worked for you, i.e.

[_local]
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

Still no change. Restarted Splunk but OSSEC app still comes not configured.

Did I do any step incorrectly?

Many Thanks,

Abhi

Now, in this file, instead of
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

It had:

[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents

Could it be because both OSSEC and Splunk are on the same server?

I appended the above lines with the sshwrap entry as you mentioned but that did not help.

Hi Thomas,

Thanks for replying.

I tried these steps but it is still showing OSSEC not configured. I did notice few differences in the configuration I have.
Steps 1 & 2 done exactly as mentioned in your response.

On Step 3, ossec_servers.conf is under /opt/splunk/etc/apps/ossec/default. "local" directory is not present.