Splunk Search

Getting the wrong list of OSSEC server when rebuilding lookup table?

New Member

Hi,

I have only one the OSSEC server (manager) where I install Splunk. When I access OSSEC Agent Status from the Dashboards & Views, I expected there are two items on the OSSEC server dropdownlist: "All OSSEC servers" and the hostname of my OSSEC manager. But in fact, it shows almost of my OSSEC agents and OSSEC manager itself. Look at the default/savesearchs.conf file, I know the list is rebuilt hourly with below search:

search = eventtype=ossec | dedup ossec_server | eval description=host | inputlookup append=t lookup_ossec_servers | append [ ossecservers ] | stats last(description) as description max(managed) as managed by ossec_server | eval description=coalesce(description, ossec_server) | eval managed=coalesce(managed,0) | fields ossec_server,description,managed | outputlookup lookup_ossec_servers

and writes to lookups/ossec_servers.csv file:

"ossec_server",description,managed
"*","All OSSEC Servers",0
"192.168.3.140","192.168.3.140",0
"192.168.3.182","192.168.3.182",0
...
"SVR040-763.localdomain","SVR040-763.localdomain",1

Did you build this list with the wrong 'search' syntax or I miss something?

Moreover, there is no OSSEC server in the OSSEC Agent Management. So, I got the error "This OSSEC Server is not configured for agent management." when clicking on "List Agents". Same result when running listagents.py from the command line. I'm trying to edit.

PS: CentOS 5.4 64 bits, Splunk 4.2.1, OSSEC 1.1.84.

Tags (2)
0 Karma

Motivator

How do you have OSSEC sending events to Splunk? Are you forwarding them via syslog, or is Splunk installed on the OSSEC server and indexing the alerts file directly?

It sounds more like Splunk is getting the wrong value for ossec_server in the raw events, and using those to populate the lookup. Try running the following and see if you still get the wrong list:

sourcetype=ossec OR sourcetype=ossec_alerts | stats count by sourcetype, ossec_server

Also, be aware that once a server is in the lookup table, it will stay there indefinitely. Running the following search will reset the lookup:

| inputlookup lookup_ossec_servers | where description="All OSSEC Servers" | outputlookup lookup_ossec_servers

For the agent management screen, try to get the CSV issue sorted out first. Once that's right, see if version of 1.1.85 of the app resolves the remaining issue.

0 Karma

New Member

No one got this problem when integrating Splunk with OSSEC?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!