I am trying to import PANOS-Threat Logs into MineMeld using the syslogMiner.
I have configured the Miner and the LogForwarding via Panorama and can see the incoming logs at the Minemeld instance using tcpdump.
Still I see no indicators in my Miner-Node. The Engine Logs show following error that I think is relevant to the problem:
I already checked the forums for similar errors, but couldnt find anything that helped me. I also stumbled about the advice to restart rabbitmq-server, but this service doesnt exist on my instance. For installation I followed the tutorial here:
If anyone can assist me with this problem I would be very glad!
I'm having this issue as well. Same issues in the log file and I also used the build for Ubuntu 16. This config came off of my previous installation of ubuntu 14 so I don't think it's my minemeld config. I also see established traffic from my firewalls over port 13514 so it seems that the issue is somewhere between rsyslog and the miner itself.
I think that when Luigi created the new install guide there's something missing that's required for the syslog miner to function. @lmori are you able to confirm?
As an update, it looks like the error is because "rabbitmq-server" isn't installed, when it was in the Ubuntu 14 version I had running. However, installing rabbitmq doesn't fix the logs showing up in MineMeld, it only removes the errors. It seems it's missing some other configuration, but I'm not sure what that is.
I believe I have fixed it, at least in the interim until it can be added to the Palo repo. According to Luigi here rsyslog (or more appropriately the package called rsyslog-minemeld in Ubuntu 14.04) Was built by them from source with additional features enabled, and distributed through their repo. It does not seem that rsyslog-minemeld is distrubuted in their current Xenial/16.04 repo.
http://minemeld-updates.panw.io/ubuntu xenial-minemeld main
However, when I built a current version of rsyslog with those features; it was incompatible with the /etc/rsyslog.d/*.conf files. I was able to find an old version of rsyslog "8.19.0", combile it, install the .deb file on my minemeld-server. I also installed I also installed via apt "librabbitmq4" and "liblognorm2" as refferenced by some of my /var/log/syslog errors. Once I did that, all the errors went away, and IPs started showing up in my miner/output.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!