When I look in my OSSEC Dashboard, all 600 agents are disconnected. I'm also seeing the messages not parsed correctly. The top signatures over time show all sigs with a _ Null value.
I have OSSEC set to forward its syslog messages to Splunk on a specific port with source_type set to ossec.
Running # ./ossec_agent_status.py -v
Gives:
Querying ossec1
OSSEC interface initialized.
Server: ossec1, Error: Unable to run data collection. Error: Password prompt encountered. Aborting.
Querying ossec
OSSEC interface initialized.
Server: ossec, Error: Unable to run data collection. Error: Password prompt encountered. Aborting.
Querying splunk1
OSSEC interface initialized.
Server: splunk1, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.
version: 2.3 ($Revision: 399 $)
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/var/ossec/bin/agent_control', '-l']
searcher: searcher_re:
0: re.compile("ID:(.*)List of agentless devices:")
1: re.compile("(?i)password")
buffer (last 100 chars):
before (last 100 chars): sudo: /var/ossec/bin/agent_control: command not found
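The trace above shows the collector running `sudo /var/ossec/bin/agent_control -l` and searching its output for `ID:...List of agentless devices:` or a password prompt. As an added example that is not part of the Splunk app or the original post, the following code takes that captured text and classifies the three failure modes seen above (password prompt, command not found, output ending before the expected terminator) before parsing the agent list; the `agent_control -l` line format is assumed from the real tool, and the sample output is constructed.

```python
import re

# Constructed sample of `sudo /var/ossec/bin/agent_control -l` output on a
# working OSSEC server (format follows the real tool; hosts and IPs made up).
SAMPLE_OK = """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec1 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.11, Active
   ID: 002, Name: db01, IP: 10.0.0.12, Disconnected

List of agentless devices:
"""

# One agent line: "ID: 001, Name: web01, IP: 10.0.0.11, Active"
AGENT_RE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(.+?),\s*IP:\s*(\S+),\s*(\S+)")


def classify_failure(captured: str):
    """Map what the collector saw to the failure class shown in the post,
    or None when the output looks like a complete agent list."""
    if re.search(r"(?i)password", captured):
        # sudo asked for a password: the Splunk user needs a NOPASSWD rule
        # limited to /var/ossec/bin/agent_control, not an interactive prompt
        return "sudo-password-prompt"
    if "command not found" in captured:
        # wrong install path, or this host is an agent/forwarder, not a server
        return "agent_control-missing"
    if "List of agentless devices:" not in captured:
        # EOF before the terminator the collector's regex expects
        return "unexpected-output"
    return None


def parse_agents(captured: str):
    """Return {agent_id: (name, ip, status)} from agent_control -l output."""
    failure = classify_failure(captured)
    if failure:
        raise RuntimeError(f"cannot parse agent list: {failure}")
    return {m.group(1): (m.group(2), m.group(3), m.group(4))
            for m in AGENT_RE.finditer(captured)}


def disconnected(captured: str):
    """Agent IDs reported as Disconnected, sorted, for dashboard checks."""
    return sorted(agent_id for agent_id, (_, _, status)
                  in parse_agents(captured).items() if status == "Disconnected")
```

Running `classify_failure` on the `before` buffer from the trace above returns "agent_control-missing", which points at the sudo path rather than at the agents themselves.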