
ossec_agent_status.py fails

treydock
New Member

Following the provided documentation, I'm having problems setting up a remote OSSEC server, step 6. When I run the ossec_agent_status.py script I get the following output...

# sudo -u splunk ./ossec_agent_status.py -v
Server config: 
{'ossecserver.tamu.edu': {'AGENT_CONTROL': 'ssh ossecserver.tamu.edu -t -l splunk "sudo /var/ossec/bin/agent_control -l', 'MANAGE_AGENTS': 'ssh ossecserver.tamu.edu -t -l splunk "sudo /var/ossec/bin/manage_agents'}}

Querying ossecserver.tamu.edu
OSSEC interface initialized.
Server: ossecserver.tamu.edu, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.
<pexpect.spawn object at 0x3b83d90>
version: 2.3 ($Revision: 399 $)
command: /usr/bin/ssh
args: ['/usr/bin/ssh', 'ossecserver.tamu.edu', '-t', 'splunk', 'sudo /var/ossec/bin/agent_control -l']
searcher: searcher_re:
    0: re.compile("ID:(.*)List of agentless devices:")
    1: re.compile("(?i)password")
buffer (last 100 chars): 
before (last 100 chars): bash: splunk: command not found
Connection to ossecserver.tamu.edu closed.

after: <class 'pexpect.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 16998
child_fd: 3
closed: False
timeout: 5
delimiter: <class 'pexpect.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1

I'm not really sure what to make of this. I read the docs for 3rdparty/pexpect-2.3 about this error and I'm not really sure how to troubleshoot it. Splunk is 4.2.1, build 98164, OSSEC app is latest. Both the Splunk server and OSSEC server are CentOS 5.6. Here's the output of the "AGENT_CONTROL" command run manually from the command line (hostnames altered and IPs removed):

# ssh ossecserver.tamu.edu -t -l splunk sudo /var/ossec/bin/agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossecserver (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: ossecagent1, IP: ....., Active
   ID: 003, Name: ossecagent2, IP: ...., Active
   ID: 004, Name: ossecagent3, IP: ....., Active

List of agentless devices:

Connection to ossecserver.tamu.edu closed.

Any help is greatly appreciated.


j0shrice
Path Finder

It's not a BUG! Just figured it out! It's because the agent count had never been past 000. Once you have an agent, it works great!


j0shrice
Path Finder

I have the same problem for a local server. I tried using the single quotes, but that didn't fix it. I get one accurate log from sourcetype ossec_agent_control, but then a bunch of jumbled incorrect logs after. Does anybody know of any other fixes?


lenicotra
New Member

Adding the '' around the sudo command fixed it for me... It only took 2 days to fix. Running the latest OSSEC plugin for Splunk. So still a bug...


southeringtonp
Motivator

This error can also be caused by a bug that has been identified in version 1.1.88, which should be fixed as of 1.1.89.


phswartz
New Member

Bump

I have the same error, but for a local server. Did adding the FQDN to the command line help the remote execution?
Thanks,


ptaylor999
New Member

Looks like the script is barfing on the command line you have provided. Try using the following in your ossec_servers.conf:

###
### Remote server, with SSH key-based authentication and sudo
###
[ossecserver.tamu.edu]
MANAGE_AGENTS = ssh splunk@ossecserver.tamu.edu -t 'sudo /var/ossec/bin/manage_agents'
AGENT_CONTROL = ssh splunk@ossecserver.tamu.edu -t 'sudo /var/ossec/bin/agent_control -l'
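As an added example, not code from the OSSEC app for Splunk or from any post in this thread: a small Python script that shows the two things the failing check depends on. First, how the ssh client reads the argv it is handed (options may come before or after the host, the first non-option word is the host, and everything after the host that is not an option is joined into the remote command), so that the argv pexpect printed in the question, where no -l precedes "splunk", asks the remote shell to run a command called splunk. Second, a parser for the agent_control -l listing of the shape posted above. Assumptions: shlex stands in for the splitter pexpect.spawn applies to a command string; only the ssh options used in the thread (-t and -l USER) are modelled; the sample listing is constructed and its non-loopback IPs are invented.

```python
import re
import shlex

# Constructed sample in the shape of the agent_control -l output posted in the
# question; the non-loopback addresses are made up.
SAMPLE_AGENT_LIST = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossecserver (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: ossecagent1, IP: 192.0.2.11, Active
   ID: 003, Name: ossecagent2, IP: 192.0.2.12, Active

List of agentless devices:
"""

AGENT_LINE = re.compile(
    r"^\s*ID:\s*(?P<id>\d+),\s*Name:\s*(?P<name>.+?),"
    r"\s*IP:\s*(?P<ip>\S+),\s*(?P<status>\S+)\s*$"
)


def split_command(cmdline):
    """Shell-style split of a command line from ossec_servers.conf.
    shlex stands in for the splitter pexpect.spawn applies to a command
    string; treating the two as equivalent is an assumption."""
    return shlex.split(cmdline)


def ssh_view(argv):
    """Model how the ssh client reads argv: options may precede or follow the
    host, the first non-option word is the host, and every later non-option
    word is part of the remote command, which ssh joins with spaces.
    Only the options used in the thread (-t, -l USER) are modelled."""
    host, user, command = None, None, []
    i = 1  # argv[0] is the ssh binary itself
    while i < len(argv):
        arg = argv[i]
        if not command and arg == "-t":
            i += 1
        elif not command and arg == "-l":
            user = argv[i + 1]
            i += 2
        elif host is None:
            host = arg
            i += 1
        else:
            command.append(arg)
            i += 1
    return {"host": host, "user": user, "command": " ".join(command)}


def parse_agent_list(text):
    """Parse agent_control -l output into one dict per agent line."""
    agents = []
    for line in text.splitlines():
        m = AGENT_LINE.match(line)
        if m:
            agents.append(m.groupdict())
    return agents


if __name__ == "__main__":
    # The AGENT_CONTROL line from the question, quoted as one argument.
    print(ssh_view(split_command(
        'ssh ossecserver.tamu.edu -t -l splunk "sudo /var/ossec/bin/agent_control -l"')))
    # The argv pexpect printed in the question: "splunk" with no -l before it,
    # so the remote login shell is asked to run a command named splunk.
    print(ssh_view(["/usr/bin/ssh", "ossecserver.tamu.edu", "-t", "splunk",
                    "sudo /var/ossec/bin/agent_control -l"]))
    # The user@host form suggested in the last reply.
    print(ssh_view(split_command(
        "ssh splunk@ossecserver.tamu.edu -t 'sudo /var/ossec/bin/agent_control -l'")))
    print(parse_agent_list(SAMPLE_AGENT_LIST))
```

Running it prints the host, user and remote command ssh would see for each form; in the second case the command begins with "splunk", which is what the "bash: splunk: command not found" line in the pexpect dump reports. The user@host spelling avoids the separate -l argument altogether, which is why it is the less fragile way to write the line in ossec_servers.conf.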