https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130374#M98591 <P>I've created it but I dont see COMMIT active and cannot commit.. So I dont see it as avail node yet</P> Thu, 01 Dec 2016 18:30:33 GMT niuk 2016-12-01T18:30:33Z https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130295#M98588 <P>I have syslog analyzer created from&nbsp;prototype stdlib.localSyslog. Now I want it to send &nbsp;matching results to logstash but on remote not local server where MM is running. Default is I think below (host is 127.0.0.1), where do I change host address ?</P> <PRE>input {<BR /> tcp {<BR /> port =&gt; 5514<BR /> host =&gt; '127.0.0.1' <BR /> codec =&gt; 'json_lines'<BR /> }<BR />}</PRE> <P>&nbsp;</P> Thu, 01 Dec 2016 14:54:21 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130295#M98588 niuk 2016-12-01T14:54:21Z https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130368#M98589 <P>Looks like that configuraiton is under /opt/minemeld/prototypes/current/stdlib.yml</P> <P>&nbsp;</P> <P>So I would think you could clone the prototype of stdlib.yml to the&nbsp;<EM>/opt/<SPAN class="lia-search-match-lithium">minemeld</SPAN>/local/<SPAN class="lia-search-match-lithium">prototypes</SPAN></EM> and then modify as needed?</P> <P>&nbsp;</P> <P>localSyslogToLogStash:<BR /> author: MineMeld Core Team<BR /> development_status: EXPERIMENTAL<BR /> node_type: processor<BR /> description: &gt;<BR /> Syslog node connection to the local syslog server to receive PAN-OS logs.<BR /> This prototype also logs matching sessions/indicators pairs to a Logstash<BR /> instance on localhost:5514<BR /> class: minemeld.ft.syslog.SyslogMatcher<BR /> config:<BR /> logstash_host: 127.0.0.1<BR /> logstash_port: 5514</P> <P>&nbsp;</P> Thu, 01 Dec 2016 18:03:35 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130368#M98589 Rich_G 2016-12-01T18:03:35Z https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130371#M98590 <P>Looking at this deeper looks like you can find the current prototype then create a new one from it and change the host.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2016-12-01 12_06_49-MineMeld.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6657i66601E959FB10B06/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2016-12-01 12_06_49-MineMeld.png" alt="2016-12-01 12_06_49-MineMeld.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2016-12-01 12_05_26-MineMeld.png" style="width: 791px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6656iECBEB33C45DB6A5C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2016-12-01 12_05_26-MineMeld.png" alt="2016-12-01 12_05_26-MineMeld.png" /></span></P> Thu, 01 Dec 2016 18:07:36 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130371#M98590 Rich_G 2016-12-01T18:07:36Z https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130374#M98591 <P>I've created it but I dont see COMMIT active and cannot commit.. So I dont see it as avail node yet</P> Thu, 01 Dec 2016 18:30:33 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130374#M98591 niuk 2016-12-01T18:30:33Z https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130390#M98592 <P>I believe once you create the new prototype you then have to create a new Node that utilizes that prototype, then you can commit.</P> Thu, 01 Dec 2016 18:40:00 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130390#M98592 Rich_G 2016-12-01T18:40:00Z https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130391#M98593 <P>Also once you have created the new prototype it will store the config in /opt/minemeld/local/prototypes so if you need to change the logstash host and port you can edit the minemeldlocal.yml file.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 01 Dec 2016 18:45:35 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130391#M98593 Rich_G 2016-12-01T18:45:35Z https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130663#M98594 <P>Shouldn't my new prototype be visabl ein th elist of new prototypes (in CONFIG tab ) ? I can only find it when I click 'browes prototypes' icon. &nbsp;Before, when I created syslog_analyzer from&nbsp;<SPAN>stdlib.localSyslog it is available in CONFIG tab. I think something is not right..</SPAN></P> Fri, 02 Dec 2016 15:22:14 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-analyzer-how-to-configure-logstash-to-send-to-remote-not/m-p/130663#M98594 niuk 2016-12-02T15:22:14Z