I have configured the syslog miner node as per https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262
I have checked that the firewall is sending syslog for threat events on TCP 13514, BSD format, LOG_USER facility, and I can see the events coming into MineMeld by running tcpdump -i eth0 port 13514. It shows the traffic and the ack going back:
00:16:15.486176 IP x.x.x.15.56790 > dev-minemeld01.13514: Flags [P.], seq 3360:3920, ack 1, win 115, options [nop,nop,TS val 21990724 ecr 124658], length 560
00:16:15.486195 IP dev-minemeld01.13514 > x.x.x.15.56790: Flags [.], ack 3920, win 2799, options [nop,nop,TS val 138910 ecr 21990724], length 0
There is nothing relevant in the rsyslog.log file:
Mar 17 23:57:59 dev-minemeld01 rsyslogd: [origin software="rsyslogd" swVersion="8.17.0" x-pid="770" x-info="http://www.rsyslog.com"] start
Mar 17 23:57:59 dev-minemeld01 rsyslogd: rsyslogd's groupid changed to 104
Mar 17 23:57:59 dev-minemeld01 rsyslogd: rsyslogd's userid changed to 101
The miner shows "no metrics yet" in the stats tab.
What am I missing?
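One way to narrow this down is to take the firewall out of the loop and feed the miner a message you control, then confirm that the message really is RFC 3164 (BSD) syslog with the facility the miner expects. The script below is an added example for this thread, not code from the original post or from MineMeld; it assumes the miner listens on TCP 13514 (as in the post) and that each message on the TCP stream ends with a newline.

```python
"""Build, parse and send BSD-format (RFC 3164) syslog messages so the
MineMeld syslog miner's input can be tested without the firewall.

Added example, not the poster's or MineMeld's code. Assumes TCP 13514
(from the post) and newline-terminated messages on the TCP stream.
"""
from datetime import datetime
import re
import socket

# RFC 3164 section 4.1.1 facility and severity codes.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
_FACILITY_BY_CODE = {code: name for name, code in FACILITIES.items()}
_SEVERITY_BY_CODE = {code: name for name, code in SEVERITIES.items()}

# <PRI>TIMESTAMP HOSTNAME MSG; the day is space-padded ("Mar  7" or "Mar 17").
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} (?: \d|[0-3]\d) \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; LOG_USER.notice is <13>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, content, when=None) -> str:
    """Render one RFC 3164 line, newline-terminated for TCP framing."""
    dt = when or datetime.now()
    timestamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {content}\n"


def parse_message(raw: str) -> dict:
    """Decode PRI, timestamp, host and message; reject malformed input."""
    m = _BSD_RE.match(raw.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    code = int(m["pri"])
    if code > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        raise ValueError(f"PRI out of range: {code}")
    fac, sev = divmod(code, 8)
    return {
        "facility": _FACILITY_BY_CODE.get(fac, f"facility{fac}"),
        "severity": _SEVERITY_BY_CODE[sev],
        "timestamp": m["ts"],
        "host": m["host"],
        "msg": m["msg"],
    }


def uses_expected_facility(raw: str, expected: str = "user") -> bool:
    """True when the message's facility is the one the miner is set to (LOG_USER here)."""
    return parse_message(raw)["facility"] == expected


def send_test_message(host: str, port: int = 13514, message: str = None,
                      timeout: float = 5.0) -> int:
    """Send one message over TCP and return the bytes sent; raises if the port is closed."""
    message = message or build_message("user", "notice", "testhost", "mmtest", "syslog miner probe")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.send(message.encode("ascii"))


if __name__ == "__main__":
    # Constructed samples: a correctly-faceted line and one sent with the wrong facility.
    when = datetime(2018, 3, 17, 23, 57, 59)
    good = build_message("user", "notice", "fw01", "pan", "THREAT probe", when)
    wrong = build_message("local0", "notice", "fw01", "pan", "THREAT probe", when)
    for line in (good, wrong):
        print(parse_message(line)["facility"], uses_expected_facility(line), line.strip())
```

If `send_test_message("dev-minemeld01")` succeeds but the miner still shows no metrics, the TCP path is not the problem; if the parsed facility of what the firewall sends is not `user`, the miner's facility setting and the firewall's syslog profile disagree.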