Splunk Search

Getting the wrong list of OSSEC servers when rebuilding lookup table?

quanta
New Member

Hi,

I have only one OSSEC server (manager), where I installed Splunk. When I access OSSEC Agent Status from Dashboards & Views, I expected two items in the OSSEC server drop-down list: "All OSSEC servers" and the hostname of my OSSEC manager. But in fact, it shows almost all of my OSSEC agents and the OSSEC manager itself. Looking at the default/savedsearches.conf file, I see that the list is rebuilt hourly with the search below:

search = eventtype=ossec | dedup ossec_server | eval description=host | inputlookup append=t lookup_ossec_servers | append [ ossecservers ] | stats last(description) as description max(managed) as managed by ossec_server | eval description=coalesce(description, ossec_server) | eval managed=coalesce(managed,0) | fields ossec_server,description,managed | outputlookup lookup_ossec_servers

and writes to the lookups/ossec_servers.csv file:

"ossec_server",description,managed
"*","All OSSEC Servers",0
"192.168.3.140","192.168.3.140",0
"192.168.3.182","192.168.3.182",0
...
"SVR040-763.localdomain","SVR040-763.localdomain",1

Did you build this list with the wrong 'search' syntax, or am I missing something?

Moreover, there is no OSSEC server in the OSSEC Agent Management. So, I got the error "This OSSEC Server is not configured for agent management." when clicking on "List Agents". Same result when running listagents.py from the command line. I'm trying to edit.

PS: CentOS 5.4 64 bits, Splunk 4.2.1, OSSEC 1.1.84.

0 Karma

southeringtonp
Motivator

How do you have OSSEC sending events to Splunk? Are you forwarding them via syslog, or is Splunk installed on the OSSEC server and indexing the alerts file directly?

It sounds more like Splunk is getting the wrong value for ossec_server in the raw events, and using those to populate the lookup. Try running the following and see if you still get the wrong list:

sourcetype=ossec OR sourcetype=ossec_alerts | stats count by sourcetype, ossec_server

Also, be aware that once a server is in the lookup table, it will stay there indefinitely. Running the following search will reset the lookup:

| inputlookup lookup_ossec_servers | where description="All OSSEC Servers" | outputlookup lookup_ossec_servers

For the agent management screen, try to get the CSV issue sorted out first. Once that's right, see if version 1.1.85 of the app resolves the remaining issue.

0 Karma
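
A simplified Python model of the rebuild search quoted in the question, added here as an illustration; it is not part of either poster's message or of the app's code. It shows why a wrongly extracted ossec_server value stays in the lookup across hourly runs until the lookup is reset. The hostnames and addresses are constructed, and the appended subsearch is assumed to return the configured (managed) servers.

```python
# Simplified model of the hourly lookup rebuild quoted in the question.
# Row order mirrors the search: deduped events, the existing lookup
# (inputlookup append=t), then the appended subsearch, ASSUMED here to
# return the configured (managed) servers.

def rebuild(event_rows, lookup_rows, configured_rows):
    """Return the new lookup as {ossec_server: (description, managed)}."""
    merged = {}
    for row in event_rows + lookup_rows + configured_rows:
        key = row["ossec_server"]
        desc, managed = merged.get(key, (None, None))
        # stats last(description): keep the most recent non-null value
        if row.get("description") is not None:
            desc = row["description"]
        # stats max(managed): largest non-null value
        if row.get("managed") is not None:
            managed = row["managed"] if managed is None else max(managed, row["managed"])
        merged[key] = (desc, managed)
    # eval description=coalesce(description, ossec_server), managed=coalesce(managed, 0)
    return {k: (d if d is not None else k, m if m is not None else 0)
            for k, (d, m) in merged.items()}

def as_rows(lookup):
    """Turn a lookup dict back into rows, as inputlookup would read them."""
    return [{"ossec_server": k, "description": d, "managed": m}
            for k, (d, m) in lookup.items()]

def reset(lookup):
    """Model of the reset search: keep only the 'All OSSEC Servers' row."""
    return {k: v for k, v in lookup.items() if v[0] == "All OSSEC Servers"}

# Constructed sample data (not taken from a real deployment).
WILDCARD = [{"ossec_server": "*", "description": "All OSSEC Servers", "managed": 0}]
MANAGER = [{"ossec_server": "manager.example", "description": "manager.example", "managed": 1}]
# One run in which an agent address was extracted as ossec_server.
BAD_EVENTS = [{"ossec_server": "192.0.2.10", "description": "192.0.2.10"},
              {"ossec_server": "manager.example", "description": "manager.example"}]
GOOD_EVENTS = [{"ossec_server": "manager.example", "description": "manager.example"}]

def demo():
    run1 = rebuild(BAD_EVENTS, WILDCARD, MANAGER)               # bad value enters
    run2 = rebuild(GOOD_EVENTS, as_rows(run1), MANAGER)         # extraction fixed
    run3 = rebuild(GOOD_EVENTS, as_rows(reset(run2)), MANAGER)  # after reset
    return run1, run2, run3

if __name__ == "__main__":
    for n, run in enumerate(demo(), 1):
        print(n, sorted(run))
```
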

quanta
New Member

No one got this problem when integrating Splunk with OSSEC?

0 Karma