I'd recommend upgrading to the latest as of June 12th, v1.1.85. I was able to get everything except listagents.py to work prior, and after upgrading everything works just fine.

- Trey

On Jun 10, 4:06 am, quanta <[email protected]> wrote:
> Hi,
>
> I have only one OSSEC server (manager), where I install Splunk. When
> I access OSSEC Agent Status from the Dashboards & Views, I expected
> there to be two items in the OSSEC server dropdown list: "All OSSEC
> servers" and the hostname of my OSSEC manager. But in fact, it shows
> almost all of my OSSEC *agents* and the OSSEC manager itself. Looking at the
> /default/savesearchs.conf/ file, I know the list is rebuilt hourly with
> the search below:
>
> search = eventtype=ossec | dedup ossec_server | eval description=host |
> inputlookup append=t lookup_ossec_servers | append [ ossecservers ]
> | stats last(description) as description max(managed) as managed by
> ossec_server | eval description=coalesce(description, ossec_server)
> | eval managed=coalesce(managed,0) | fields
> ossec_server,description,managed | outputlookup lookup_ossec_servers
>
> and writes to the /lookups/ossec_servers.csv/ file:
>
> "ossec_server",description,managed
> "*","All OSSEC Servers",0
> "192.168.3.140","192.168.3.140",0
> "192.168.3.182","192.168.3.182",0
> ...
> "SVR040-763.localdomain","SVR040-763.localdomain",1
>
> Did you build this list with the wrong 'search' syntax, or did I miss something?
>
> Moreover, there is no OSSEC server in the OSSEC Agent Management. So, I
> got the error "This OSSEC Server is not configured for agent
> management." when clicking on "List Agents". Same result when running
> listagents.py from the command line. I'm trying
> to edit.
>
> PS: CentOS 5.4 64 bits, Splunk 4.2.1, OSSEC 1.1.84.
