Hi,
I have only one OSSEC server (manager), where I installed Splunk. When I access OSSEC Agent Status from Dashboards & Views, I expected there to be two items in the OSSEC server drop-down list: "All OSSEC servers" and the hostname of my OSSEC manager. But in fact, it shows almost all of my OSSEC agents and the OSSEC manager itself. Looking at the default/savedsearches.conf file, I know the list is rebuilt hourly with the search below:
search = eventtype=ossec | dedup ossec_server | eval description=host | inputlookup append=t lookup_ossec_servers | append [ ossecservers ] | stats last(description) as description max(managed) as managed by ossec_server | eval description=coalesce(description, ossec_server) | eval managed=coalesce(managed,0) | fields ossec_server,description,managed | outputlookup lookup_ossec_servers
and writes it to the lookups/ossec_servers.csv file:
"ossec_server",description,managed
"*","All OSSEC Servers",0
"192.168.3.140","192.168.3.140",0
"192.168.3.182","192.168.3.182",0
...
"SVR040-763.localdomain","SVR040-763.localdomain",1
Did you build this list with the wrong 'search' syntax, or am I missing something?
Moreover, there is no OSSEC server in OSSEC Agent Management, so I get the error "This OSSEC Server is not configured for agent management." when clicking on "List Agents". Same result when running listagents.py from the command line. I'm trying to edit.
PS: CentOS 5.4 64-bit, Splunk 4.2.1, OSSEC 1.1.84.
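To make the behaviour of that saved search concrete, here is an added example (not code from the Splunk for OSSEC app or from the poster) that reproduces the merge the search performs, step by step, in Python over constructed data: a handful of events carrying an extracted `ossec_server` field, the shipped one-row lookup, and an assumed output for the `ossecservers` sub-search (one row per manager configured for agent management, with `managed=1`; that shape is an assumption, since the post does not show what `ossecservers` returns). It shows two things the search string implies: every distinct value the `ossec_server` field takes in events becomes a drop-down entry with `managed=0`, and because `inputlookup append=t` feeds the previous CSV back in and `stats ... max(managed)` never drops a group, entries are never removed on later hourly rebuilds, so fixing the field extraction alone will not shrink the list.

```python
"""Reproduce the merge done by the Splunk for OSSEC saved search that rebuilds
lookup_ossec_servers, over constructed sample data (added example, not app code)."""
import csv
import io

# Constructed events: each carries the extracted ossec_server field and the host.
SAMPLE_EVENTS = [
    {"ossec_server": "SVR040-763.localdomain", "host": "SVR040-763.localdomain"},
    {"ossec_server": "192.168.3.140", "host": "192.168.3.140"},
    {"ossec_server": "192.168.3.140", "host": "192.168.3.140"},
    {"ossec_server": "192.168.3.182", "host": "192.168.3.182"},
]

# Constructed initial lookup before any rebuild: only the wildcard row.
INITIAL_LOOKUP_CSV = '"ossec_server",description,managed\n"*","All OSSEC Servers",0\n'

# Assumption: `ossecservers` returns one row per manager configured for agent
# management, flagged managed=1. The post does not show its real output.
ASSUMED_OSSECSERVERS_ROWS = [
    {"ossec_server": "SVR040-763.localdomain",
     "description": "SVR040-763.localdomain", "managed": 1},
]


def parse_lookup(csv_text):
    """inputlookup: read ossec_server,description,managed rows from CSV text."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"ossec_server": r["ossec_server"],
                     "description": r["description"],
                     "managed": int(r["managed"])})
    return rows


def rebuild_lookup(events, lookup_csv, ossecservers_rows):
    """Mirror the saved search pipeline and return the rows outputlookup would write."""
    # `dedup ossec_server | eval description=host`: first event per value wins.
    seen = set()
    rows = []
    for e in events:
        if e["ossec_server"] in seen:
            continue
        seen.add(e["ossec_server"])
        rows.append({"ossec_server": e["ossec_server"],
                     "description": e["host"], "managed": None})
    # `inputlookup append=t lookup_ossec_servers | append [ ossecservers ]`
    rows.extend(parse_lookup(lookup_csv))
    rows.extend(ossecservers_rows)
    # `stats last(description) as description max(managed) as managed by ossec_server`
    groups = {}
    for r in rows:
        g = groups.setdefault(r["ossec_server"], {"description": None, "managed": None})
        if r.get("description") is not None:
            g["description"] = r["description"]          # last non-null value
        if r.get("managed") is not None:
            g["managed"] = (r["managed"] if g["managed"] is None
                            else max(g["managed"], r["managed"]))
    # `eval description=coalesce(...) | eval managed=coalesce(managed,0) | fields ...`
    # stats emits groups sorted by the by-field, which is why "*" comes first.
    out = []
    for server in sorted(groups):
        g = groups[server]
        out.append({"ossec_server": server,
                    "description": g["description"] if g["description"] is not None else server,
                    "managed": g["managed"] if g["managed"] is not None else 0})
    return out


def to_lookup_csv(rows):
    """outputlookup: serialise rows back to the CSV the next run will read."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ossec_server", "description", "managed"],
                       lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def unmanaged_entries(rows):
    """Drop-down entries that came neither from the wildcard row nor from the
    configured-manager list, i.e. values the ossec_server field took in events."""
    return [r["ossec_server"] for r in rows
            if r["managed"] == 0 and r["ossec_server"] != "*"]


def rebuild_twice(events, lookup_csv, ossecservers_rows):
    """Run the rebuild, then run it again with no events at all: the second run
    still returns every row, because inputlookup append=t carries them forward."""
    first = rebuild_lookup(events, lookup_csv, ossecservers_rows)
    second = rebuild_lookup([], to_lookup_csv(first), ossecservers_rows)
    return first, second


if __name__ == "__main__":
    first, second = rebuild_twice(SAMPLE_EVENTS, INITIAL_LOOKUP_CSV, ASSUMED_OSSECSERVERS_ROWS)
    print(to_lookup_csv(first))
    print("unmanaged entries:", unmanaged_entries(first))
    print("unchanged after a rebuild with no events:", first == second)
```

`unmanaged_entries()` is the check to run against the real lookups/ossec_servers.csv: anything it lists is there only because the `ossec_server` field carried that value in an event, and once present it persists across rebuilds until the row is removed from the CSV itself.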