Developing for Splunk Enterprise

Python fcntl module only available on Unix

groundLoop
New Member

Would it be possible to remove the fcntl Python module dependency from the pyOSSEC.py script? The fcntl module is only available on Unix.

Perhaps the README should be updated, in the meantime, to indicate that the OSSEC app is not 100% compatible with Windows.

Example error from a Windows Splunk install:

[subsearch]: External search command 'ossecservers' returned error code 1. Script output = "Traceback (most recent call last): File "X:\Splunk\bin\runScript.py", line 69, in execfile(REAL_SCRIPT_NAME) File "X:\Splunk\etc\apps\ossec\bin\ossecservers.py", line 13, in from pyOSSEC import * File "X:\Splunk\etc\apps\ossec\bin\pyOSSEC.py", line 12, in import fcntl ImportError: No module named fcntl "

Tags (2)
0 Karma

southeringtonp
Motivator

Possible but not trivial.

The limitation on Windows is listed in the KNOWN_ISSUES file, but I will add it to the README for the next release. Interestingly enough, Splunkbase asks you to identify whether a file is platform-dependent when you upload the app, but afterwards doesn't appear to show that information.

It's more than just fcntl. The pyOSSEC library included with the app uses pexpect to communicate with the OSSEC agent management tools, and pexpect needs a unix-like system.

The good thing about this model is that it's fairly easy to do remote management over SSH; the bad thing is that that it doesn't work on Windows, and it can be overkill when Splunk is running directly on the OSSEC server. For now, the goal has been to limit platform-dependent code to the pyOSSEC library and worry about Windows later. The longer-term goal is to move to more of a client-server model, which will remove that dependency.

Since the OSSEC server itself doesn't run on Windows, I don't consider this a huge sticking point. You can still use the reporting functions on syslog or alerts file data.

That said, if you're willing to share some information on how your Splunk/OSSEC deployment is laid out, I'll take it into consideration for future development.

0 Karma

southeringtonp
Motivator

All of the general searching and reporting should work once you have data coming in and properly sourcetyped. You'll want to configure OSSEC to output via syslog, and make sure that Splunk is listening for it (the input is included but disabled by default). The Agent Status and Agent Management dashboards rely on pyOSSEC, so they will not work. Also, the malware check will never find anything -- OSSEC's syslog output does not include file hashes.

0 Karma

groundLoop
New Member

Thank you kindly for the explanation. The environment I am working on is mixed, with OSSEC agents running on Linux and Windows servers. Splunk is currently hosted on Windows, however, hence the confusion.

Are there any other features, other than OSSEC agent management, that are not compatible with Splunk on Windows?

0 Karma