I noticed an issue with this feature before when I tried to set up an outgoing email on the Correlated Events log settings in the Panorama built-in collector group. My idea was to filter to certain networks and then send an email when a correlated event came in that matched the filter, so that a ticket could be created and our desktop services folks could investigate. I never got it working reliably; I usually only got a few sporadic emails and then it would stop working.
More recently, I decided to try something with the Threat logs forwarding. I'm actually trying to forward High and Critical threat information to Minemeld in JSON format so that I can create a list from the source IPs. I'm getting an error when attempting a test send: "SSL peer certificate or SSH remote key was not OK". I've created a cert for the Minemeld server using the firewall, and I've added it and the signing cert to Panorama as imported certs. Minemeld has the signed server certificate installed and is using it on HTTPS.
I've tried just sending it as HTTP as well, but it isn't working with the miner I set up. In fact, it isn't really clear to me if Panorama is sending it anything at all. To test, I tried modifying the IP in the HTTP Server profile to just be my machine (turned off my local firewall) and ran Wireshark. I saw some data, but if it contained the JSON I'm trying to send, it was still encrypted because I couldn't read it in the capture.
Do I need to turn on authentication requirements for all feeds in Minemeld to clear that SSL cert error? Or is there a process I need to check on Panorama to verify it is evaluating the incoming logs and sending them as part of the log forward configs?
I'm still tinkering with this and the miner to get an auto-timeout on the indicators to work, but I did get communication up, so at least my Threat log forwarding is working.
The solution was to make sure I was using the FQDN in the HTTP Server profile setup. This is a "duhhh" moment for sure, since I had it set up for HTTPS but was following a guide that used the IP in the example.
I also had to go back and create a different admin user on Minemeld, since the API apparently doesn't use the Feed monitoring accounts. After that I had to set up the Basic authentication hash again in the JSON config.
The server config itself still gives an error of some sort when I attempt a test, saying the connection failed: "Failed binding local connection end". But going into the actual JSON configuration on that same HTTP profile for the threat log formats and running the test there showed a successful connection, and the miner updated with the test indicator.
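The fix above (FQDN instead of IP in the HTTP Server profile) works because a TLS client checks the address it dialled against the certificate's Subject Alternative Name entries: an IP literal is matched only against iPAddress entries, a hostname only against dNSName entries. The script below is an added example, not from the original poster or from Palo Alto Networks or MineMeld. It mints a throwaway self-signed cert whose SAN carries only a hostname (the constructed FQDN minemeld.example.com and the documentation address 192.0.2.10 are assumptions) and uses `openssl x509 -checkhost` / `-checkip` to show that the IP form fails the same way the HTTPS forwarder did, while the FQDN form passes. It also shows how the Basic authentication value that goes into the profile's JSON config is derived from the MineMeld API user's credentials (the user name and password are placeholders). Running this check against the real cert before committing the profile avoids the "SSL peer certificate ... was not OK" guesswork.

```shell
#!/bin/sh
# Added example: reproduce the IP-vs-FQDN certificate mismatch offline with the openssl CLI.
# Assumed values (not from the post): cert issued only to DNS:minemeld.example.com,
# HTTP Server profile first pointed at 192.0.2.10, API user "admin".

WORKDIR="$(mktemp -d)"
CERT="$WORKDIR/minemeld.pem"

# Issue a constructed self-signed server cert whose SAN holds only the FQDN.
make_fqdn_only_cert() {
    cat > "$WORKDIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = minemeld.example.com
[v3_san]
subjectAltName = DNS:minemeld.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/minemeld.key" -out "$CERT" \
        -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# Return 0 when the address an HTTP Server profile would dial is covered by the cert's SAN.
# An IP literal is tested against iPAddress entries (-checkip), anything else against
# dNSName entries (-checkhost), which is the rule a TLS client applies during verification.
profile_address_matches_cert() {
    cert="$1"
    addr="$2"
    case "$addr" in
        *[!0-9.]*) flag=-checkhost ;;   # anything beyond digits and dots is a hostname
        *)         flag=-checkip ;;
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    openssl x509 -in "$cert" -noout "$flag" "$addr" 2>/dev/null | grep -q " does match "
}

# Basic auth value for the Authorization header: base64("user:password"), no trailing newline.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

make_fqdn_only_cert
for addr in 192.0.2.10 minemeld.example.com; do
    if profile_address_matches_cert "$CERT" "$addr"; then
        echo "$addr: covered by the cert's SAN, HTTPS forwarding can verify the peer"
    else
        echo "$addr: NOT covered by the cert's SAN (the 'SSL peer certificate ... not OK' case)"
    fi
done
echo "Authorization: Basic $(basic_auth_value admin 'S3cret!')"
```

If your profile must keep an IP address, the alternative is to reissue the MineMeld server cert with an `IP:` entry in its SAN; otherwise use the FQDN and make sure Panorama can resolve it.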