I am running Splunk for OSSEC, v4. OSSEC 2.5.1 is installed and running on the same server as Splunk. I originally started Splunk as root with
/opt/splunk/bin/splunk start
but then decided I wanted to run it as a non-root user (splunk user). I chown'ed the entire /opt/splunk directory as the splunk user and then restarted Splunk. When I go to Searches & Reports > Utilities > Initialize OSSEC Server Lookup Table, and/or Rebuild Table, I get these errors:
The lookup table 'lookup_ossec_servers' is invalid.
Found no results to write to file 'lookup_ossec_servers'.
What's the best way to "clear" everything out and start fresh? Seems like I need to delete this lookup table and start over. Any help is appreciated.
The initialize option currently still requires that the table is valid (this is a known issue, planned to be updated in a later release). Right now, it just clears out anything other than the default "All OSSEC Servers" entry.
The simplest thing would be to open the file in a text editor and replace its contents with:
"ossec_server",description,managed
"*","All OSSEC Servers",0
Then, run the Rebuild OSSEC Server Lookup Table search again. Alternately, you can manually add a line for your server while you're editing the file, e.g.:
myserver,"This is my managed OSSEC server",1
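As an added example (not code from the Splunk for OSSEC app or from the answer above), the following Python script rebuilds and checks a lookup_ossec_servers.csv in the layout the answer gives: the three columns ossec_server, description and managed, a "*" / "All OSSEC Servers" default row, and optional managed-server rows. The column names and the two sample rows come from the answer; the validation rules (managed must be 0 or 1, server names must be unique, the "*" row must be present) and the file-permission check for a non-root Splunk user are assumptions about what makes the table usable, not documented behaviour of the app. The two CSV samples are constructed.

```python
import csv
import io
import os

# Column layout the Splunk for OSSEC app expects in lookup_ossec_servers.csv
# (column names and default row taken from the answer above).
LOOKUP_HEADER = ["ossec_server", "description", "managed"]
DEFAULT_ROW = ("*", "All OSSEC Servers", 0)

# Constructed sample: the minimal table from the answer plus one managed server.
SAMPLE_GOOD = (
    '"ossec_server",description,managed\n'
    '"*","All OSSEC Servers",0\n'
    'myserver,"This is my managed OSSEC server",1\n'
)

# Constructed sample of a table that should be rejected: wrong header, a row
# with a missing column, a non-boolean 'managed' value and no "*" default row.
SAMPLE_BAD = (
    'ossec_server,desc,managed\n'
    'myserver,"broken row"\n'
    'other,"bad flag",yes\n'
)


def parse_lookup(text):
    """Parse lookup CSV text into (header, rows) using standard CSV quoting rules."""
    reader = csv.reader(io.StringIO(text))
    records = [row for row in reader if row]  # skip blank lines
    if not records:
        return [], []
    return records[0], records[1:]


def validate_lookup(text):
    """Return a list of human-readable problems; an empty list means the table is usable.

    The rules below are assumptions (header match, 3 fields per row, managed in {0,1},
    unique server names, a "*" default row), not the app's own validation logic.
    """
    header, rows = parse_lookup(text)
    problems = []
    if header != LOOKUP_HEADER:
        problems.append(f"header is {header!r}, expected {LOOKUP_HEADER!r}")
    seen = set()
    has_default = False
    for lineno, row in enumerate(rows, start=2):
        if len(row) != len(LOOKUP_HEADER):
            problems.append(f"line {lineno}: expected {len(LOOKUP_HEADER)} fields, got {len(row)}")
            continue
        server, _description, managed = row
        if managed not in ("0", "1"):
            problems.append(f"line {lineno}: managed must be 0 or 1, got {managed!r}")
        if server in seen:
            problems.append(f"line {lineno}: duplicate ossec_server {server!r}")
        seen.add(server)
        if server == "*":
            has_default = True
    if not has_default:
        problems.append('no "*" (All OSSEC Servers) default row')
    return problems


def build_lookup(managed_servers=()):
    """Render a fresh table: the default row plus one managed row per (name, description)."""
    buf = io.StringIO()
    # QUOTE_NONNUMERIC quotes every text field and leaves the integer flag bare,
    # which matches the "*","All OSSEC Servers",0 form shown in the answer.
    writer = csv.writer(buf, quoting=csv.QUOTE_NONNUMERIC, lineterminator="\n")
    writer.writerow(LOOKUP_HEADER)
    writer.writerow(DEFAULT_ROW)
    for name, description in managed_servers:
        writer.writerow((name, description, 1))
    return buf.getvalue()


def check_file_access(path):
    """Report whether the user running this script can read/write the lookup file.

    Useful after switching Splunk from root to a dedicated user: a table Splunk
    cannot rewrite after the chown looks the same as an invalid one from the UI.
    """
    return {
        "exists": os.path.exists(path),
        "readable": os.access(path, os.R_OK),
        "writable": os.access(path, os.W_OK),
        "dir_writable": os.access(os.path.dirname(path) or ".", os.W_OK),
    }


if __name__ == "__main__":
    print("good sample problems:", validate_lookup(SAMPLE_GOOD))
    print("bad sample problems:", validate_lookup(SAMPLE_BAD))
    print(build_lookup([("myserver", "This is my managed OSSEC server")]))
    # Path from the question; adjust if your Splunk lives elsewhere.
    print(check_file_access("/opt/splunk/etc/apps/ossec/lookups/lookup_ossec_servers.csv"))
```

Run it as the same account that runs splunkd, so check_file_access reports what Splunk itself would see; write build_lookup()'s output over the CSV only once validate_lookup returns no problems, then run the Rebuild search as the answer describes.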
I tried your two suggestions and edited /opt/splunk/etc/apps/ossec/lookups/lookup_ossec_servers.csv, but I still got the same "table is invalid" error. I reinstalled the app and that worked for me. Thanks for the reply...looking forward to using the app!