Minemeld Syslog Miner Not parsing Messages

mmatos — Tue, 28 Apr 2020 17:03:11 GMT

Hi, I am working with a new installation of Minemeld running on ubuntu 16.04. if I do a TCP dump I can see the Syslog but minemeld is not parsing them. I check the /var/log/Syslog and found this.

It seems that some modules are missing and that gives an error. please let me know how can I install the missing Modules or how to fix this.

Thanks

Apr 28 11:29:23 Minemeld-01 systemd[1]: Starting Process Monitoring and Control Daemon...

Apr 28 11:29:23 Minemeld-01 rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="26659" x-info="http://www.rsyslog.com"] exiting on signal 15.
Apr 28 11:29:23 Minemeld-01 rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="20727" x-info="http://www.rsyslog.com"] start
Apr 28 11:29:23 Minemeld-01 rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2066: could not load module '/usr/lib/rsyslog/pmpanngfw.so', dlopen: /usr/lib/rsyslog/pmpanngfw.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2066: could not load module '/usr/lib/rsyslog/mmnormalize.so', dlopen: /usr/lib/rsyslog/mmnormalize.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2066: could not load module '/usr/lib/rsyslog/omrabbitmq.so', dlopen: /usr/lib/rsyslog/omrabbitmq.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2209: module name 'mmnormalize' is unknown [v8.16.0 try http://www.rsyslog.com/e/2209 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2207: error during parsing file /etc/rsyslog.d/60-syslog-minemeld.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/60-syslog-minemeld.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2209: module name 'omrabbitmq' is unknown [v8.16.0 try http://www.rsyslog.com/e/2209 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2207: error during parsing file /etc/rsyslog.d/60-syslog-minemeld.conf, on or before line 22: errors occured in file '/etc/rsyslog.d/60-syslog-minemeld.conf' around line 22 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2159: error: parser 'rsyslog.panngfw' unknown at this time (maybe defined too late in rsyslog.conf?) [v8.16.0 try http://www.rsyslog.com/e/2159 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd: rsyslogd's groupid changed to 108
Apr 28 11:29:23 Minemeld-01 rsyslogd: rsyslogd's userid changed to 104
Apr 28 11:29:23 Minemeld-01 rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ]
Apr 28 11:29:23 Minemeld-01 rsyslogd-2007: action 'action 10' suspended, next retry is Tue Apr 28 11:29:53 2020 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Apr 28 11:29:23 Minemeld-01 systemd[1]: Stopping System Logging Service...
Apr 28 11:29:23 Minemeld-01 systemd[1]: Stopped System Logging Service.
Apr 28 11:29:23 Minemeld-01 systemd[1]: Starting System Logging Service...
Apr 28 11:29:23 Minemeld-01 mkdir[20706]: /bin/mkdir: cannot create directory ‘/var/run/minemeld’: File exists
Apr 28 11:29:23 Minemeld-01 systemd[1]: Started System Logging Service.
Apr 28 11:29:24 Minemeld-01 supervisord[20735]: /opt/minemeld/engine/0.9.68/local/lib/python2.7/site-packages/supervisor/options.py:383: PkgResourcesDeprecationWarning: Parameters to load are deprecated. Call .resolve and .require separately.
Apr 28 11:29:24 Minemeld-01 supervisord[20735]: return pkg_resources.EntryPoint.parse("x="+spec).load(False)
Apr 28 11:29:24 Minemeld-01 systemd[1]: minemeld.service: Can't open PID file /var/run/minemeld/minemeld.pid (yet?) after start: No such file or directory
Apr 28 11:29:24 Minemeld-01 systemd[1]: Started Process Monitoring and Control Daemon.

Re: Minemeld Syslog Miner Not parsing Messages

mivaldi — Wed, 06 May 2020 23:17:12 GMT

Please post this question in the MineMeld Discussions forum

https://live.paloaltonetworks.com/t5/MineMeld-Discussions/bd-p/MineMeldDiscussions

topic Minemeld Syslog Miner Not parsing Messages in Advanced Threat Prevention Discussions

Minemeld Syslog Miner Not parsing Messages

Re: Minemeld Syslog Miner Not parsing Messages