I am struggling to get the "OSSEC Agent Management" page to display my remote agents. Testing using the ossec_agent_status.py and ossecservers.py scripts shows expected results. The listagents.py script states that "...OSSEC Server is not configured for agent management...". Interestingly, if the MANAGE_AGENTS entry in the ossec_servers.conf file is outside a stanza (precedes the [_local]) the script returns expected results. Any ideas?
That functionality is pretty new, so it could be a bug, or it may be a case sensitivity issue.
What build number of the OSSEC app are you using - have you already downloaded the latest release from SplunkBase?
Putting it outside of any stanza makes it a default value. To rule out an issue with the _local macro, enter the hostname in instead of using _local. Does that work correctly?
Try this in local/ossec_servers.conf and let me know if anything changes:

    [_local]
    # Turn off default settings for local machine
    MANAGE_AGENTS =
    AGENT_CONTROL =

    [yourservername]
    # Explicitly configure for your system
    MANAGE_AGENTS = <your command line here>
    AGENT_CONTROL = <your command line here>

Don't forget to run [OSSEC - Rebuild OSSEC Server Lookup Table] after making the change.
If an error is occurring in the backend, it may be masked by the Agent Management screen.
Go to Search, and issue the following command:
| listagents ossec_server=yourhostname
If we're hitting an error, you should see a backtrace here that would be hidden in the other view.
There was a hidden error related to the ssh command not being found. I reconfigured using the full path to ssh and executed the search you indicated and got the following error. (Posted separately).
Error : Traceback: Traceback (most recent call last): File "/opt/splunk/etc/apps/ossec/bin/listagents.py", line 34, in
EOF (str(e) + '\n' + str(self)) EOF: End Of File (EOF) in readnonblocking(). Exception style platform.
MemoryError " after:
It's timing out waiting for the manage_agents prompt. Usually that means it's getting hung up on an SSH key or password prompt. It's strange though that you would have a successful connection when you tried it from the command-line. When you tested from the command line, did you by any chance have an SSH key agent running? I just uploaded an experimental build 1.1.76 - try that version and see if it helps. The new build has better handling of certain types of connection error.
The application, OSSEC, is currently at 1.1.74. The OSSEC server is remote to the server which is running the Splunk software. I have configured a remote server explicitly. The use of a local server would be invalid in this configuration.
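
Added example (not part of the original thread and not the OSSEC app's own code): a small audit of an ossec_servers.conf-style file that applies the two behaviours discussed above, namely that keys placed before the first stanza act as defaults and that a command naming ssh without a full path depends on the search path of the Splunk process. The parsing model, the function names and the sample host names and command lines are assumptions made for illustration.

```python
import shlex

# Constructed sample: host names and command lines are placeholders.
SAMPLE = """\
MANAGE_AGENTS = ssh ossec@default.example /var/ossec/bin/manage_agents
[_local]
MANAGE_AGENTS =
AGENT_CONTROL =
[ossec1.example]
MANAGE_AGENTS = ssh ossec@ossec1.example /var/ossec/bin/manage_agents
[ossec2.example]
AGENT_CONTROL = /usr/bin/ssh ossec@ossec2.example /var/ossec/bin/agent_control -l
"""

def parse_conf(text):
    """Return (defaults, stanzas); keys before the first [stanza] are defaults."""
    defaults, stanzas, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (defaults if current is None else current)[key] = value
    return defaults, stanzas

def effective(defaults, stanzas, server, key):
    """A stanza value wins, even when empty; otherwise use the default."""
    return stanzas.get(server, {}).get(key, defaults.get(key, ""))

def audit(text, keys=("MANAGE_AGENTS", "AGENT_CONTROL")):
    """List (server, key, issue) tuples for every stanza in the file."""
    defaults, stanzas = parse_conf(text)
    findings = []
    for server, own in stanzas.items():
        for key in keys:
            cmd = effective(defaults, stanzas, server, key)
            if not cmd:
                findings.append((server, key, "disabled (empty value)"))
                continue
            if key not in own:
                findings.append((server, key, "inherited from default"))
            if not shlex.split(cmd)[0].startswith("/"):
                findings.append((server, key, "executable resolved via PATH"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
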