I have syslog analyzer created from prototype stdlib.localSyslog. Now I want it to send matching results to logstash but on remote not local server where MM is running. Default is I think below (host is 127.0.0.1), where do I change host address ?
port => 5514
host => '127.0.0.1'
codec => 'json_lines'
Solved! Go to Solution.
Looks like that configuraiton is under /opt/minemeld/prototypes/current/stdlib.yml
So I would think you could clone the prototype of stdlib.yml to the /opt/minemeld/local/prototypes and then modify as needed?
author: MineMeld Core Team
Syslog node connection to the local syslog server to receive PAN-OS logs.
This prototype also logs matching sessions/indicators pairs to a Logstash
instance on localhost:5514
I've created it but I dont see COMMIT active and cannot commit.. So I dont see it as avail node yet
I believe once you create the new prototype you then have to create a new Node that utilizes that prototype, then you can commit.
Also once you have created the new prototype it will store the config in /opt/minemeld/local/prototypes so if you need to change the logstash host and port you can edit the minemeldlocal.yml file.
Shouldn't my new prototype be visabl ein th elist of new prototypes (in CONFIG tab ) ? I can only find it when I click 'browes prototypes' icon. Before, when I created syslog_analyzer from stdlib.localSyslog it is available in CONFIG tab. I think something is not right..
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!