All Apps and Add-ons fails

New Member

Following the provided documentation, I'm having problems setting up a remote OSSEC server, step 6. When I run the script I get the following output...

# sudo -u splunk ./ -v
Server config: 
{'': {'AGENT_CONTROL': 'ssh -t -l splunk "sudo /var/ossec/bin/agent_control -l', 'MANAGE_AGENTS': 'ssh -t -l splunk "sudo /var/ossec/bin/manage_agents'}}

OSSEC interface initialized.
Server:, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.
<pexpect.spawn object at 0x3b83d90>
version: 2.3 ($Revision: 399 $)
command: /usr/bin/ssh
args: ['/usr/bin/ssh', '', '-t', 'splunk', 'sudo /var/ossec/bin/agent_control -l']
searcher: searcher_re:
    0: re.compile("ID:(.*)List of agentless devices:")
    1: re.compile("(?i)password")
buffer (last 100 chars): 
before (last 100 chars): bash: splunk: command not found
Connection to closed.

after: <class 'pexpect.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 16998
child_fd: 3
closed: False
timeout: 5
delimiter: <class 'pexpect.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1

I'm not really sure what to make of this. I read the docs for 3rdparty/pexpect-2.3 about this error and not really sure how to troubleshoot this. Splunk is 4.2.1, build 98164, OSSEC app is latest. Both the Splunk server and OSSEC server are CentOS 5.6. Here's the output of the "AGENT_CONTROL" command run manually from command line (hostnames altered and IPs removed):

# ssh -t -l splunk sudo /var/ossec/bin/agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossecserver (server), IP:, Active/Local
   ID: 002, Name: ossecagent1, IP: ....., Active
   ID: 003, Name: ossecagent2, IP: ...., Active
   ID: 004, Name: ossecagent3, IP: ....., Active

List of agentless devices:

Connection to closed.

Any help is greatly appreciated.

0 Karma

Path Finder

Its not a BUG! Just figured it out! It's because the agent count never had been past 000. Once you had an agent, it works great!

0 Karma

Path Finder

I have the same problem for a local server. I tried using the single quotes, but that didn't fix it. I get one accurate log from sourcetype ossec_agent_control, but then a bunch of jumbled incorrect logs after. Does anybody know of any other fixes?

0 Karma

New Member

Adding the '' around the sudo command fixed it for me... It only took 2 days to fix. Running the latest ossec plugin for splunk. SO still a bug...

0 Karma


This error can also be caused by a bug that has been identified in version 1.1.88, which should be fixed as of 1.1.89.

0 Karma

New Member


I have the same error, but for a local server. Did adding the FQDN to the command line help the remote execution?

0 Karma

New Member

Looks like the script is barfing on the command line you have provided. Try using the following in your ossec_servers.conf:

### Remote server, with SSH key-based authentication and sudo
MANAGE_AGENTS = ssh -t 'sudo /var/ossec/bin/manage_agents'
AGENT_CONTROL = ssh -t 'sudo /var/ossec/bin/agent_control -l'
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!