https://live.paloaltonetworks.com/t5/expedition-articles/ml-re-split-palogs-per-serial-of-firewall-in-the-case-of/ta-p/533003 <DIV class="lia-message-template-symptoms-zone"> <H2>UseCase</H2> <P>&nbsp;</P> <P>In the ML or RE case, where Expedition is configured as syslog server , and you are forwarding traffic logs from Panorama to Expedition,&nbsp; by default, the logs will be saved using Panorama_IP . The solution below provides steps on how to&nbsp; split the logs per serial# of the firewall.</P> </DIV> <DIV class="lia-message-template-diagnosis-zone"> <P>&nbsp;</P> </DIV> <DIV class="lia-message-template-solution-zone"> <H2>Solution</H2> <P>&nbsp;</P> <P>Split the logs per FW/Serial number by following below steps:</P> <P>&nbsp;</P> <P><STRONG>Step 1.</STRONG> <STRONG>Edit your rsyslog.conf file</STRONG></P> <P>&nbsp;</P> <P>Replace below line:</P> <P><BR /><STRONG>$template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%HOSTNAME%<EM>traffic</EM>%$YEAR%<EM>%$MONTH%</EM>%$DAY%_last_calendar_day.csv"</STRONG></P> <P><BR />to below ones:</P> <P><BR /><STRONG>set $!SERIAL = field($msg,",",2);</STRONG><BR /><STRONG>$template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%$!SERIAL%/%$!SERIAL%<EM>%HOSTNAME%_traffic</EM>%$YEAR%<EM>%$MONTH%</EM>%$DAY%_last_calendar_day.csv"</STRONG></P> <P>&nbsp;</P> <P>The intention of the above configuration is to create a folder with your Panorama IP and subfolders for each FW/Serial number.</P> <P>&nbsp;</P> <P><STRONG>Step 2. Restart the syslog service</STRONG></P> <P>Issue below command:</P> <P><STRONG>service rsyslog restart</STRONG></P> <P>&nbsp;</P> <P>For your reference, next Expedition releases will include a set of rsyslog configuration example files on the path /var/www/html/OS/rsyslog folder .</P> <P>&nbsp;</P> </DIV> Thu, 02 Mar 2023 18:40:29 GMT lychiang 2023-03-02T18:40:29Z https://live.paloaltonetworks.com/t5/expedition-articles/ml-re-split-palogs-per-serial-of-firewall-in-the-case-of/ta-p/533003 <DIV class="lia-message-template-symptoms-zone"> <H2>UseCase</H2> <P>&nbsp;</P> <P>In the ML or RE case, where Expedition is configured as syslog server , and you are forwarding traffic logs from Panorama to Expedition,&nbsp; by default, the logs will be saved using Panorama_IP . The solution below provides steps on how to&nbsp; split the logs per serial# of the firewall.</P> </DIV> <DIV class="lia-message-template-diagnosis-zone"> <P>&nbsp;</P> </DIV> <DIV class="lia-message-template-solution-zone"> <H2>Solution</H2> <P>&nbsp;</P> <P>Split the logs per FW/Serial number by following below steps:</P> <P>&nbsp;</P> <P><STRONG>Step 1.</STRONG> <STRONG>Edit your rsyslog.conf file</STRONG></P> <P>&nbsp;</P> <P>Replace below line:</P> <P><BR /><STRONG>$template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%HOSTNAME%<EM>traffic</EM>%$YEAR%<EM>%$MONTH%</EM>%$DAY%_last_calendar_day.csv"</STRONG></P> <P><BR />to below ones:</P> <P><BR /><STRONG>set $!SERIAL = field($msg,",",2);</STRONG><BR /><STRONG>$template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%$!SERIAL%/%$!SERIAL%<EM>%HOSTNAME%_traffic</EM>%$YEAR%<EM>%$MONTH%</EM>%$DAY%_last_calendar_day.csv"</STRONG></P> <P>&nbsp;</P> <P>The intention of the above configuration is to create a folder with your Panorama IP and subfolders for each FW/Serial number.</P> <P>&nbsp;</P> <P><STRONG>Step 2. Restart the syslog service</STRONG></P> <P>Issue below command:</P> <P><STRONG>service rsyslog restart</STRONG></P> <P>&nbsp;</P> <P>For your reference, next Expedition releases will include a set of rsyslog configuration example files on the path /var/www/html/OS/rsyslog folder .</P> <P>&nbsp;</P> </DIV> Thu, 02 Mar 2023 18:40:29 GMT https://live.paloaltonetworks.com/t5/expedition-articles/ml-re-split-palogs-per-serial-of-firewall-in-the-case-of/ta-p/533003 lychiang 2023-03-02T18:40:29Z