Hi,
I've configured my ossec_servers.conf like that.
Both AGENT_CONTROL and MANAGE_AGENTS commands run correctly in the command line.
But when I run ./ossec_agent_status.py -v, the output is Server: s_3_118, Error: Unable to run data collection. Error: Password prompt encountered. Aborting.
I'm sure that I can access my server via ssh without a password with user root (I run splunk with root).
So how can I solve this problem?
A very stupid issue. 😐
It seems that Splunk for OSSEC doesn't care about the -l option of the ssh command.
Change:
AGENT_CONTROL = ssh -t 192.168.3.118 -l ossec_for_splunk 'sudo /var/ossec/bin/agent_control -l'
MANAGE_AGENTS = ssh -t 192.168.3.118 -l ossec_for_splunk 'sudo /var/ossec/bin/manage_agents'
To:
AGENT_CONTROL = ssh -t ossec_for_splunk@192.168.3.118 'sudo /var/ossec/bin/agent_control -l'
MANAGE_AGENTS = ssh -t ossec_for_splunk@192.168.3.118 'sudo /var/ossec/bin/manage_agents'
Am I the only one in this world who uses ssh -l? :((
Yes, please fix that in the next version.
My boss laughed a lot when he found out the reason.
Good catch! You're not the only one to use that parameter though. I have it configured with -l on my production system and it works fine, but I'm also using a slightly newer build than the public release. Sounds like your immediate issue is resolved though, so I'll make a note of it as a possible bug.
The first thing to try is running the whole command (everything after the AGENT_CONTROL=) manually, while logged in as the Splunk service account (i.e., as root). Make sure that it runs and does not prompt you for a password.
If you've already established that you don't get a password prompt logging into the remote server, then it's probably sudo on the remote system that's prompting you for the password. On the remote OSSEC server, make sure that you have the following in /etc/sudoers:
splunk ALL = NOPASSWD: /var/ossec/bin/agent_control -l
splunk ALL = NOPASSWD: /var/ossec/bin/manage_agents
Note also that these do grant the Splunk account additional access to OSSEC itself. You don't have to set this part up if all you want is basic monitoring of alerts.
As a third possibility, be sure to disable running the commands locally if you don't need it. In your posted config, it looks like you have two stanzas active -- both [_local] and [s_3_118]. If you're only using the remote server, you can disable it as shown:
[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents
DISABLED = True
Otherwise, if you have not configured sudo on the local machine to allow the commands to run, the local sudo may be prompting you.
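As an added example (not part of the Splunk for OSSEC app): a small Python linter for ossec_servers.conf that flags the two causes of the password prompt raised in this thread, the ssh -l form that the app does not honour (rewriting it to the user@host form used in the fix above) and a [_local] stanza left enabled beside a remote one. It assumes the file is INI-style with the stanza and key names shown in the thread; the function names and the sample config are mine, constructed to mirror the posted config.

```python
import configparser
import shlex

SSH_OPTS_WITH_ARG = set("-b -c -D -e -E -F -i -I -J -l -L -m -o -O -p -Q -R -S -w -W".split())  # ssh(1) options that take a value
COMMAND_KEYS = ("AGENT_CONTROL", "MANAGE_AGENTS")


def rewrite_ssh_login(cmd):
    """Turn 'ssh ... host -l user cmd' into 'ssh ... user@host cmd'; anything else is returned unchanged."""
    tok = shlex.split(cmd)
    if not tok or tok[0] != "ssh" or "-l" not in tok:
        return cmd
    opts, rest, user, host, i = [], [], None, None, 1
    while i < len(tok):
        t = tok[i]
        if rest or (host and not t.startswith("-")):   # inside the remote command: copy verbatim
            rest.append(t); i += 1
        elif t == "-l":                                 # ssh accepts -l before or after the host
            user, i = tok[i + 1], i + 2
        elif t.startswith("-"):                         # keep every other option as written
            n = 2 if t in SSH_OPTS_WITH_ARG else 1
            opts += tok[i:i + n]; i += n
        else:
            host, i = t, i + 1
    return cmd if user is None or host is None else shlex.join(["ssh", *opts, f"{user}@{host}", *rest])


def lint_config(text):
    """Return (stanza, key, finding) tuples for the two prompt causes discussed above."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                                # keep AGENT_CONTROL etc. upper-case
    cp.read_string(text)
    enabled = [s for s in cp.sections() if not cp.getboolean(s, "DISABLED", fallback=False)]
    out = []
    for s in enabled:
        if s == "_local" and len(enabled) > 1:
            out.append((s, "DISABLED", "[_local] enabled beside a remote stanza; local sudo may prompt"))
        for k in COMMAND_KEYS:
            cmd = cp.get(s, k, fallback=None)
            if cmd and rewrite_ssh_login(cmd) != cmd:
                out.append((s, k, "ssh -l is not honoured; use: " + rewrite_ssh_login(cmd)))
    return out


# Constructed sample reproducing the two-stanza config described in the thread
SAMPLE_CONF = """[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents
[s_3_118]
AGENT_CONTROL = ssh -t 192.168.3.118 -l ossec_for_splunk 'sudo /var/ossec/bin/agent_control -l'
MANAGE_AGENTS = ssh -t 192.168.3.118 -l ossec_for_splunk 'sudo /var/ossec/bin/manage_agents'
"""
```

Running lint_config(SAMPLE_CONF) reports the enabled [_local] stanza and both remote commands, with the rewritten user@host form of each.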
That log entry is related to this problem. Whenever I run ./ossec_agent_status.py on the Splunk server machine, that log entry appears in /var/log/secure on the OSSEC server machine.
Thanks for looking at my config. I've already added the commands to the sudoers file. The command runs well on the OSSEC server machine.
Even stranger - if anything you should be seeing failed password for 'ossec_for_splunk', not for 'root'! Maybe that log entry is something else? Looking again at your sample config, I think I see another issue though. You have the commands enabled both for the local Splunk server and for the remote OSSEC server. Perhaps you're getting the password prompt from sudo on the local system?
No, I don't have passphrase.
And the problem seems to be ssh.
Dec 31 10:51:33 [hostname] sshd[31189]: Failed password for root from xxx.xxx.xxx.xxx port 59853 ssh2
Strange, because I can use ssh without a password.
Hmm, very strange. A long shot, but do you have a passphrase on your SSH key? Do you see anything in the system logs on the OSSEC server, either from sudo or sshd?
The first thing to try is running the whole command (everything after the AGENT_CONTROL=) manually, while logged in as the Splunk service account (i.e., as root).
--> It runs well with no password prompt. And I've already modified sudoers.
Could another reason cause this problem?