cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

MineMeld - need help importing and processing syslog data

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
jerryshenk
L0 Member
‎08-05-2016 08:42 AM
‎08-05-2016 08:42 AM

MineMeld - need help importing and processing syslog data

I installed the MineMeld VM on my ESXi box yesterday and it came up just fine, I can login to it from the VM Console, the web console, and over SSH.  I've edited the /etc/rsyslog.conf file and /etc/iptables/rules.v4 so that syslog data is coming in from the firewall to the /var/log/syslog file. 

 

Question: How do I get MineMeld to process the syslog data? I looked at the "Using the sysloig Miner"  article and have created a miner (stdlib.syslogMiner) and linked it to the inboundaggregator but, it isn't processing anything.  I'm sure I'm missing something rather simple - can somebody point me in the right direction?

0 Likes
Reply
Highlighted
lmori
L7 Applicator
‎08-16-2016 01:32 PM
‎08-16-2016 01:32 PM

Hi jerryshenk,

do you have a file named /etc/rsyslog.d/60-syslog-minemeld.conf in your instance ?

This should instruct rsyslog to parse syslog messages on port 13514/tcp into JSON using PAN-OS rulebase and push them to RabbitMQ on a queue MineMeld should listen to.

This seems complex, but it is just a short config file. Could you check ?

Reply
Highlighted
AndreasTrautmann
L1 Bithead
‎10-12-2017 10:26 AM
‎10-12-2017 10:26 AM

Hi there

I've got pretty much the same "problem" as jerryshenk.

I checked for the file mentioned (60-syslog-minemeld.conf). But it does not exist in

 /etc/rsyslog.d/

 

Can i get the file/settings from somewhere?

 

Thanks alot

Andreas

 

0 Likes
Reply
Highlighted
AndreasTrautmann
L1 Bithead
‎10-13-2017 08:39 AM
‎10-13-2017 08:39 AM

Update:
OK, I found the file in the apt package, extracted it and put it to /etc/rsyslog.d/ together with  palo_alto_networks.rb.

But still no Indicators in my syslog-miner.

 

The Syslog is arriving at the minemeld server, ufw is opened.

Do I need a "syslog miner rule" for it to start collecting indicators?

 

Any Ideas how I can further troubleshoot this?

 

Context Infos:
Installation on Ubuntu 16.04

Installed via ansible playbook

 

Thanks, best Regards

Andreas

0 Likes
Reply
Highlighted
LucaMarchiori
L3 Networker
‎10-13-2017 10:11 AM
‎10-13-2017 10:11 AM

@AndreasTrautmann: I'm quite new at this myself but yes, after you have syslog showing up in statistics > SYSLOG.PROCESSED, the next step is to create some rules.

 

I found this thread helpful:

 

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262

0 Likes
Reply
Highlighted
AndreasTrautmann
L1 Bithead
‎10-13-2017 10:15 AM
‎10-13-2017 10:15 AM

Hi Luca

 

Thanks for the hint.

Unfortunately my miner does not yet receive anything (SYSLOG.PROCESSED is 0).

So my problem is further "up" somewhere in the "link" between rsyslogd and the miner.

 

Best Regards
Andreas

0 Likes
Reply
Highlighted
LucaMarchiori
L3 Networker
‎10-13-2017 11:12 AM
‎10-13-2017 11:12 AM

@AndreasTrautmann:  Got you. Definitely the SYSLOG.PROCESSED counter starts moving even with zero rules present on the node itself, so that's what needs fixing first (as you already pointed out).

0 Likes
Reply
Highlighted
HAO.BAN
L1 Bithead
‎03-23-2018 08:00 AM
‎03-23-2018 08:00 AM

@lmoriwrote:

Hi jerryshenk,

do you have a file named /etc/rsyslog.d/60-syslog-minemeld.conf in your instance ?

This should instruct rsyslog to parse syslog messages on port 13514/tcp into JSON using PAN-OS rulebase and push them to RabbitMQ on a queue MineMeld should listen to.

This seems complex, but it is just a short config file. Could you check ?

Is  "/etc/rsyslog.d/palo_alto_networks.rb" the only rulebase file? Can I modify another rulebase that can make the minemeld to integrate with any other products syslogs such as any AV, FW or IPS? Do you have any instruction for creating a "rb" file? Thanks!

0 Likes
Reply
Highlighted
DaniBCS
L1 Bithead
‎06-21-2019 06:25 AM
‎06-21-2019 06:25 AM

Did you have any progress here? I'm at the same point wondering if I need to create own .rb file and place it before or after the 60-... rb file. How does it decide which template to use?

0 Likes
Reply
Highlighted
mboehlke
L1 Bithead
‎08-26-2019 08:44 AM
‎08-26-2019 08:44 AM

What version of PanOS are you using? I've been troubleshooting the same issue. We turned on debugging for rsyslogd and it's logging error messages while parsing the palo's syslog. It looks like the threat log format changed between 8.0.X and 8.1.X. I'm thinking that the config given to rsyslogd doesn't know how to handle the 8.1.X format? 

 

You can see the format differences between these two links: 
8.0.x Format

8.1.x Format

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks