Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

L3 Networker

Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

I have a syslog analyzer created from the prototype stdlib.localSyslog. Now I want it to send matching results to Logstash, but on a remote server, not the local server where MM is running. The default is, I think, below (host is 127.0.0.1); where do I change the host address?

input {
    tcp {
        port => 5514
        host => '127.0.0.1'
        codec => 'json_lines'
    }
}

L1 Bithead

Re: Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

Looks like that configuration is under /opt/minemeld/prototypes/current/stdlib.yml

So I would think you could clone the prototype from stdlib.yml to /opt/minemeld/local/prototypes and then modify it as needed?

localSyslogToLogStash:
    author: MineMeld Core Team
    development_status: EXPERIMENTAL
    node_type: processor
    description: >
        Syslog node connection to the local syslog server to receive PAN-OS logs.
        This prototype also logs matching sessions/indicators pairs to a Logstash
        instance on localhost:5514
    class: minemeld.ft.syslog.SyslogMatcher
    config:
        logstash_host: 127.0.0.1
        logstash_port: 5514
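
To make the two settings concrete (the MineMeld node connects out to logstash_host:logstash_port, while the host in Logstash's tcp input is the address Logstash binds on its own side), here is an added Python example that is not MineMeld's or Logstash's code: a stand-in json_lines TCP listener plus a sender. The record fields are constructed samples, not MineMeld's real schema.

```python
# Added example (not MineMeld or Logstash code): the listener stands in for a Logstash
# tcp input with codec json_lines; the sender does what logstash_host/logstash_port mean.
import json
import socket
import socketserver
import threading
import time


class JsonLinesHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # json_lines: one JSON object per newline-terminated line
        for raw in self.rfile:
            line = raw.decode("utf-8").strip()
            if line:
                self.server.received.append(json.loads(line))


class JsonLinesServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, bind_host, port):
        super().__init__((bind_host, port), JsonLinesHandler)
        self.received = []


def start_listener(bind_host="127.0.0.1", port=0):
    """Bind like Logstash's `host`; port 0 lets the OS pick a free port. A non-loopback
    bind_host exposes the port to the network, so restrict it at the firewall."""
    server = JsonLinesServer(bind_host, port)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def send_json_lines(logstash_host, logstash_port, records, timeout=5.0):
    """Connect out to logstash_host:logstash_port (the prototype's config keys) and
    write each record as a JSON line. Returns the number of records sent."""
    payload = "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)
    with socket.create_connection((logstash_host, logstash_port), timeout=timeout) as sock:
        sock.sendall(payload.encode("utf-8"))
    return len(records)


def wait_for_records(server, count, timeout=2.0):
    """Poll until the listener has parsed `count` records or the timeout expires."""
    deadline = time.monotonic() + timeout
    while len(server.received) < count and time.monotonic() < deadline:
        time.sleep(0.01)
    return list(server.received)
```

Pointing send_json_lines at the remote logstash_host and port is a quick reachability check before committing the new node.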

L1 Bithead

Re: Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

Looking at this deeper, it looks like you can find the current prototype, then create a new one from it and change the host.

L3 Networker

Re: Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

I've created it but I don't see COMMIT active and cannot commit.. So I don't see it as an available node yet

L1 Bithead

Re: Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

I believe once you create the new prototype you then have to create a new Node that utilizes that prototype, then you can commit.

L1 Bithead

Re: Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

Also, once you have created the new prototype it will store the config in /opt/minemeld/local/prototypes, so if you need to change the Logstash host and port you can edit the minemeldlocal.yml file.

L3 Networker

Re: Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

Shouldn't my new prototype be visible in the list of new prototypes (in the CONFIG tab)? I can only find it when I click the 'browse prototypes' icon. Before, when I created syslog_analyzer from stdlib.localSyslog, it was available in the CONFIG tab. I think something is not right..
