I have only one OSSEC server (manager), where I installed Splunk. When I access OSSEC Agent Status from Dashboards & Views, I expected there to be two items in the OSSEC server dropdown list: "All OSSEC servers" and the hostname of my OSSEC manager. But in fact, it shows almost all of my OSSEC agents and the OSSEC manager itself. Looking at the default/savedsearches.conf file, I know the list is rebuilt hourly with the search below:
Did you build this list with the wrong 'search' syntax, or am I missing something?
Moreover, there is no OSSEC server in OSSEC Agent Management. So, I got the error "This OSSEC Server is not configured for agent management." when clicking on "List Agents". I get the same result when running listagents.py from the command line. I'm trying to edit.