By following the steps below, you will be granting the Splunk service account access to log into your OSSEC server and run commands. Be sure you fully understand any security implications for your environment before proceeding.
In particular, enabling the MANAGE_AGENTS option will allow anyone with sufficient access in Splunk to see and modify your OSSEC agent keys.
Examples below assume the default configuration (Splunk running as root and installed in /opt/splunk, OSSEC installed in /var/ossec), and that you will use an account named splunk to log into the OSSEC server.
Basic familiarity with Unix and OSSEC is assumed; basic commands to log in and out, etc., are not shown.
Remote Access Configuration:
First, you will need to make sure that the Splunk server can log into the OSSEC server to run management commands.
On the OSSEC server, create a new login account for the Splunk server to use when connecting.
root@ossec_server# useradd splunk
On the Splunk server, create an SSH keypair for the root user (or whichever account splunkd is running as), and copy the public key to the OSSEC server.
user@splunk_server$ sudo su -
root@splunk_server# scp .ssh/id_rsa.pub splunk@ossec_server:authorized_keys
On the OSSEC server, log in as the splunk account and configure the authorized_keys file to allow SSH logins without a password:
On the OSSEC server, configure sudo to allow the splunk login account to run agent management commands without prompting.
root@ossec_server# /usr/sbin/visudo
Add the following two lines:
splunk ALL=NOPASSWD: /var/ossec/bin/agent_control -l
splunk ALL=NOPASSWD: /var/ossec/bin/manage_agents
On the OSSEC server, verify that the new splunk account can run the agent management commands without prompting. If either of the following commands prompts for a password, you may have made a mistake in the previous step:
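As an added example that is not part of the Splunk for OSSEC documentation, the POSIX shell script below performs two checks a defender will want after completing the steps above: that the sudoers grant for the splunk account covers exactly the two OSSEC commands listed (a broader grant such as `NOPASSWD: ALL`, or an extra command, is reported), and that the splunk account's authorized_keys file and .ssh directory have restrictive modes, since sshd's StrictModes ignores a key file that others can write and the resulting password prompt is easy to mistake for a sudoers mistake. The function names are my own, file paths are passed as arguments, and the demo writes constructed fixtures to a temporary directory instead of reading /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the Splunk for OSSEC page): post-configuration
# checks for the splunk -> OSSEC server access grant described above.
# check_sudoers_grant and check_authorized_keys_perms are names chosen here;
# the files written by make_fixtures are constructed, not from a real host.

# check_sudoers_grant FILE
# Returns 0 when FILE grants the splunk account exactly the two OSSEC
# commands from the procedure and nothing broader, 1 otherwise.
# sudoers syntax is "user host = (runas) tags: command". A command listed
# with arguments (agent_control -l) is restricted to those arguments; one
# listed without arguments (manage_agents) may be run with any arguments.
check_sudoers_grant() {
    file="$1"
    # Keep only lines granting something to splunk, with comments stripped.
    grants=$(grep -E '^[[:space:]]*splunk[[:space:]]' "$file" \
             | sed -e 's/#.*$//' -e '/^[[:space:]]*$/d') || true
    count=$(printf '%s\n' "$grants" | grep -c .) || true
    if [ "$count" -ne 2 ]; then
        echo "FAIL: expected 2 splunk grants in $file, found $count" >&2
        return 1
    fi
    # Every grant must be NOPASSWD for one of the two full command paths.
    # This rejects "splunk ALL=(ALL) NOPASSWD: ALL" and any extra command.
    if printf '%s\n' "$grants" \
       | grep -Evq '^[[:space:]]*splunk[[:space:]]+ALL[[:space:]]*=[[:space:]]*NOPASSWD:[[:space:]]*/var/ossec/bin/(agent_control -l|manage_agents)[[:space:]]*$'; then
        echo "FAIL: a splunk grant in $file is broader than the two OSSEC commands" >&2
        return 1
    fi
    # Both commands must be present (two identical lines pass the checks above).
    printf '%s\n' "$grants" | grep -q 'agent_control -l' || return 1
    printf '%s\n' "$grants" | grep -q 'manage_agents' || return 1
    return 0
}

# check_authorized_keys_perms KEYFILE
# Returns 0 when KEYFILE is a regular file with mode 0600 inside a directory
# with mode 0700. sshd's StrictModes (on by default) ignores an
# authorized_keys file that others can write, so the login falls back to a
# password prompt.
check_authorized_keys_perms() {
    keyfile="$1"
    dir=$(dirname "$keyfile")
    if [ ! -f "$keyfile" ]; then
        echo "FAIL: $keyfile is not a regular file" >&2
        return 1
    fi
    # "find PATH -prune ! -perm MODE" prints PATH only if its mode is not
    # exactly MODE, without descending into directories.
    if [ -n "$(find "$keyfile" -prune ! -perm 600)" ]; then
        echo "FAIL: $keyfile should be mode 0600" >&2
        return 1
    fi
    if [ -n "$(find "$dir" -prune ! -perm 700)" ]; then
        echo "FAIL: $dir should be mode 0700" >&2
        return 1
    fi
    return 0
}

# make_fixtures
# Writes constructed sample files to a temporary directory and leaves its
# path in FIXTURE_DIR: the two-line grant from the page, an over-broad
# grant, and an authorized_keys file with the recommended modes.
make_fixtures() {
    FIXTURE_DIR=$(mktemp -d)
    printf '%s\n' \
        'splunk ALL=NOPASSWD: /var/ossec/bin/agent_control -l' \
        'splunk ALL=NOPASSWD: /var/ossec/bin/manage_agents' \
        > "$FIXTURE_DIR/good_sudoers"
    printf '%s\n' \
        'splunk ALL=NOPASSWD: /var/ossec/bin/agent_control -l' \
        'splunk ALL=(ALL) NOPASSWD: ALL' \
        > "$FIXTURE_DIR/broad_sudoers"
    mkdir -m 700 "$FIXTURE_DIR/.ssh"
    : > "$FIXTURE_DIR/.ssh/authorized_keys"
    chmod 600 "$FIXTURE_DIR/.ssh/authorized_keys"
}

# Demonstration run against the constructed fixtures.
demo() {
    make_fixtures
    check_sudoers_grant "$FIXTURE_DIR/good_sudoers" && echo "good_sudoers: least-privilege grant confirmed"
    check_sudoers_grant "$FIXTURE_DIR/broad_sudoers" || echo "broad_sudoers: rejected"
    check_authorized_keys_perms "$FIXTURE_DIR/.ssh/authorized_keys" && echo "authorized_keys: permissions OK"
    rm -rf "$FIXTURE_DIR"
}

demo
```

On a real OSSEC server, point check_sudoers_grant at the file visudo edited (or the drop-in under /etc/sudoers.d, if you used one) and check_authorized_keys_perms at the splunk account's authorized_keys; both functions return non-zero and print the reason on stderr, so they can be dropped into a configuration audit job.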