Deployment Architecture

How do I enable remote agent management in Splunk for OSSEC?

southeringtonp
Motivator

This page is a placeholder for people having difficulty configuring remote agent management when using Splunk for OSSEC.

See answer and troubleshooting steps below.

Tags (1)
0 Karma

akeneratlanticu
Engager

Minor correction, when editing local/ossec_servers.conf in order to add a new server, the AGENT_CONTROL command is missing the -l option.

0 Karma

southeringtonp
Motivator

Warnings:

  • By following the steps below, you will be granting the Splunk service account access to log into your OSSEC server and run commands. Be sure you fully understand any security implications for your environment before proceeding.

  • In particular, enabling the MANAGE_AGENTS option will allow anyone with sufficient access in Splunk to see and modify your OSSEC agent keys.

  • Examples below assume the default configuration (Splunk running as root and installed in /opt/splunk, OSSEC installed in /var/ossec), and that you will use an account named splunk to log into the OSSEC server.

  • Basic familiarity with unix and OSSEC is assumed. Basic commands to log in and out, etc. are not shown.

Remote Access Configuration:

First, you will need to make sure that the Splunk server can log into the OSSEC server to run management commands.

  • On the OSSEC server, create a new login account for the Splunk server to use when connecting.


    root@ossec_server$ useradd splunk

  • On the Splunk server, create an SSH keypair for the root user (or whichever account splunkd is running as), and copy the public key to the OSSEC server.


    user@splunk_server$ sudo su -
    root@splunk_server# ssh-keygen
    root@splunk_server# scp .ssh/id_rsa.pub splunk@ossec_server:authorized_keys

  • On the OSSEC server, log in as the splunk account and configure the authorized_keys file to allow SSH logins without a password:


    splunk@ossecserver$ mkdir .ssh
    splunk@ossecserver$ mv authorized_keys .ssh/
    splunk@ossecserver$ chmod -R go-rwx .ssh

  • Verify that the Splunk server can log into the OSSEC server without a password prompt.

    You MUST do this at least once and say yes to the SSH key prompt.

    The second run should not prommpt.

    root@splunkserver#    ssh splunk@ossec_server
    splunk@ossecserver$   exit
    root@splunkserver#    ssh splunk@ossec_server
    splunk@ossecserver$   exit
  • On the OSSEC server, configure sudo to allow the splunk login account to run agent management commands without prompting.


    root@ossecserver# /usr/sbin/visudo
    (Add the following two lines):
    splunk ALL=NOPASSWD: /var/ossec/bin/agent_control -l
    splunk ALL=NOPASSWD: /var/ossec/bin/manage_agents

  • On the OSSEC server, verify that the new splunk account can run the agent management commands without prompting. If either of the following commands prompts for a password, you may have made a mistake in the previous step:


    splunk@ossec_server$ sudo /var/ossec/bin/agent_control -l
    splunk@ossec_server$ sudo /var/ossec/bin/manage_agents

  • On the Splunk server, verify that you can remotely run the commands without a password:


    root@splunk-server$ ssh ossec-server -t -l splunk sudo /var/ossec/bin/agent_control -l
    root@splunk-server$ ssh ossec-server -t -l splunk sudo /var/ossec/bin/manage_agents



App Configuration:

All of the following steps are performed on the Splunk server.

  • Check to see if you already have a local copy of ossec_servers.conf:


    root@splunk_server# cd /opt/splunk/etc/apps/ossec
    root@splunk_server# ls -l local

  • Create the local directory and ossec_servers.conf file if they are missing:


    root@splunk_server# mkdir local
    root@splunk_server# cp default/ossec_servers.conf local/

  • Edit local/ossec_servers.conf and disable the local machine if you do not have an OSSEC server on the local machine.


    [_local]
    DISABLED = True

  • In local/ossec_servers.conf, add your new server:

    (If your ssh key is in the default path, the '-i' parameter used in some examples is not reuquired)


    [ossec_server]
    AGENT_CONTROL = ssh ossec-server -t -l splunk sudo /var/ossec/bin/agent_control
    MANAGE_AGENTS = ssh ossec-server -t -l splunk sudo /var/ossec/bin/manage_agents



Final Steps:

  • Optional: Restart the Splunk daemon to force the scripted inputs to run immediately.


    /opt/splunk/bin/splunk restart splunkd

  • Optional: In the Splunk for OSSEC app, run the saved searches to regenerate lookup tables. Run each of the following searches from the menu under Searches & Reports -> Utility:

    • OSSEC - Initialize Server Lookup Table
    • OSSEC - Rebuild Server Lookup Table
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...