Getting Data In

Configuring remote OSSEC Agent Management

wpz1599
New Member

I am struggling to get the "OSSEC Agent Management" page to display my remote agents. Testing using the ossec_agent_status.py and ossecservers.py scripts shows expected results. The listagents.py script states that "...OSSEC Server is not configured for agent management...". Interestingly, if the MANAGE_AGENTS entry in the ossec_servers.conf file is outside a stanza (precedes the [_local]) the script returns expected results. Any ideas?


southeringtonp
Motivator

wpz1599
New Member

After making the suggested modification to turn off the default settings, the behavior remains the same. The listagent.py script returns the error stating that it is not configured. The ossecserver.py and ossec_agent_status.py scripts return expected values. After executing the configuration changes and performing the [OSSEC - Rebuild OSSEC Server Lookup Table] function, the webapp is behaving a bit better. The [OSSEC Agent Status] dashboard now lists the OSSEC Server, but returns no data. It does not state that there was "no result" and its legend has "NULL" as its value. The [OSSEC Agent Management] portion now has the OSSEC server listed in its OSSEC Server pulldown. It does not return any data and shows "no results found" for the List Agents action. Making progress. Next thoughts?


southeringtonp
Motivator

It's possible that an error is occurring somewhere in the backend and the error message is being masked by that view. What happens if you call it directly? (see edits above)


wpz1599
New Member

The application, OSSEC, is currently at 1.1.74. The OSSEC server is remote to the server which is running the splunk software. I have configured a remote server explicitly. The use of a local server would be invalid in this configuration.


southeringtonp
Motivator

That functionality is pretty new, so it could be a bug, or it may be a case sensitivity issue.

What build number of the OSSEC app are you using - have you already downloaded the latest release from SplunkBase?


Putting it outside of any stanza makes it a default value. To rule out an issue with the _local macro, enter the hostname in instead of using _local. Does that work correctly?

Try this in local/ossec_servers.conf and let me know if anything changes:

[_local]
# Turn off default settings for local machine
MANAGE_AGENTS =
AGENT_CONTROL =

[yourservername]
# Explicitly configure for your system
MANAGE_AGENTS = <your command line here>
AGENT_CONTROL = <your command line here>

Don't forget to run [OSSEC - Rebuild OSSEC Server Lookup Table] after making the change.


If an error is occurring in the backend, it may be masked by the Agent Management screen.

Go to Search, and issue the following command:

| listagents ossec_server=yourhostname

If we're hitting an error, you should see a backtrace here that would be hidden in the other view.

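To make the stanza behaviour discussed above concrete (a key before the first stanza acts as a default, an empty value in [_local] switches the default off, a named stanza configures one remote server) and to catch the "command not found" failure that the Agent Management view hides, here is an added example, not code from the Splunk OSSEC app. The conf text is constructed; "naadmp04" is the hostname from the thread.

```python
"""Resolve the effective MANAGE_AGENTS / AGENT_CONTROL command per OSSEC server
from a Splunk-style ossec_servers.conf and check that its executable resolves.
Added example; the key names and stanza layout follow the thread, not the app's code."""
import configparser
import shlex
import shutil

# Constructed sample conf in the layout the thread describes.
SAMPLE_CONF = """\
# keys above the first stanza act as defaults for every server
AGENT_CONTROL = /var/ossec/bin/agent_control

[_local]
# blank values switch the defaults off for the Splunk host itself
MANAGE_AGENTS =
AGENT_CONTROL =

[naadmp04]
MANAGE_AGENTS = ssh -xt naadmp04 /var/ossec/bin/manage_agents
"""

def load_servers(conf_text):
    """Parse conf text; keys before the first stanza become the defaults."""
    cp = configparser.RawConfigParser(default_section="default")
    cp.optionxform = str  # keep key case (MANAGE_AGENTS), as Splunk does
    cp.read_string("[default]\n" + conf_text)  # top-level keys -> defaults
    return cp

def effective_command(cp, server, key):
    """Command for `server`, or None when the key is unset or blanked out."""
    if not cp.has_section(server):
        return None
    value = cp.get(server, key, fallback=None)  # falls back to the defaults
    return (value or "").strip() or None

def check_executable(command):
    """Does the command's program resolve on PATH (or as an absolute path)?"""
    if command is None:
        return "not configured"
    prog = shlex.split(command)[0]
    return "ok" if shutil.which(prog) else f"executable not found: {prog}"

if __name__ == "__main__":
    cp = load_servers(SAMPLE_CONF)
    for server in ("_local", "naadmp04"):
        for key in ("MANAGE_AGENTS", "AGENT_CONTROL"):
            cmd = effective_command(cp, server, key)
            print(f"[{server}] {key}: {cmd!r} -> {check_executable(cmd)}")
```

A bare "ssh" in MANAGE_AGENTS is reported as not found when splunkd's PATH lacks it, which is the hidden error the thread eventually uncovered; using the full path to ssh avoids it.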

southeringtonp
Motivator

It's timing out waiting for the manage_agents prompt. Usually that means it's getting hung up on an SSH key or password prompt. It's strange though that you would have a successful connection when you tried it from the command-line. When you tested from the command line, did you by any chance have an SSH key agent running? I just uploaded an experimental build 1.1.76 - try that version and see if it helps. The new build has better handling of certain types of connection error.


wpz1599
New Member

I also noticed that in the traceback for the search line "| listagents ..." it shows that the MANAGE_AGENTS command line is being executed.


wpz1599
New Member

From within the /opt/splunk/etc/apps/ossec/local directory the following works (running as root).

../bin/listagents.py ossec_server=naadmp04


wpz1599
New Member

MemoryError "
after: None
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 348198
child_fd: 7
closed: False
timeout: 5
delimiter:
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1


wpz1599
New Member

EOF (str(e) + '\n' + str(self))
EOF: End Of File (EOF) in read_nonblocking(). Exception style platform.
version: 2.3 ($Revision: 399 $)
command: /usr/local/bin/ssh
args: ['/usr/local/bin/ssh', '-xt', 'naadmp04', '/var/ossec/bin/manage_agents']
searcher: searcher_string:
    0: "Choose your action:"
buffer (last 100 chars):
before (last 100 chars): ty/pexpect-2.3/pexpect.py"", line 545, in _spawn for i in range (3, max_fd):


wpz1599
New Member

Error : Traceback:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/ossec/bin/listagents.py", line 34, in
    ossec.cache_agents()
  File "/opt/splunk/etc/apps/ossec/bin/pyOSSEC.py", line 342, in cache_agents
    self.connect()
  File "/opt/splunk/etc/apps/ossec/bin/pyOSSEC.py", line 331, in connect
    self.c.expect_exact('Choose your action:')
  File "../3rdparty/pexpect-2.3/pexpect.py", line 1343, in expect_exact
    return self.expect_loop(searcher_string(pattern_list), timeout, searchwindowsize)
  File "../3rdparty/pexpect-2.3/pexpect.py", line 1396, in expect_loop
    raise


wpz1599
New Member

There was a hidden error related to the ssh command not being found. I reconfigured using the full path to ssh and executed the search you indicated and got the following error. (Posted separately).
