Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Syslog analyzer - how to configure logstash to send to remote, not local hosts ?

L3 Networker

I have syslog analyzer created from prototype stdlib.localSyslog. Now I want it to send  matching results to logstash but on remote not local server where MM is running. Default is I think below (host is 127.0.0.1), where do I change host address ?

input {
tcp {
port => 5514
host => '127.0.0.1'
codec => 'json_lines'
}
}

 

1 accepted solution

Accepted Solutions

Looking at this deeper looks like you can find the current prototype then create a new one from it and change the host.

 

2016-12-01 12_06_49-MineMeld.png

 

 2016-12-01 12_05_26-MineMeld.png

View solution in original post

6 REPLIES 6

L1 Bithead

Looks like that configuraiton is under /opt/minemeld/prototypes/current/stdlib.yml

 

So I would think you could clone the prototype of stdlib.yml to the /opt/minemeld/local/prototypes and then modify as needed?

 

localSyslogToLogStash:
author: MineMeld Core Team
development_status: EXPERIMENTAL
node_type: processor
description: >
Syslog node connection to the local syslog server to receive PAN-OS logs.
This prototype also logs matching sessions/indicators pairs to a Logstash
instance on localhost:5514
class: minemeld.ft.syslog.SyslogMatcher
config:
logstash_host: 127.0.0.1
logstash_port: 5514

 

Looking at this deeper looks like you can find the current prototype then create a new one from it and change the host.

 

2016-12-01 12_06_49-MineMeld.png

 

 2016-12-01 12_05_26-MineMeld.png

L3 Networker

I've created it but I dont see COMMIT active and cannot commit.. So I dont see it as avail node yet

I believe once you create the new prototype you then have to create a new Node that utilizes that prototype, then you can commit.

Also once you have created the new prototype it will store the config in /opt/minemeld/local/prototypes so if you need to change the logstash host and port you can edit the minemeldlocal.yml file.

 

 

Shouldn't my new prototype be visabl ein th elist of new prototypes (in CONFIG tab ) ? I can only find it when I click 'browes prototypes' icon.  Before, when I created syslog_analyzer from stdlib.localSyslog it is available in CONFIG tab. I think something is not right..

  • 1 accepted solution
  • 7240 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!