https://live.paloaltonetworks.com/t5/expedition-discussions/way-to-forward-logs-from-individual-rules-instead-of-entire/m-p/347631#M2953 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/93223">@BOkay</a>&nbsp;</P> <P>&nbsp;</P> <P>This question will be a PAN-OS question, I know there is an "scp export traffic log" command that you can specify the filter using "query", you might want to open a case with TAC and ask them if there is a way to export only traffic logs matching specific rule name.&nbsp;&nbsp;</P> Tue, 08 Sep 2020 17:56:06 GMT lychiang 2020-09-08T17:56:06Z https://live.paloaltonetworks.com/t5/expedition-discussions/way-to-forward-logs-from-individual-rules-instead-of-entire/m-p/347564#M2951 <P>Is there a way to forward logs from individual rules by adding Expedition to their Log Forwarding Profile rather than setting up a Scheduled Log Export which forwards an entire firewall's logs?</P> <P>&nbsp;</P> <P>Reason I ask is I need to use MI to analyze traffic for some specific rules but do not need to analyze traffic on an entire firewall. I have Scheduled Log Export setup for some smaller firewalls where the entire policy needs to be analyzed and this works well.&nbsp; But, I also have some very large high traffic firewalls where I need to analyze only a few rules and scheduling the export of their entire traffic log would just be too much for our Expedition server.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Any thoughts?&nbsp; Thank you!</P> Tue, 08 Sep 2020 15:34:41 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/way-to-forward-logs-from-individual-rules-instead-of-entire/m-p/347564#M2951 BOkay 2020-09-08T15:34:41Z https://live.paloaltonetworks.com/t5/expedition-discussions/way-to-forward-logs-from-individual-rules-instead-of-entire/m-p/347631#M2953 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/93223">@BOkay</a>&nbsp;</P> <P>&nbsp;</P> <P>This question will be a PAN-OS question, I know there is an "scp export traffic log" command that you can specify the filter using "query", you might want to open a case with TAC and ask them if there is a way to export only traffic logs matching specific rule name.&nbsp;&nbsp;</P> Tue, 08 Sep 2020 17:56:06 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/way-to-forward-logs-from-individual-rules-instead-of-entire/m-p/347631#M2953 lychiang 2020-09-08T17:56:06Z https://live.paloaltonetworks.com/t5/expedition-discussions/way-to-forward-logs-from-individual-rules-instead-of-entire/m-p/347869#M2955 <P>Hi,</P> <P>&nbsp;</P> <P>Yes, this is possible using Expedition as a Syslog server and using a Log Forwarding profile as you stated.</P> <P>&nbsp;</P> <P>To make sure that Expedition is receiving the traffic logs using syslog messages, check this other thread where we mentioned how to set up these parts.</P> <P><A href="https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-syslog-server-change-logs-directory/td-p/244974" target="_blank">https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-syslog-server-change-logs-directory/td-p/244974</A></P> <P>&nbsp;</P> Wed, 09 Sep 2020 10:45:57 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/way-to-forward-logs-from-individual-rules-instead-of-entire/m-p/347869#M2955 dgildelaig 2020-09-09T10:45:57Z