I have a syslog analyzer created from the prototype stdlib.localSyslog. Now I want it to send matching results to Logstash, but on a remote server, not the local server where MM is running. The default is, I think, below (host is 127.0.0.1); where do I change the host address?
port => 5514
host => '127.0.0.1'
codec => 'json_lines'
Looks like that configuration is under /opt/minemeld/prototypes/current/stdlib.yml.
So I would think you could clone the prototype from stdlib.yml to /opt/minemeld/local/prototypes and then modify it as needed?
author: MineMeld Core Team
Syslog node connection to the local syslog server to receive PAN-OS logs.
This prototype also logs matching sessions/indicators pairs to a Logstash
instance on localhost:5514
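The procedure suggested above, written out as an added example (this is not code from the thread or from the MineMeld project). It assumes a local prototype library file named minemeldlocal.yml, a cloned prototype name localSyslogRemote, and that the node class exposes the Logstash target through config keys named logstash_host and logstash_port; the class path and those key names are assumptions here and should be copied from the localSyslog entry in /opt/minemeld/prototypes/current/stdlib.yml rather than taken from this block. The host 192.0.2.10 is a documentation address standing in for the remote Logstash server.

```yaml
# /opt/minemeld/local/prototypes/minemeldlocal.yml  (assumed file name)
#
# Local prototype library. Prototypes defined here are referenced from the
# MineMeld UI as minemeldlocal.<name>, so this one becomes
# minemeldlocal.localSyslogRemote. Everything except the Logstash target is
# meant to be copied verbatim from stdlib.localSyslog; the field values
# below are assumptions for illustration, not the project's own.
prototypes:
  localSyslogRemote:
    author: local admin
    development_status: EXPERIMENTAL
    node_type: processor
    indicator_types:
      - any
    tags: []
    description: >
      Clone of stdlib.localSyslog that receives PAN-OS logs from the local
      syslog server but sends matching session/indicator pairs to a remote
      Logstash instance instead of localhost:5514.
    class: minemeld.ft.syslog.SyslogMatcher   # assumed: copy from stdlib.yml
    config:
      # assumed key names: check the localSyslog entry in stdlib.yml
      logstash_host: '192.0.2.10'   # remote Logstash server (example address)
      logstash_port: 5514
```

On the Logstash side the tcp input quoted in the question must also listen on an address reachable from the MineMeld host rather than 127.0.0.1 (for example host => '0.0.0.0' or the server's own interface address). Note that the json_lines codec over plain TCP carries no authentication or encryption, so restrict the Logstash port with a host firewall or security group to the MineMeld server's address, or front it with TLS if the two hosts talk across an untrusted network.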