I am struggling to get the "OSSEC Agent Management" page to display my remote agents. Testing using the ossec_agent_status.py and ossecservers.py scripts shows expected results. The listagents.py script states that "...OSSEC Server is not configured for agent management...". Interestingly, if the MANAGE_AGENTS entry in the ossec_servers.conf file is outside a stanza (precedes the [_local]) the script returns expected results. Any ideas?
More detailed instructions are now in a separate Answers post.
After making the suggested modification to turn off the default settings, the behavior remains the same. The listagent.py script returns the error stating that it is not configured. The ossecserver.py and ossec_agent_status.py scripts return expected values. After executing the configuration changes and performing the [OSSEC - Rebuild OSSEC Server Lookup Table] function, the webapp is behaving a bit better. The [OSSEC Agent Status] dashboard now lists the OSSEC Server, but returns no data. It does not state that there was "no result" and its legend has "NULL" as its value. The [OSSEC Agent Management] portion now has the OSSEC server listed in its OSSEC Server pulldown. It does not return any data and shows "no results found" for the List Agents action. Making progress. Next thoughts?
It's possible that an error is occurring somewhere in the backend and the error message is being masked by that view. What happens if you call it directly? (see edits above)
The application, OSSEC, is currently at 1.1.74. The OSSEC server is remote to the server which is running the Splunk software. I have configured a remote server explicitly. The use of a local server would be invalid in this configuration.
That functionality is pretty new, so it could be a bug, or it may be a case sensitivity issue.
What build number of the OSSEC app are you using - have you already downloaded the latest release from SplunkBase?
Putting it outside of any stanza makes it a default value. To rule out an issue with the _local macro, enter the hostname instead of using _local. Does that work correctly?
Try this in local/ossec_servers.conf and let me know if anything changes:
[_local]
# Turn off default settings for local machine
MANAGE_AGENTS =
AGENT_CONTROL =
[yourservername]
# Explicitly configure for your system
MANAGE_AGENTS = <your command line here>
AGENT_CONTROL = <your command line here>
Don't forget to run [OSSEC - Rebuild OSSEC Server Lookup Table] after making the change.
If an error is occurring in the backend, it may be masked by the Agent Management screen.
Go to Search, and issue the following command:
| listagents ossec_server=yourhostname
If we're hitting an error, you should see a backtrace here that would be hidden in the other view.
It's timing out waiting for the manage_agents prompt. Usually that means it's getting hung up on an SSH key or password prompt. It's strange though that you would have a successful connection when you tried it from the command-line. When you tested from the command line, did you by any chance have an SSH key agent running? I just uploaded an experimental build 1.1.76 - try that version and see if it helps. The new build has better handling of certain types of connection error.
I also noticed that in the traceback for the search line "| listagents ..." it shows that the MANAGE_AGENTS command line is being executed.
From within the /opt/splunk/etc/apps/ossec/local directory the following works (running as root).
MemoryError " after:
EOF (str(e) + '\n' + str(self)) EOF: End Of File (EOF) in read_nonblocking(). Exception style platform.
Error : Traceback: Traceback (most recent call last): File "/opt/splunk/etc/apps/ossec/bin/listagents.py", line 34, in
There was a hidden error related to the ssh command not being found. I reconfigured using the full path to ssh and executed the search you indicated and got the following error. (Posted separately).