
Error: Unable to run data collection

favadi
Explorer

Hi,
I've configured my ossec_servers.conf like this.

Both AGENT_CONTROL and MANAGE_AGENTS commands run correctly in command line.

But when I run ./ossec_agent_status.py -v, the output is Server: s_3_118, Error: Unable to run data collection. Error: Password prompt encountered. Aborting.

I'm sure that I can access my server via ssh without a password as user root (I run splunk as root).

So how can I solve this problem?

0 Karma
1 Solution

favadi
Explorer

A very stupid issue. 😐
It seems that Splunk for OSSEC doesn't care about the -l option of the ssh command.
Change:

        AGENT_CONTROL = ssh -t 192.168.3.118 -l ossec_for_splunk 'sudo /var/ossec/bin/agent_control -l'
        MANAGE_AGENTS = ssh -t 192.168.3.118 -l ossec_for_splunk 'sudo /var/ossec/bin/manage_agents'

To:

        AGENT_CONTROL = ssh -t ossec_for_splunk@192.168.3.118 'sudo /var/ossec/bin/agent_control -l'
        MANAGE_AGENTS = ssh -t ossec_for_splunk@192.168.3.118 'sudo /var/ossec/bin/manage_agents'

Am I the only one in this world who uses ssh -l? :((


favadi
Explorer

Yes, please fix that in the next version.
My boss laughed a lot when he found out the reason.

0 Karma

southeringtonp
Motivator

Good catch! You're not the only one to use that parameter though. I have it configured with -l on my production system and it works fine, but I'm also using a slightly newer build than the public release. Sounds like your immediate issue is resolved though, so I'll make a note of it as a possible bug.

0 Karma

southeringtonp
Motivator

The first thing to try is running the whole command (everything after the AGENT_CONTROL=) manually, while logged in as the Splunk service account (i.e., as root). Make sure that it runs and does not prompt you for a password.

If you've already established that you don't get a password prompt logging into the remote server, then it's probably sudo on the remote system that's prompting you for the password. On the remote OSSEC server, make sure that you have the following in /etc/sudoers:

        splunk  ALL = NOPASSWD: /var/ossec/bin/agent_control -l
        splunk  ALL = NOPASSWD: /var/ossec/bin/manage_agents

Note also that these do grant the Splunk account additional access to OSSEC itself. You don't have to set this part up if all you want is basic monitoring of alerts.

As a third possibility, be sure to disable running the commands locally if you don't need it. In your posted config, it looks like you have two stanzas active -- both [_local] and [s_3_118]. If you're only using the remote server, you can disable it as shown:

        [_local]
        AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
        MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents
        DISABLED = True

Otherwise, if you have not configured sudo on the local machine to allow the commands to run, the local sudo may be prompting you.
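
The troubleshooting reply above boils down to three places where a password prompt can come from (ssh itself, sudo on the remote OSSEC server, or sudo in a still-enabled [_local] stanza), and the accepted answer found that the `-l USER HOST` form failed while `USER@HOST` worked. As an added example (not code from the Splunk for OSSEC app or from anyone in this thread), the following Python reads stanzas in the shape quoted in the thread, skips any marked DISABLED, and rewrites the remaining commands so that neither ssh nor sudo can stop on a prompt: `-l USER HOST` becomes `USER@HOST`, `-o BatchMode=yes` is added so ssh errors out instead of asking, and `sudo` becomes `sudo -n` so sudo errors out instead of asking. The INI-style stanza layout, the key names and the sample file contents are assumptions modelled on the snippets in the thread, not taken from the app.

```python
"""Added example, not code from the Splunk for OSSEC app: read
ossec_servers.conf-style stanzas and rewrite their commands so that
neither ssh nor the remote sudo can stop on a password prompt.

Assumptions (modelled on the thread, not taken from the app): INI-style
stanzas, keys AGENT_CONTROL / MANAGE_AGENTS, optional DISABLED = True.
"""
import configparser
import shlex

# Constructed sample, modelled on the stanzas quoted in the thread.
SAMPLE_CONF = """
[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents
DISABLED = True

[s_3_118]
AGENT_CONTROL = ssh -t 192.168.3.118 -l ossec_for_splunk 'sudo /var/ossec/bin/agent_control -l'
MANAGE_AGENTS = ssh -t 192.168.3.118 -l ossec_for_splunk 'sudo /var/ossec/bin/manage_agents'
"""

COMMAND_KEYS = ("AGENT_CONTROL", "MANAGE_AGENTS")
# Single-letter ssh options that take a separate value (see ssh(1)).
SSH_OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")


def load_enabled_stanzas(text):
    """Return {stanza: {key: command}} for every stanza not marked DISABLED."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    stanzas = {}
    for name in cp.sections():
        if cp.getboolean(name, "DISABLED", fallback=False):
            continue  # what DISABLED = True in the [_local] stanza is for
        stanzas[name] = {k: cp.get(name, k) for k in COMMAND_KEYS if cp.has_option(name, k)}
    return stanzas


def nonprompting_sudo(argv):
    """Turn `sudo CMD` into `sudo -n CMD`: fail instead of asking for a password."""
    if argv and argv[0] == "sudo" and argv[1:2] != ["-n"]:
        return ["sudo", "-n"] + argv[1:]
    return list(argv)


def harden_command(command):
    """Rewrite one AGENT_CONTROL / MANAGE_AGENTS value so it fails fast.

    - `ssh ... -l USER HOST` becomes `ssh ... USER@HOST` (the form that worked in the thread)
    - `-o BatchMode=yes` is added so ssh errors out instead of prompting
    - the remote (or local) `sudo` gains `-n` so it errors out instead of prompting
    """
    argv = shlex.split(command)
    if not argv:
        return command
    if argv[0] != "ssh":  # local stanza: only the sudo part applies
        return shlex.join(nonprompting_sudo(argv))

    opts, login, host, remote = ["ssh"], None, None, []
    i = 1
    while i < len(argv):
        a = argv[i]
        # OpenSSH keeps parsing options after the host until the first
        # non-option word, which starts the remote command.
        if not remote and a.startswith("-") and len(a) > 1:
            if a == "-l":
                login, i = argv[i + 1], i + 2
            elif a.startswith("-l"):
                login, i = a[2:], i + 1
            elif len(a) == 2 and a[1] in SSH_OPTS_WITH_ARG:
                opts += [a, argv[i + 1]]
                i += 2
            else:
                opts.append(a)
                i += 1
            continue
        if host is None:
            host = a
        else:
            remote.append(a)
        i += 1
    if host is None:
        raise ValueError(f"no host in ssh command: {command!r}")
    if login and "@" not in host:
        host = f"{login}@{host}"
    if "BatchMode=yes" not in opts:
        opts += ["-o", "BatchMode=yes"]
    if len(remote) == 1:  # remote command given as one quoted string, as in the thread
        remote = [shlex.join(nonprompting_sudo(shlex.split(remote[0])))]
    else:
        remote = nonprompting_sudo(remote)
    return shlex.join(opts + [host] + remote)


def harden_config(text):
    """Hardened commands for every enabled stanza of an ossec_servers.conf text."""
    return {name: {k: harden_command(v) for k, v in cmds.items()}
            for name, cmds in load_enabled_stanzas(text).items()}


if __name__ == "__main__":
    for stanza, cmds in harden_config(SAMPLE_CONF).items():
        for key, cmd in cmds.items():
            print(f"[{stanza}] {key} = {cmd}")
```

With BatchMode and `sudo -n` in place, a missing key or a missing NOPASSWD sudoers entry shows up as a non-zero exit and an error on stderr from the poller, rather than as a hung process waiting on a prompt, which makes the sshd and sudo entries in the remote system log the next thing to check.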

favadi
Explorer

That log entry is related to this problem. Whenever I run ./ossec_agent_status.py on the splunk server machine, that log entry appears in /var/log/secure on the ossec server machine.

Thanks for looking at my config. I've already added the commands to the sudoers file. The commands run well on the ossec server machine.

0 Karma

southeringtonp
Motivator

Even stranger - if anything you should be seeing failed password for 'ossec_for_splunk', not for 'root'! Maybe that log entry is something else? Looking again at your sample config, I think I see another issue though. You have the commands enabled both for the local Splunk server and for the remote OSSEC server. Perhaps you're getting the password prompt from sudo on the local system?

favadi
Explorer

No, I don't have a passphrase.
And the problem seems to be ssh.

Dec 31 10:51:33 [hostname] sshd[31189]: Failed password for root from xxx.xxx.xxx.xxx port 59853 ssh2

Strange, because I can use ssh without a password.

0 Karma

southeringtonp
Motivator

Hmm, very strange. A long shot, but do you have a passphrase on your SSH key? Do you see anything in the system logs on the OSSEC server, either from sudo or sshd?

favadi
Explorer

The first thing to try is running the whole command (everything after the AGENT_CONTROL=) manually, while logged in as the Splunk service account (i.e., as root).
--> It runs well with no password prompt. And I've already modified sudoers.
Could another reason be causing this problem?

0 Karma