
Configuring remote OSSEC Agent Management

New Member

I am struggling to get the "OSSEC Agent Management" page to display my remote agents. Testing using the ossec_agent_status.py and ossecservers.py scripts shows expected results. The listagents.py script states that "...OSSEC Server is not configured for agent management...". Interestingly, if the MANAGE_AGENTS entry in the ossec_servers.conf file is outside a stanza (precedes the [_local]) the script returns expected results. Any ideas?


Re: Configuring remote OSSEC Agent Management

Motivator

That functionality is pretty new, so it could be a bug, or it may be a case sensitivity issue.

What build number of the OSSEC app are you using - have you already downloaded the latest release from SplunkBase?


Putting it outside of any stanza makes it a default value. To rule out an issue with the _local macro, enter the hostname instead of using _local. Does that work correctly?

Try this in local/ossec_servers.conf and let me know if anything changes:

[_local]
# Turn off default settings for local machine
MANAGE_AGENTS =
AGENT_CONTROL =

[yourservername]
# Explicitly configure for your system
MANAGE_AGENTS = <your command line here>
AGENT_CONTROL = <your command line here>

Don't forget to run [OSSEC - Rebuild OSSEC Server Lookup Table] after making the change.


If an error is occurring in the backend, it may be masked by the Agent Management screen.

Go to Search, and issue the following command:

| listagents ossec_server=yourhostname

If we're hitting an error, you should see a backtrace here that would be hidden in the other view.


Re: Configuring remote OSSEC Agent Management

New Member

There was a hidden error related to the ssh command not being found. I reconfigured using the full path to ssh and executed the search you indicated and got the following error. (Posted separately).


Re: Configuring remote OSSEC Agent Management

New Member

Error : Traceback: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/ossec/bin/listagents.py", line 34, in
    ossec.cacheagents()
  File "/opt/splunk/etc/apps/ossec/bin/pyOSSEC.py", line 342, in cacheagents
    self.connect()
  File "/opt/splunk/etc/apps/ossec/bin/pyOSSEC.py", line 331, in connect
    self.c.expectexact('Choose your action:')
  File "../3rdparty/pexpect-2.3/pexpect.py", line 1343, in expectexact
    return self.expectloop(searcherstring(patternlist), timeout, searchwindowsize)
  File "../3rdparty/pexpect-2.3/pexpect.py", line 1396, in expectloop
    raise


Re: Configuring remote OSSEC Agent Management

New Member

EOF (str(e) + '\n' + str(self))
EOF: End Of File (EOF) in readnonblocking(). Exception style platform.
version: 2.3 ($Revision: 399 $)
command: /usr/local/bin/ssh
args: ['/usr/local/bin/ssh', '-xt', 'naadmp04', '/var/ossec/bin/manageagents']
searcher: searcherstring:
0: "Choose your action:"
buffer (last 100 chars):
before (last 100 chars): ty/pexpect-2.3/pexpect.py"", line 545, in _spawn for i in range (3, maxfd):


Re: Configuring remote OSSEC Agent Management

New Member

MemoryError "
after:
match: None
matchindex: None
exitstatus: None
flageof: True
pid: 348198
childfd: 7
closed: False
timeout: 5
delimiter:
logfile: None
logfileread: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1


Re: Configuring remote OSSEC Agent Management

New Member

From within the /opt/splunk/etc/apps/ossec/local directory the following works (running as root).

../bin/listagents.py ossec_server=naadmp04


Re: Configuring remote OSSEC Agent Management

New Member

I also noticed that in the traceback for the search line "| listagents ..." it shows that the MANAGE_AGENTS command line is being executed.


Re: Configuring remote OSSEC Agent Management

Motivator

It's timing out waiting for the manage_agents prompt. Usually that means it's getting hung up on an SSH key or password prompt. It's strange though that you would have a successful connection when you tried it from the command-line. When you tested from the command line, did you by any chance have an SSH key agent running? I just uploaded an experimental build 1.1.76 - try that version and see if it helps. The new build has better handling of certain types of connection error.
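
The hang described in the reply above (pexpect waiting for the manage_agents menu while ssh is stuck on a key or password prompt) can be checked outside Splunk. The following is an added example, not part of the original thread or the OSSEC app's code; `classify` and `probe` are hypothetical helper names, and the matched strings are standard OpenSSH and shell messages.

```python
import re
import subprocess

PROMPT = "Choose your action:"  # the string the traceback shows pexpect waiting for

# Checked in order; patterns are standard OpenSSH and shell messages.
BLOCKERS = [
    ("passphrase", re.compile(r"Enter passphrase for key", re.I)),
    ("password", re.compile(r"password:", re.I)),
    ("hostkey", re.compile(r"continue connecting|Host key verification failed", re.I)),
    ("denied", re.compile(r"Permission denied", re.I)),
    ("missing", re.compile(r"command not found|No such file or directory", re.I)),
]

def classify(output):
    """Name what stands between the ssh session and the manage_agents menu."""
    if PROMPT in output:
        return "ok"
    for name, pattern in BLOCKERS:
        if pattern.search(output):
            return name
    return "unknown"

def probe(argv, timeout=10):
    """Run the configured command without a terminal and classify its output.

    BatchMode=yes makes ssh fail immediately instead of waiting for a
    password or passphrase, which is the hang described above.
    """
    cmd = [argv[0], "-o", "BatchMode=yes"] + list(argv[1:])
    try:
        done = subprocess.run(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=timeout)
        out = done.stdout
    except FileNotFoundError:
        return "missing"          # the ssh binary itself is not at that path
    except subprocess.TimeoutExpired as exc:
        out = exc.stdout or b""   # whatever was printed before the hang
    return classify(out.decode(errors="replace"))

if __name__ == "__main__":
    # Arguments as they appear in the traceback posted in this thread.
    print(probe(["/usr/local/bin/ssh", "-xt", "naadmp04", "/var/ossec/bin/manageagents"]))
```

Run it as the same OS user that runs Splunk, since that user's SSH keys and known_hosts file are the ones the app's command will use.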


Re: Configuring remote OSSEC Agent Management

New Member

The application, OSSEC, is currently at 1.1.74. The OSSEC server is remote to the server which is running the splunk software. I have configured a remote server explicitly. The use of a local server would be invalid in this configuration.
