I have configured the syslogminer node as per https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262
I have checked that the firewall is sending syslog for threat events on TCP 13514, BSD format, LOG_USER facility, and I can see the events coming into MineMeld by running tcpdump -i eth0 port 13514. It shows the traffic and the ack going back:
00:16:15.486176 IP x.x.x.15.56790 > dev-minemeld01.13514: Flags [P.], seq 3360:3920, ack 1, win 115, options [nop,nop,TS val 21990724 ecr 124658], length 560
00:16:15.486195 IP dev-minemeld01.13514 > x.x.x.15.56790: Flags [.], ack 3920, win 2799, options [nop,nop,TS val 138910 ecr 21990724], length 0
There is nothing relevant in the rsyslog.log file:
Mar 17 23:57:59 dev-minemeld01 rsyslogd: [origin software="rsyslogd" swVersion="8.17.0" x-pid="770" x-info="http://www.rsyslog.com"] start
Mar 17 23:57:59 dev-minemeld01 rsyslogd: rsyslogd's groupid changed to 104
Mar 17 23:57:59 dev-minemeld01 rsyslogd: rsyslogd's userid changed to 101
The miner shows "no metrics yet" in the stats tab.
What am I missing?
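One way to separate "is the listener accepting and parsing BSD syslog?" from "is the firewall sending it?" is to craft a known-good RFC 3164 (BSD) line with the LOG_USER facility yourself, check its PRI field, and feed it to the miner's TCP port. The script below is an added example, not code from the original post or from MineMeld; the host name fw01, the tag "threat", the sample timestamp and the message text are constructed, and the listener name dev-minemeld01 and port 13514 are taken from the post.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes used below.
LOG_USER = 1   # facility "user-level messages", what the miner was configured for
SEV_INFO = 6   # severity "informational"

# <PRI>Mmm dd HH:MM:SS host message   (day of month is space-padded)
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def build_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity


def build_bsd_message(host, tag, text, facility=LOG_USER, severity=SEV_INFO, when=None):
    """Return one BSD syslog line: <PRI>Mmm dd HH:MM:SS host tag: text"""
    when = when or datetime.now()
    # BSD syslog pads a single-digit day with a space, not a zero.
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{build_pri(facility, severity)}>{stamp} {host} {tag}: {text}"


def parse_bsd_message(line):
    """Split a BSD line back into its parts; None if it is not BSD-shaped."""
    m = BSD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:          # 23 * 8 + 7 is the largest legal PRI
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def is_user_facility(line):
    """True when the line's PRI encodes LOG_USER, i.e. what the miner filters on."""
    parsed = parse_bsd_message(line)
    return parsed is not None and parsed["facility"] == LOG_USER


def send_tcp(line, listener_host, port=13514, timeout=5.0):
    """Deliver one newline-framed line over TCP, the way the firewall does."""
    with socket.create_connection((listener_host, port), timeout=timeout) as sock:
        sock.sendall((line + "\n").encode("utf-8"))
    return True


# Constructed sample with a fixed timestamp so the output is reproducible.
SAMPLE_LINE = build_bsd_message(
    "fw01", "threat", "constructed test event",
    when=datetime(2024, 3, 17, 23, 57, 59),
)

if __name__ == "__main__":
    print(SAMPLE_LINE)                    # <14>Mar 17 23:57:59 fw01 threat: constructed test event
    print(parse_bsd_message(SAMPLE_LINE))
    # send_tcp(SAMPLE_LINE, "dev-minemeld01")   # uncomment to hit the real listener
```

If a line like this shows up in the miner's stats while the firewall's own events do not, the difference is in what the firewall sends (facility, format or framing); if it also goes uncounted, the problem is on the listener side, which is where the empty rsyslog.log becomes the next thing to look at.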