Configuring remote OSSEC Agent Management
I am struggling to get the "OSSEC Agent Management" page to display my remote agents. Testing using the ossec_agent_status.py and ossecservers.py scripts shows expected results. The listagents.py script states that "...OSSEC Server is not configured for agent management...". Interestingly, if the MANAGE_AGENTS entry in the ossec_servers.conf file is outside a stanza (precedes the [_local]) the script returns expected results. Any ideas?
More detailed instructions are now in a separate Answers post.
After making the suggested modification to turn off the default settings, the behavior remains the same. The listagent.py script returns the error stating that it is not configured. The ossecserver.py and ossec_agent_status.py scripts return expected values. After executing the configuration changes and performing the [OSSEC - Rebuild OSSEC Server Lookup Table] function, the webapp is behaving a bit better. The [OSSEC Agent Status] dashboard now lists the OSSEC Server, but returns no data. It does not state that there was "no result" and its legend has "NULL" as its value. The [OSSEC Agent Management] portion now has the OSSEC server listed in its OSSEC Server pulldown. It does not return any data and shows "no results found" for the List Agents action. Making progress. Next thoughts?
It's possible that an error is occurring somewhere in the backend and the error message is being masked by that view. What happens if you call it directly? (see edits above)
The application, OSSEC, is currently at 1.1.74. The OSSEC server is remote to the server which is running the Splunk software. I have configured a remote server explicitly. The use of a local server would be invalid in this configuration.
That functionality is pretty new, so it could be a bug, or it may be a case sensitivity issue.
What build number of the OSSEC app are you using - have you already downloaded the latest release from SplunkBase?
Putting it outside of any stanza makes it a default value. To rule out an issue with the _local macro, enter the hostname in instead of using _local. Does that work correctly?
Try this in local/ossec_servers.conf and let me know if anything changes:

    [_local]
    # Turn off default settings for local machine
    MANAGE_AGENTS =
    AGENT_CONTROL =

    [yourservername]
    # Explicitly configure for your system
    MANAGE_AGENTS = <your command line here>
    AGENT_CONTROL = <your command line here>

Don't forget to run [OSSEC - Rebuild OSSEC Server Lookup Table] after making the change.
If an error is occurring in the backend, it may be masked by the Agent Management screen.
Go to Search, and issue the following command:

    | listagents ossec_server=yourhostname

If we're hitting an error, you should see a backtrace here that would be hidden in the other view.
It's timing out waiting for the manage_agents prompt. Usually that means it's getting hung up on an SSH key or password prompt. It's strange though that you would have a successful connection when you tried it from the command-line. When you tested from the command line, did you by any chance have an SSH key agent running? I just uploaded an experimental build 1.1.76 - try that version and see if it helps. The new build has better handling of certain types of connection error.
I also noticed that in the traceback for the search line "| listagents ..." it shows that the MANAGE_AGENTS command line is being executed.
From within the /opt/splunk/etc/apps/ossec/local directory the following works (running as root).
../bin/listagents.py ossec_server=naadmp04
MemoryError " after:
EOF (str(e) + '\n' + str(self)) EOF: End Of File (EOF) in read_nonblocking(). Exception style platform.
Error : Traceback: Traceback (most recent call last): File "/opt/splunk/etc/apps/ossec/bin/listagents.py", line 34, in
There was a hidden error related to the ssh command not being found. I reconfigured using the full path to ssh and executed the search you indicated and got the following error. (Posted separately).
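
A pre-flight check for the failure modes that surface in this thread (a blank setting, a command with no full path, and an ssh call that can stop at a prompt), as an added example that is not part of the thread or of the OSSEC app's code. The resolution rule (a stanza value, even a blank one, overrides the stanza-less default), the function names, and the sample command lines are assumptions made for illustration.

```python
import os
import shlex

# Constructed sample; host names and command lines are placeholders (assumptions).
SAMPLE_CONF = """\
MANAGE_AGENTS = ssh ossec@default.example /var/ossec/bin/manage_agents

[_local]
MANAGE_AGENTS =
AGENT_CONTROL =

[yourservername]
MANAGE_AGENTS = /usr/bin/ssh -o BatchMode=yes ossec@yourservername sudo /var/ossec/bin/manage_agents
"""

def parse_conf(text):
    """Return {stanza: {key: value}}; keys before any stanza go under None."""
    stanzas, current = {None: {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective(stanzas, server, key):
    """Assumed rule: stanza value wins, even when blank; else the default."""
    if key in stanzas.get(server, {}):
        return stanzas[server][key]
    return stanzas[None].get(key, "")

def preflight(stanzas, server, key="MANAGE_AGENTS"):
    """List reasons the configured command may fail or hang under Splunk."""
    cmd = effective(stanzas, server, key)
    if not cmd:
        return ["%s is blank: not configured for agent management" % key]
    argv, problems = shlex.split(cmd), []
    if not os.path.isabs(argv[0]):
        problems.append("'%s' has no full path; Splunk's PATH may not contain it" % argv[0])
    if os.path.basename(argv[0]) == "ssh" and "BatchMode=yes" not in cmd:
        problems.append("ssh without BatchMode=yes can block on a key or password prompt")
    return problems
```

With `BatchMode=yes`, ssh fails immediately instead of waiting for a passphrase or password, so a missing key shows up as an error rather than as a timeout on the manage_agents prompt.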
