Configuring SafeNetworking
Edward Arcuri edited this page May 11, 2018 · 4 revisions
```
sudo cp install/logstash/pan-sfn.conf /etc/logstash/conf.d/
```
3. Edit the /etc/logstash/conf.d/pan-sfn.conf file and replace each "CHANGEME" (4 places) with the address of your Logstash syslog listener or your Elasticsearch server, as appropriate.

Example input and output stanzas. Do not delete any of the lines. The filter stanza has been omitted, and only sections of the input and output stanzas are shown, for clarity.
```
input {
  syslog {
    host => "192.168.1.140"
    port => "5514"
    type => "syslog"
    tags => [ "PAN-OS_syslog" ]
...[SNIP]...
output {
  if "PAN-OS_traffic" in [tags] {
    elasticsearch {
      index => "traffic-%{+YYYY.MM.dd}"
      hosts => ["192.168.1.140:9200"]
    }
    stdout { codec => rubydebug }
  }
  else if "PAN-OS_threat" in [tags] {
    elasticsearch {
      index => "threat-%{+YYYY.MM.dd}"
      hosts => ["192.168.1.140:9200"]
    }
    stdout { codec => rubydebug }
  }
  else {
    elasticsearch {
      index => "parsefailure-%{+YYYY.MM.dd}"
      hosts => ["192.168.1.140:9200"]
    }
  }
}
```
NOTE: The setup script runs against localhost. If Elasticsearch is bound to a particular IP address, you will need to edit setup.sh and change it to reflect that address.

```
cd install
bash ./setup.sh
```
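A pre-flight check for the edited pan-sfn.conf, covering both step 3 (no "CHANGEME" left behind, listener port sane, every Elasticsearch output has an index and hosts) and the NOTE above (warn when the outputs point somewhere other than localhost, since setup.sh targets localhost). This is an added example and not part of SafeNetworking's own tooling; it assumes the Logstash configuration syntax shown on this page and a constructed sample file in which one placeholder was missed. Run it with a path argument to check a real file.

```python
"""Pre-flight checker for an edited pan-sfn.conf (added example, not SafeNetworking code)."""
import re
import sys

PLACEHOLDER = "CHANGEME"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the filter stanza is omitted and one CHANGEME was missed.
SAMPLE_CONF = '''
input {
  syslog {
    host => "192.168.1.140"
    port => "5514"
    type => "syslog"
    tags => [ "PAN-OS_syslog" ]
  }
}
output {
  if "PAN-OS_traffic" in [tags] {
    elasticsearch {
      index => "traffic-%{+YYYY.MM.dd}"
      hosts => ["192.168.1.140:9200"]
    }
  }
  else {
    elasticsearch {
      index => "parsefailure-%{+YYYY.MM.dd}"
      hosts => ["CHANGEME:9200"]
    }
  }
}
'''


def _blocks(text, name):
    """Yield the body of every `name { ... }` block, matching braces while
    ignoring braces inside double-quoted strings such as "%{+YYYY.MM.dd}"."""
    for m in re.finditer(r"\b" + re.escape(name) + r"\s*\{", text):
        i = start = m.end()
        depth, in_str = 1, False
        while i < len(text) and depth:
            c = text[i]
            if in_str:
                in_str = c != '"'
            elif c == '"':
                in_str = True
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
            i += 1
        if depth == 0:
            yield text[start:i - 1]


def _strings(body, key):
    """Values of `key => ...` in a block body: quoted strings (scalar or list),
    or the bare token when unquoted; [] when the key is absent."""
    m = re.search(r"\b" + re.escape(key) + r"\s*=>\s*([^\n]+)", body)
    if not m:
        return []
    return re.findall(r'"([^"]*)"', m.group(1)) or [m.group(1).strip()]


def check_conf(text):
    """Return a report dict: placeholders_left, listener, outputs, problems, warnings."""
    report = {"placeholders_left": text.count(PLACEHOLDER), "listener": None,
              "outputs": [], "problems": [], "warnings": []}
    if report["placeholders_left"]:
        report["problems"].append(
            f"{report['placeholders_left']} {PLACEHOLDER} placeholder(s) still present")

    # Syslog listener inside the input stanza (first syslog block wins).
    for body in _blocks(text, "syslog"):
        host = (_strings(body, "host") or [None])[0]
        port = (_strings(body, "port") or [None])[0]
        if not port or not port.isdigit() or not 0 < int(port) < 65536:
            report["problems"].append(f"syslog port {port!r} is not a valid port")
        else:
            report["listener"] = (host, int(port))
        break
    else:
        report["problems"].append("no syslog input block found")

    # Each elasticsearch output: its index pattern and target hosts.
    for body in _blocks(text, "elasticsearch"):
        out = {"index": (_strings(body, "index") or [None])[0],
               "hosts": _strings(body, "hosts")}
        if not out["hosts"]:
            report["problems"].append(f"elasticsearch output {out['index']!r} has no hosts")
        report["outputs"].append(out)
    if not report["outputs"]:
        report["problems"].append("no elasticsearch output blocks found")

    # All outputs are expected to address the same Elasticsearch server.
    host_sets = {tuple(o["hosts"]) for o in report["outputs"]}
    if len(host_sets) > 1:
        report["warnings"].append(f"elasticsearch outputs disagree on hosts: {sorted(host_sets)}")

    # setup.sh runs against localhost; flag a pipeline that points elsewhere.
    es_hosts = {h.rsplit(":", 1)[0] for o in report["outputs"] for h in o["hosts"]}
    if es_hosts and not es_hosts & LOCAL_HOSTS:
        report["warnings"].append("elasticsearch is addressed as " + ", ".join(sorted(es_hosts))
                                  + "; setup.sh runs against localhost, so edit it to match")
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    result = check_conf(text)
    for key in ("listener", "outputs", "problems", "warnings"):
        print(f"{key}: {result[key]}")
    sys.exit(1 if result["problems"] else 0)
```

The brace scanner in `_blocks` is deliberately string-aware because the `index` patterns contain `%{+YYYY.MM.dd}`, which would defeat a naive `[^}]*` regex. Problems are things Logstash or the setup will choke on; warnings are the mismatches the NOTE above asks you to reconcile by hand.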