Ossec 2.6, Splunk splunk-4.2.3-105575 and Splunk app ossec-1.1.88
Recently upgraded Ossec from 2.0 to 2.6 and added Splunk. Both reside on the same server, which has over 900 active agents. When using the Splunk web interface only a few (36) agents show up, and as part of troubleshooting, running ossec_agent_status.py, I see that it gets an error.
Also, even in the web interface under "Agent Status", the status column drops letters (doesn't finish the word, e.g. "disco" instead of "disconnected" or "Never con" instead of "Never connected") for some of the agents. I don't know if that is part of this same problem or something different.
I hope someone can help with this as I would really like to show off Splunk using an existing Ossec installation base.
Thanks,
Here is the output from the ossec_agent_status.py
splunk@n1pvir006 > ./ossec_agent_status.py -v
Server config:
{'n1pvir006': {'AGENT_CONTROL': 'sudo /opt/ossec/bin/agent_control -l', 'MANAGE_AGENTS': 'sudo /opt/ossec/bin/manage_agents'}}
Querying n1pvir006
OSSEC interface initialized.
Server: n1pvir006, Error: Unable to run data collection. Timeout exceeded in expect_any().
version: 2.3 ($Revision: 399 $)
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/opt/ossec/bin/agent_control', '-l']
searcher: searcher_re:
0: re.compile("ID:(.*)List of agentless devices:")
1: re.compile("(?i)password")
buffer (last 100 chars): pvap020, IP: 10.180.5.151, Active
ID: 1036, Name: w1pvap003, IP: 10.180.5.152, Active
ID: 10
before (last 100 chars): pvap020, IP: 10.180.5.151, Active
ID: 1036, Name: w1pvap003, IP: 10.180.5.152, Active
ID: 10
after:
match: None
match_index: None
exitstatus: None
flag_eof: False
pid: 11189
child_fd: 3
closed: False
timeout: 5
delimiter:
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
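The dump above shows why the collection fails: the only pattern the script waits for is `ID:(.*)List of agentless devices:`, which cannot match until the trailer line after the last agent has arrived, and `expect` gave up after its 5 second timeout with the buffer still in the middle of the list (maxread 2000 bytes per read). The following is an added example, not code from the Splunk app or from OSSEC: it parses the `agent_control -l` lines one at a time, so a list cut short by a timeout is still reported (flagged as incomplete) instead of being lost, and it runs the command with `subprocess` so the partial output survives the timeout. The line format is taken from the dump above; the host names and IPs in the sample output are constructed, and the header line of that sample is a constructed stand-in.

```python
import re
import subprocess
import sys
from collections import Counter

PYTHON = sys.executable  # used only to build a self-contained stand-in command for testing

# One agent line as printed by `agent_control -l` in the dump above, e.g.
#   ID: 1036, Name: w1pvap003, IP: 10.180.5.152, Active
AGENT_LINE = re.compile(
    r"^\s*ID:\s*(?P<id>\d+),\s*Name:\s*(?P<name>\S+),\s*IP:\s*(?P<ip>\S+),\s*(?P<status>.+?)\s*$"
)
# Trailer that ends the agent list; the app's single regex cannot match before it arrives.
TRAILER = "List of agentless devices:"


def parse_agent_lines(lines):
    """Parse agent lines one at a time.

    Returns (agents, complete): agents is everything parsed so far and
    complete is True only if the trailer was reached, so the caller can
    tell a full list from one cut short by a timeout instead of losing all of it.
    """
    agents = []
    for line in lines:
        if line.strip().startswith(TRAILER):
            return agents, True
        m = AGENT_LINE.match(line)
        if m:
            agents.append(m.groupdict())
    return agents, False


def status_summary(agents):
    """Count agents per status string (Active, Disconnected, Never connected, ...)."""
    return Counter(a["status"] for a in agents)


def run_agent_control(cmd, timeout):
    """Run the listing command and parse whatever it printed.

    On timeout subprocess.run kills the child and raises TimeoutExpired, which
    still carries the stdout collected so far; that partial list is parsed
    and reported as incomplete rather than discarded.
    """
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout).stdout
    except subprocess.TimeoutExpired as exc:
        out = exc.stdout or ""
        if isinstance(out, bytes):  # on POSIX the partial output is attached as bytes
            out = out.decode(errors="replace")
    return parse_agent_lines(out.splitlines())


def make_sample_output(n_agents, stop_after=None):
    """Constructed agent_control -l output with hypothetical host names and IPs.

    With stop_after set, the list stops before the trailer, mimicking the
    buffer state shown in the timeout dump.
    """
    statuses = ["Active", "Disconnected", "Never connected"]
    lines = ["OSSEC HIDS agent_control. List of available agents:"]  # constructed header
    for i in range(1, n_agents + 1):
        if stop_after is not None and i > stop_after:
            return lines
        lines.append(
            f"   ID: {1000 + i}, Name: host{i:04d}, IP: 10.0.{i // 256}.{i % 256}, {statuses[i % 3]}"
        )
    lines.append(TRAILER)
    return lines


if __name__ == "__main__":
    samples = (("full", make_sample_output(900)), ("cut off", make_sample_output(900, stop_after=500)))
    for label, sample in samples:
        agents, complete = parse_agent_lines(sample)
        print(f"{label}: {len(agents)} agents, complete={complete}, {dict(status_summary(agents))}")
```

To use it against a real manager, call `run_agent_control(["sudo", "/opt/ossec/bin/agent_control", "-l"], timeout=60)` (the command from the server config above) and treat `complete == False` as a signal to raise the timeout rather than as an empty result; with 900 agents the full list is several times larger than the 2000 byte read window the original script uses.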