Hi,
I have only one OSSEC server (manager), on which I installed Splunk. When
I access OSSEC Agent Status from Dashboards & Views, I expected there to
be two items in the OSSEC server drop-down list: "All OSSEC Servers" and
the hostname of my OSSEC manager. But in fact, it shows almost all of my
OSSEC *agents* and the OSSEC manager itself. Looking at the
default/savedsearches.conf file, I see the list is rebuilt hourly with
the search below:
    search = eventtype=ossec | dedup ossec_server | eval description=host |
      inputlookup append=t lookup_ossec_servers | append [ ossecservers ]
      | stats last(description) as description max(managed) as managed by
      ossec_server | eval description=coalesce(description, ossec_server)
      | eval managed=coalesce(managed,0) | fields
      ossec_server,description,managed | outputlookup lookup_ossec_servers

and writes to the lookups/ossec_servers.csv file:

    "ossec_server",description,managed
    "*","All OSSEC Servers",0
    "192.168.3.140","192.168.3.140",0
    "192.168.3.182","192.168.3.182",0
    ...
    "SVR040-763.localdomain","SVR040-763.localdomain",1
Did you build this list with the wrong 'search' syntax, or am I missing something?
Moreover, there is no OSSEC server in OSSEC Agent Management. So I got
the error "This OSSEC Server is not configured for agent management."
when clicking on "List Agents". Same result when running listagents.py
from the command line. I'm trying to edit.
PS: CentOS 5.4 64-bit, Splunk 4.2.1, OSSEC 1.1.84.
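To make the pipeline in that savedsearches.conf search concrete, here is an added plain-Python model of it. This is an illustration written for this thread, not code from the Splunk for OSSEC app. It assumes the `ossecservers` subsearch returns one row per managed server with managed=1, and the sample events and lookup rows are constructed. Stepping through it shows where each row of ossec_servers.csv comes from: every distinct ossec_server value seen in eventtype=ossec events becomes a row, those rows carry no managed value so coalesce() gives them managed=0, and only rows contributed by the ossecservers subsearch end up with managed=1.

```python
"""Plain-Python model of the Splunk search that rebuilds lookup_ossec_servers.

Added example for illustration, not code from the Splunk for OSSEC app.
Assumption: the `ossecservers` subsearch yields one row per managed server
with managed=1. All sample data below is constructed.
"""


def dedup(events, field="ossec_server"):
    """`dedup <field>`: keep the first event (newest, in Splunk's default
    newest-first order) for each distinct value of the field."""
    seen, kept = set(), []
    for ev in events:
        value = ev.get(field)
        if value is None or value in seen:
            continue
        seen.add(value)
        kept.append(ev)
    return kept


def build_lookup(events, existing_lookup, ossecservers_rows):
    """Model of the pipeline:
      | dedup ossec_server | eval description=host
      | inputlookup append=t lookup_ossec_servers | append [ ossecservers ]
      | stats last(description) as description max(managed) as managed by ossec_server
      | eval description=coalesce(description, ossec_server)
      | eval managed=coalesce(managed, 0)
    Returns the rows outputlookup would write, ordered by the by-field."""
    # Event-derived rows: description comes from host, managed is absent.
    rows = [{"ossec_server": ev["ossec_server"],
             "description": ev.get("host"), "managed": None}
            for ev in dedup(events)]
    rows += existing_lookup      # inputlookup append=t lookup_ossec_servers
    rows += ossecservers_rows    # append [ ossecservers ]

    groups = {}
    for row in rows:
        g = groups.setdefault(row["ossec_server"],
                              {"description": None, "managed": None})
        if row.get("description") is not None:   # last(): last non-null value
            g["description"] = row["description"]
        if row.get("managed") is not None:        # max(): ignores nulls
            g["managed"] = (row["managed"] if g["managed"] is None
                            else max(g["managed"], row["managed"]))

    result = []
    for server in sorted(groups):   # stats ... by <field> sorts on the by-field
        g = groups[server]
        result.append({
            "ossec_server": server,
            # coalesce(description, ossec_server) / coalesce(managed, 0)
            "description": g["description"] if g["description"] is not None else server,
            "managed": g["managed"] if g["managed"] is not None else 0,
        })
    return result


# Constructed sample data (not taken from a real Splunk instance), newest first.
SAMPLE_EVENTS = [
    {"host": "192.168.3.140", "ossec_server": "192.168.3.140"},
    {"host": "SVR040-763.localdomain", "ossec_server": "SVR040-763.localdomain"},
    {"host": "192.168.3.182", "ossec_server": "192.168.3.182"},
    {"host": "192.168.3.140", "ossec_server": "192.168.3.140"},  # dropped by dedup
]
EXISTING_LOOKUP = [
    {"ossec_server": "*", "description": "All OSSEC Servers", "managed": 0},
]
# Assumed shape of the `ossecservers` subsearch output.
OSSECSERVERS_ROWS = [
    {"ossec_server": "SVR040-763.localdomain",
     "description": "SVR040-763.localdomain", "managed": 1},
]


def rebuild_sample():
    """Run the model over the constructed inputs."""
    return build_lookup(SAMPLE_EVENTS, EXISTING_LOOKUP, OSSECSERVERS_ROWS)


def managed_servers(rows):
    """Servers that Agent Management would treat as managed (managed=1)."""
    return [r["ossec_server"] for r in rows if r["managed"] == 1]


if __name__ == "__main__":
    for r in rebuild_sample():
        print('"%s","%s",%d' % (r["ossec_server"], r["description"], r["managed"]))
```

A quick check on a live system is to run only the first stage of that search (`eventtype=ossec | dedup ossec_server`) and look at the ossec_server values it returns; whatever appears there is what the lookup will list, regardless of whether those values are managers or agents.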