syslog (stdlib.syslogMiner) does not work for PAN-OS generated logs

Hi community,

I installed a fresh Ubuntu 16.04.6 and updated the installation to the newest packages. When I create the PAN-OS syslog receiver from the "stdlib.syslogMiner" prototype, the miner does not receive anything. While doing a tcpdump capture on the minemeld device I can see syslog coming in to rsyslogd on port 13514. The PCAP shows the content I expect to see (syslog messages from PAN-OS). After investigating further I found the following messages in the local /var/log/syslog:

Oct 15 16:35:17 minemeld rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="971" x-info="http://www.rsyslog.com"] exiting on signal 15.
Oct 15 16:35:17 minemeld rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="1755" x-info="http://www.rsyslog.com"] start
Oct 15 16:35:17 minemeld systemd[1]: Stopping System Logging Service...
Oct 15 16:35:17 minemeld systemd[1]: Stopped System Logging Service.
Oct 15 16:35:17 minemeld rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ]
Oct 15 16:35:17 minemeld systemd[1]: Starting System Logging Service...
Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/pmpanngfw.so', dlopen: /usr/lib/rsyslog/pmpanngfw.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ]
Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/mmnormalize.so', dlopen: /usr/lib/rsyslog/mmnormalize.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ]
Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/omrabbitmq.so', dlopen: /usr/lib/rsyslog/omrabbitmq.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ]
Oct 15 16:35:17 minemeld rsyslogd-2209: module name 'mmnormalize' is unknown [v8.16.0 try http://www.rsyslog.com/e/2209 ]
Oct 15 16:35:17 minemeld rsyslogd-2207: error during parsing file /etc/rsyslog.d/60-syslog-minemeld.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/60-syslog-minemeld.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Oct 15 16:35:17 minemeld rsyslogd-2209: module name 'omrabbitmq' is unknown [v8.16.0 try http://www.rsyslog.com/e/2209 ]
Oct 15 16:35:17 minemeld rsyslogd-2207: error during parsing file /etc/rsyslog.d/60-syslog-minemeld.conf, on or before line 22: errors occured in file '/etc/rsyslog.d/60-syslog-minemeld.conf' around line 22 [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Oct 15 16:35:17 minemeld rsyslogd-2159: error: parser 'rsyslog.panngfw' unknown at this time (maybe defined too late in rsyslog.conf?) [v8.16.0 try http://www.rsyslog.com/e/2159 ]
Oct 15 16:35:17 minemeld rsyslogd: rsyslogd's groupid changed to 108
Oct 15 16:35:17 minemeld rsyslogd: rsyslogd's userid changed to 104
Oct 15 16:35:17 minemeld rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ]
Oct 15 16:35:17 minemeld rsyslogd-2007: action 'action 10' suspended, next retry is Tue Oct 15 16:35:47 2019 [v8.16.0 try http://www.rsyslog.com/e/2007 ]

When I look in the directory /usr/lib/rsyslog/ I cannot find the modules that are complained about in syslog:

root@minemeld:/var/log# ls -l /usr/lib/rsyslog/
total 640
-rw-r--r-- 1 root root 36960 Mar 25 2019 imfile.so
-rw-r--r-- 1 root root 24320 Mar 25 2019 imjournal.so
-rw-r--r-- 1 root root 19936 Mar 25 2019 imklog.so
-rw-r--r-- 1 root root 15680 Mar 25 2019 imkmsg.so
-rw-r--r-- 1 root root 11040 Mar 25 2019 immark.so
-rw-r--r-- 1 root root 19856 Mar 25 2019 impstats.so
-rw-r--r-- 1 root root 36992 Mar 25 2019 imptcp.so
-rw-r--r-- 1 root root 20128 Mar 25 2019 imtcp.so
-rw-r--r-- 1 root root 28624 Mar 25 2019 imudp.so
-rw-r--r-- 1 root root 33072 Mar 25 2019 imuxsock.so
-rw-r--r-- 1 root root 23648 Mar 25 2019 lmnet.so
-rw-r--r-- 1 root root 20864 Mar 25 2019 lmnetstrms.so
-rw-r--r-- 1 root root 25344 Mar 25 2019 lmnsd_ptcp.so
-rw-r--r-- 1 root root 6304 Mar 25 2019 lmregexp.so
-rw-r--r-- 1 root root 21088 Mar 25 2019 lmstrmsrv.so
-rw-r--r-- 1 root root 10496 Mar 25 2019 lmtcpclt.so
-rw-r--r-- 1 root root 33952 Mar 25 2019 lmtcpsrv.so
-rw-r--r-- 1 root root 10432 Mar 25 2019 lmzlibw.so
-rw-r--r-- 1 root root 14704 Mar 25 2019 mmanon.so
-rw-r--r-- 1 root root 19040 Mar 25 2019 mmexternal.so
-rw-r--r-- 1 root root 14832 Mar 25 2019 mmjsonparse.so
-rw-r--r-- 1 root root 14688 Mar 25 2019 mmpstrucdata.so
-rw-r--r-- 1 root root 14816 Mar 25 2019 mmsequence.so
-rw-r--r-- 1 root root 10592 Mar 25 2019 mmutf8fix.so
-rw-r--r-- 1 root root 10488 Mar 25 2019 omjournal.so
-rw-r--r-- 1 root root 19584 Mar 25 2019 ommail.so
-rw-r--r-- 1 root root 19056 Mar 25 2019 omprog.so
-rw-r--r-- 1 root root 15200 Mar 25 2019 omuxsock.so
-rw-r--r-- 1 root root 11176 Mar 25 2019 pmaixforwardedfrom.so
-rw-r--r-- 1 root root 11168 Mar 25 2019 pmcisconames.so
-rw-r--r-- 1 root root 11200 Mar 25 2019 pmlastmsg.so
-rw-r--r-- 1 root root 11168 Mar 25 2019 pmsnare.so
-rwxr-xr-x 1 root root 140 Mar 20 2019 rsyslog-rotate

So, there must be something wrong with the binary install.

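The log excerpt above shows the failure pattern: rsyslogd-2066 "could not load module" for each missing .so, followed by rsyslogd-2209 "module name ... is unknown" and rsyslogd-2207 parse errors for the config file that references them, so the whole 60-syslog-minemeld.conf is rejected and nothing reaches the miner. The script below is an added example, not part of the original post or of MineMeld: it extracts the module names a set of rsyslog config files try to load (both `module(load="...")` and legacy `$ModLoad` syntax) and reports which ones have no matching shared object in the module directory, so the gap can be found before restarting rsyslog instead of after. The sample config, the module directory and the sample module list are constructed for the demo; the real MineMeld config may differ.

```shell
#!/bin/sh
# Added example: verify that every module referenced by rsyslog config files
# is actually installed in the module directory (Ubuntu: /usr/lib/rsyslog).

# Print the sorted, de-duplicated module names loaded by the given config
# files, accepting RainerScript module(load="x") and legacy $ModLoad x.
rsyslog_required_modules() {
    # $@ : rsyslog config files
    grep -hoE 'module\(load="[^"]+"|\$ModLoad[[:space:]]+[A-Za-z0-9_]+' "$@" 2>/dev/null \
      | sed -E 's/^module\(load="//; s/"$//; s/^\$ModLoad[[:space:]]+//' \
      | sort -u
}

# Print, space-separated on one line, the modules whose <name>.so is absent
# from the module directory. Empty output means every module is installed.
rsyslog_missing_modules() {
    # $1 : module directory; remaining args : config files
    moddir=$1; shift
    missing=""
    for m in $(rsyslog_required_modules "$@"); do
        if [ ! -f "$moddir/$m.so" ]; then
            missing="${missing:+$missing }$m"
        fi
    done
    echo "$missing"
}

# Constructed sample (assumption): a config that loads the modules named in
# the error log above, checked against a module directory holding only
# imudp.so. Real usage would be:
#   rsyslog_missing_modules /usr/lib/rsyslog /etc/rsyslog.conf /etc/rsyslog.d/*.conf
demo_missing() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rsyslog.d" "$tmp/modules"
    cat > "$tmp/rsyslog.d/60-syslog-minemeld.conf" <<'EOF'
module(load="imudp")
module(load="mmnormalize")
module(load="omrabbitmq")
$ModLoad pmpanngfw
EOF
    : > "$tmp/modules/imudp.so"
    rsyslog_missing_modules "$tmp/modules" "$tmp"/rsyslog.d/*.conf
    rm -rf "$tmp"
}

demo_missing
```

Run against a live system the check tells you which packages or vendor-shipped modules are missing before rsyslog logs error 2066; note that grep reads stdin when given no files, so always pass explicit config paths.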