This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

Go to solution
niuk
L3 Networker

‎12-01-2016 06:54 AM

I have syslog analyzer created from prototype stdlib.localSyslog. Now I want it to send  matching results to logstash but on remote not local server where MM is running. Default is I think below (host is 127.0.0.1), where do I change host address ?

input {
    tcp {
        port => 5514
        host => '127.0.0.1'  
        codec => 'json_lines'
    }
}

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Rich_G
L1 Bithead
In response to Rich_G

‎12-01-2016 10:07 AM

Looking at this deeper looks like you can find the current prototype then create a new one from it and change the host.

 

2016-12-01 12_06_49-MineMeld.png

 

 2016-12-01 12_05_26-MineMeld.png

View solution in original post

0 Likes Likes
6 REPLIES 6

Go to solution
Rich_G
L1 Bithead

‎12-01-2016 10:03 AM

Looks like that configuraiton is under /opt/minemeld/prototypes/current/stdlib.yml

 

So I would think you could clone the prototype of stdlib.yml to the /opt/minemeld/local/prototypes and then modify as needed?

 

localSyslogToLogStash:
author: MineMeld Core Team
development_status: EXPERIMENTAL
node_type: processor
description: >
Syslog node connection to the local syslog server to receive PAN-OS logs.
This prototype also logs matching sessions/indicators pairs to a Logstash
instance on localhost:5514
class: minemeld.ft.syslog.SyslogMatcher
config:
logstash_host: 127.0.0.1
logstash_port: 5514

 

Go to solution
Rich_G
L1 Bithead
In response to Rich_G

‎12-01-2016 10:07 AM

Looking at this deeper looks like you can find the current prototype then create a new one from it and change the host.

 

2016-12-01 12_06_49-MineMeld.png

 

 2016-12-01 12_05_26-MineMeld.png

0 Likes Likes

Go to solution
niuk
L3 Networker

‎12-01-2016 10:30 AM

I've created it but I dont see COMMIT active and cannot commit.. So I dont see it as avail node yet

0 Likes Likes

Go to solution
Rich_G
L1 Bithead
In response to niuk

‎12-01-2016 10:40 AM

I believe once you create the new prototype you then have to create a new Node that utilizes that prototype, then you can commit.

0 Likes Likes

Go to solution
Rich_G
L1 Bithead
In response to Rich_G

‎12-01-2016 10:45 AM

Also once you have created the new prototype it will store the config in /opt/minemeld/local/prototypes so if you need to change the logstash host and port you can edit the minemeldlocal.yml file.

 

 

0 Likes Likes

Go to solution
niuk
L3 Networker
In response to Rich_G

‎12-02-2016 07:22 AM

Shouldn't my new prototype be visabl ein th elist of new prototypes (in CONFIG tab ) ? I can only find it when I click 'browes prototypes' icon.  Before, when I created syslog_analyzer from stdlib.localSyslog it is available in CONFIG tab. I think something is not right..

0 Likes Likes
  • 1 accepted solution
  • 7834 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks