ossec_agent_status.py fails

Question

Following the provided documentation, I'm having problems setting up a remote OSSEC server, step 6. When I run the ossec_agent_status.py script I get the following output...

# sudo -u splunk ./ossec_agent_status.py -v
Server config: 
{'ossecserver.tamu.edu': {'AGENT_CONTROL': 'ssh ossecserver.tamu.edu -t -l splunk "sudo /var/ossec/bin/agent_control -l', 'MANAGE_AGENTS': 'ssh ossecserver.tamu.edu -t -l splunk "sudo /var/ossec/bin/manage_agents'}}

Querying ossecserver.tamu.edu
OSSEC interface initialized.
Server: ossecserver.tamu.edu, Error: Unable to run data collection. End Of File (EOF) in read_nonblocking(). Exception style platform.
<pexpect.spawn object at 0x3b83d90>
version: 2.3 ($Revision: 399 $)
command: /usr/bin/ssh
args: ['/usr/bin/ssh', 'ossecserver.tamu.edu', '-t', 'splunk', 'sudo /var/ossec/bin/agent_control -l']
searcher: searcher_re:
    0: re.compile("ID:(.*)List of agentless devices:")
    1: re.compile("(?i)password")
buffer (last 100 chars): 
before (last 100 chars): bash: splunk: command not found
Connection to ossecserver.tamu.edu closed.

after: <class 'pexpect.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 16998
child_fd: 3
closed: False
timeout: 5
delimiter: <class 'pexpect.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1

I'm not really sure what to make of this. I read the docs for 3rdparty/pexpect-2.3 about this error and not really sure how to troubleshoot this. Splunk is 4.2.1, build 98164, OSSEC app is latest. Both the Splunk server and OSSEC server are CentOS 5.6. Here's the output of the "AGENT_CONTROL" command run manually from command line (hostnames altered and IPs removed):

# ssh ossecserver.tamu.edu -t -l splunk sudo /var/ossec/bin/agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossecserver (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: ossecagent1, IP: ....., Active
   ID: 003, Name: ossecagent2, IP: ...., Active
   ID: 004, Name: ossecagent3, IP: ....., Active

List of agentless devices:

Connection to ossecserver.tamu.edu closed.

Any help is greatly appreciated.

Answer 1

Looks like the script is barfing on the command line you have provided. Try using the following in your ossec_servers.conf:

###
### Remote server, with SSH key-based authentication and sudo
###
[ossecserver.tamu.edu]
MANAGE_AGENTS = ssh splunk@ossecserver.tamu.edu -t 'sudo /var/ossec/bin/manage_agents'
AGENT_CONTROL = ssh splunk@ossecserver.tamu.edu -t 'sudo /var/ossec/bin/agent_control -l'

Answer 2

0	Bump I have the same error, but for a local server. Did adding the FQDN to the command line help the remote execution? Thanks, link answered 18 Aug '11, 05:19 phswartz 11●1 accept rate: 0%

Answer 3

0	This error can also be caused by a bug that has been identified in version 1.1.88, which should be fixed as of 1.1.89. link answered 13 Mar '12, 18:39 southeringtonp ♦ 4.9k●2●5●24 accept rate: 35% edited 13 Mar '12, 18:40

ossec_agent_status.py fails

Follow this question

Splunk Resources

Related questions