Running the ossec commands directly works. The issue only shows up when Splunk tries to run the commands, which makes the Splunk interface mostly worthless. My test lab is a lot like yours and in there everything works, but on the production side, where there are a bunch of agents, the issue becomes apparent.

On Aug 29, 9:38 am, Blauch Armand <[email protected]> wrote:
> Hello,
>
> I use the same as you: Ossec 2.6, Splunk splunk-4.2.3-105575 and
> Splunk app ossec-1.1.88.
> I have less than 10 agents actually, but no issue with columns dropping
> letters or words, like "disco" instead of "disconnected".
> Did you try the same commands as Splunk without problem?
> ('sudo /opt/ossec/bin/agent_control -l' and
> 'sudo /opt/ossec/bin/manage_agents')
> Do you have the same issue? (Timeout exceeded?)
>
> AB
>
> On 29 August, 15:01, Patrick <[email protected]> wrote:
>
> > I am looking for a web frontend that managers and non-system users can
> > create reports from without needing direct access to the OSSEC
> > server. I have set up Splunk with the Ossec4splunk app and it looks
> > very promising except for a huge glaring issue that isn't being
> > answered by the app owner. (see my postings
> > -- http://splunk-base.splunk.com/answers/29021/ossec_agent_statuspy-v-on...).
> >
> > So my questions to this group ...
> > Is there something else besides Splunk or Base (whose integration
> > with OSSEC seems to be dead)?
> > Is anyone else using Splunk with a large number of clients (>1500)?
> > Or is there another way to accomplish this without a web interface?
> >
> > Thanks!
