Following the provided documentation, I'm having problems setting up a remote OSSEC server, step 6. When I run the ossec_agent_status.py script I get the following output...
# sudo -u splunk ./ossec_agent_status.py -v
Server config:
{'ossecserver.tamu.edu': {'AGENT_CONTROL': 'ssh ossecserver.tamu.edu -t -l splunk "sudo /var/ossec/bin/agent_control -l', 'MANAGE_AGENTS': 'ssh ossecserver.tamu.edu -t -l splunk "sudo /var/ossec/bin/manage_agents'}}
Querying ossecserver.tamu.edu
OSSEC interface initialized.
Server: ossecserver.tamu.edu, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.
<pexpect.spawn object at 0x3b83d90>
version: 2.3 ($Revision: 399 $)
command: /usr/bin/ssh
args: ['/usr/bin/ssh', 'ossecserver.tamu.edu', '-t', 'splunk', 'sudo /var/ossec/bin/agent_control -l']
searcher: searcher_re:
0: re.compile("ID:(.*)List of agentless devices:")
1: re.compile("(?i)password")
buffer (last 100 chars):
before (last 100 chars): bash: splunk: command not found
Connection to ossecserver.tamu.edu closed.
after: <class 'pexpect.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 16998
child_fd: 3
closed: False
timeout: 5
delimiter: <class 'pexpect.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
I'm not really sure what to make of this. I read the docs for 3rdparty/pexpect-2.3 about this error and am not really sure how to troubleshoot this. Splunk is 4.2.1, build 98164, OSSEC app is latest. Both the Splunk server and OSSEC server are CentOS 5.6. Here's the output of the "AGENT_CONTROL" command run manually from command line (hostnames altered and IPs removed):
# ssh ossecserver.tamu.edu -t -l splunk sudo /var/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: ossecserver (server), IP: 127.0.0.1, Active/Local
ID: 002, Name: ossecagent1, IP: ....., Active
ID: 003, Name: ossecagent2, IP: ...., Active
ID: 004, Name: ossecagent3, IP: ....., Active
List of agentless devices:
Connection to ossecserver.tamu.edu closed.
Any help is greatly appreciated.