Archive

Question on debugging of OSSEC App Agent Management issues...

Contributor

First off, to the author, thanks for a great app. We've found the dashboard views a great asset... especially when compared to ossec-ui. The one big issue that we're having though is that the Agent Management functions don't seem to be working properly. The only action that seems to work fine is the simple list of agents. Trying to extract a key, add an agent or remove an agent all don't seem to work properly. In particular, it seems that not all the required entry boxes are displaying for these actions. For example, when I select "Extract Key", initially it will show two entry fields (for agent name and agent ID I believe), but then the next time I select the "Extract Key" option, only one input field will show. Similar things happen with the other two actions as well. I'm more than willing to help debug/diagnose the issues to get this working 100%, but really need so help from you on where to start looking.

Thanks in advance.

Tags (2)
0 Karma
1 Solution

Motivator

There was a bug in the way one of the calls to jQuery was written, causing the agent ID field to get lost under some conditions. I just uploaded an updated version, or you can just replace application.js with the fixed version.

Give it a try and let me if you still have issues. If you do still have trouble, please edit your question above to indicate which OS and browser you are using.

Updated app on SplunkBase:
http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+OSSEC+-+Splunk+v4+version

or Single File to Replace:
http://www.southerington.com/redir.php?id=26

You will most likely need to flush your browser's cache before the updated JavaScript file will take effect.

View solution in original post

New Member

I am struggling to get the "OSSEC Agent Management" page to display my remote agents. Testing using the ossec_agent_status.py and ossecservers.py scripts shows expected results. The listagents.py script states that "...OSSEC Server is not configured for agent management...". Interestingly, if the MANAGE_AGENTS entry in the ossec_servers.conf file is outside a stanza (precedes the [_local]) the script returns expected results. Any ideas?

0 Karma

Motivator

There was a bug in the way one of the calls to jQuery was written, causing the agent ID field to get lost under some conditions. I just uploaded an updated version, or you can just replace application.js with the fixed version.

Give it a try and let me if you still have issues. If you do still have trouble, please edit your question above to indicate which OS and browser you are using.

Updated app on SplunkBase:
http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+OSSEC+-+Splunk+v4+version

or Single File to Replace:
http://www.southerington.com/redir.php?id=26

You will most likely need to flush your browser's cache before the updated JavaScript file will take effect.

View solution in original post

Motivator

I just went back and looked at the XML. The one under Paginator is in fact the one you want; it's overriding the one farther down. Sorry to lead you astray. I was thinking of maxPages under Paginator instead of count.

0 Karma

Contributor

Thanks, the new version does indeed appear to handle the other operations just fine 🙂 However, I've attempted several times now to change that display value from 10 to 20 (both manually in the XML files themselves, even under the default directory side, and through the Splunk Manager interface... which did indeed create the customized file under the local directory). It never appears to have any effect on the display no matter what I try. Always restricted to 10 lines it seems. I've also tried clearing the cache and restarting each time to no avail. Any suggestions? Thanks.

0 Karma

Motivator

For the original issue, go ahead and update the app from SplunkBase. There were a couple of script fixes in the most recent couple of updates. Make sure you're on 1.1.74 or higher. After you upgrade, if the server list is empty, re-run Searches&Reports->Utility->OSSEC - Rebuild Server Lookup Table. You might also need to clear your cache again.

0 Karma

Motivator

For the result count, change the count under SimpleResultsTable. The one under Paginator controls the number of page links displayed, not the number of rows per page. Be aware that changes you make under the default/... directory will be overwritten on upgrade, so you may want to put them under local/... instead. Alternately, make your change via the Manager, which will do that for you.

0 Karma

Contributor

Unrelated, I'd like to get all result lists in the Agent Management section to show at least 20-25 results per screen instead of the default 10. To change this, would it just be a matter of manually changing the lines which have "10" under the module name "JobStatus" section of "ossec/local/data/ui/views/OSSEC_Agent_Management.xml"? Or is only changing one of those fields necessary... don't want to mess-up anything further if it can be avoided. Thanks again.

0 Karma

Contributor

Thanks for the file. That did seem to help the fields at least show up consistently now for all actions. And Extract Keys is now working. However, Remove Agent appears to have no effect. I'll enter the ID in the box and hit "Remove Agent". Something appears to be happening, and then it will come back with "No results found" in the Results field. Executing "List Agents" again reveals that the Agent still exists in the list (this is confirmed by manually running "manage_agents" on the actual OSSEC server as well). Haven't attempted to add one yet. Awaiting any further instructions. Thanks.

0 Karma