I installed the MineMeld VM on my ESXi box yesterday and it came up just fine, I can login to it from the VM Console, the web console, and over SSH. I've edited the /etc/rsyslog.conf file and /etc/iptables/rules.v4 so that syslog data is coming in from the firewall to the /var/log/syslog file.
Question: How do I get MineMeld to process the syslog data? I looked at the "Using the syslog Miner" article and have created a miner (stdlib.syslogMiner) and linked it to the inboundaggregator, but it isn't processing anything. I'm sure I'm missing something rather simple - can somebody point me in the right direction?
Hi jerryshenk,
do you have a file named /etc/rsyslog.d/60-syslog-minemeld.conf in your instance?
This should instruct rsyslog to parse syslog messages on port 13514/tcp into JSON using the PAN-OS rulebase and push them to RabbitMQ on a queue MineMeld should listen to.
This seems complex, but it is just a short config file. Could you check?
Hi there
I've got pretty much the same "problem" as jerryshenk.
I checked for the file mentioned (60-syslog-minemeld.conf). But it does not exist in /etc/rsyslog.d/
Can I get the file/settings from somewhere?
Thanks a lot
Andreas
Update:
OK, I found the file in the apt package, extracted it and put it in /etc/rsyslog.d/ together with palo_alto_networks.rb.
But still no indicators in my syslog miner.
The syslog is arriving at the MineMeld server; ufw is opened.
Do I need a "syslog miner rule" for it to start collecting indicators?
Any Ideas how I can further troubleshoot this?
Context info:
Installation on Ubuntu 16.04
Installed via ansible playbook
Thanks, best regards
Andreas
@AndreasTrautmann: I'm quite new at this myself but yes, after you have syslog showing up in statistics > SYSLOG.PROCESSED, the next step is to create some rules.
I found this thread helpful:
https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262
Hi Luca
Thanks for the hint.
Unfortunately my miner does not yet receive anything (SYSLOG.PROCESSED is 0).
So my problem is further "up" somewhere in the "link" between rsyslogd and the miner.
Best Regards
Andreas
@AndreasTrautmann: Got you. Definitely the SYSLOG.PROCESSED counter starts moving even with zero rules present on the node itself, so that's what needs fixing first (as you already pointed out).
@lmori wrote:
Hi jerryshenk,
do you have a file named /etc/rsyslog.d/60-syslog-minemeld.conf in your instance?
This should instruct rsyslog to parse syslog messages on port 13514/tcp into JSON using the PAN-OS rulebase and push them to RabbitMQ on a queue MineMeld should listen to.
This seems complex, but it is just a short config file. Could you check?
Is "/etc/rsyslog.d/palo_alto_networks.rb" the only rulebase file? Can I modify another rulebase that makes MineMeld integrate with any other product's syslogs, such as any AV, FW or IPS? Do you have any instructions for creating an ".rb" file? Thanks!
Did you have any progress here? I'm at the same point, wondering if I need to create my own .rb file and place it before or after the 60-... rb file. How does it decide which template to use?
What version of PAN-OS are you using? I've been troubleshooting the same issue. We turned on debugging for rsyslogd and it's logging error messages while parsing the Palo's syslog. It looks like the threat log format changed between 8.0.X and 8.1.X. I'm thinking that the config given to rsyslogd doesn't know how to handle the 8.1.X format?
You can see the format differences between these two links:
8.0.x Format
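As an added illustration (not the 60-syslog-minemeld.conf that ships with MineMeld, and not from anyone in this thread), here is an rsyslog configuration wired the way lmori describes: listen on 13514/tcp, normalize each line with a rulebase into JSON, and push the JSON to RabbitMQ. It also diverts lines the rulebase fails to match into a local file, which is the first thing to inspect when SYSLOG.PROCESSED stays at 0. The ruleset name, exchange, routing key and RabbitMQ credentials are assumptions.

```rsyslog
# Added example, not MineMeld's shipped config. Assumed names: ruleset
# "minemeld", exchange "minemeld", routing key "syslog", guest credentials.
module(load="imtcp")          # TCP syslog listener
module(load="mmnormalize")    # liblognorm-based message parser
module(load="omrabbitmq")     # RabbitMQ output (rsyslog contrib module)

# 1. Receive the firewall's syslog on 13514/tcp and bind it to its own
#    ruleset so it never mixes with the host's /var/log/syslog traffic.
input(type="imtcp" port="13514" ruleset="minemeld")

# JSON of the parsed fields; "$!" is the message's variable subtree.
template(name="mm-json" type="subtree" subtree="$!")

ruleset(name="minemeld") {
    # 2. Parse the PAN-OS line. The rulebase is selected by this path;
    #    which rule inside it applies is decided by liblognorm matching
    #    each rule's pattern against the message, not by file position.
    action(type="mmnormalize"
           rulebase="/etc/rsyslog.d/palo_alto_networks.rb"
           useRawMsg="on")

    # When no rule matches, mmnormalize sets $!unparsed-data instead of
    # fields. Keep those lines: a steady stream here while
    # SYSLOG.PROCESSED stays at 0 points at a rulebase that does not
    # match this PAN-OS version's log format.
    if $!unparsed-data != "" then {
        action(type="omfile" file="/var/log/minemeld-unparsed.log")
        stop
    }

    # 3. Hand the JSON to RabbitMQ, where the syslog miner consumes it.
    action(type="omrabbitmq"
           host="127.0.0.1" port="5672" virtual_host="/"
           user="guest" password="guest"
           exchange="minemeld" exchange_type="direct"
           routing_key="syslog"
           template="mm-json")
}
```

Check the file with `rsyslogd -N1` before restarting, and send one known-good PAN-OS line to 13514/tcp to see whether it lands in the unparsed file or the queue.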