The '/PALogs/' cannot be scanned. '

patrick.blumer — Wed, 07 Jul 2021 13:02:46 GMT

I am getting the following error when trying to scan my log folder on expedition "The '/PALogs/<firewall logs folder>' cannot be scanned. '." I am on version 1.1.101. I also am wondering if maybe my rsylog configuration is not right. The folders being created are created by root. I have no issues if I import files manually.

Re: The '/PALogs/' cannot be scanned. '

azuniga — Wed, 07 Jul 2021 14:47:59 GMT

Verify there are no permission issues with the folder and the owner is www-data:expedition you could always change the folder permissions to chmod 777 /PALogs to see if that helps.

Re: The '/PALogs/' cannot be scanned. '

Vinayak1 — Fri, 16 Feb 2024 15:33:34 GMT

did you find any solution on this?

Re: The '/PALogs/' cannot be scanned. '

dpuigdomenec — Wed, 21 Feb 2024 15:08:11 GMT

Hi @Vinayak1

If you have some issues while trying to analyse your logs please follow below troubleshooting steps.

1) (If logs does not appear in Expedition) Check NGFW and Expedition has communication. Open the NGFW terminal and execute:

ssh host expedition@$VM_EXPEDITION

2) Check the /PALogs/ and the /data/ folders has the correct grants

chown -R www-data:www-data /data

chown -R www-data:www-data /PALogs/

3) Review in the UI settings that ML settings are correct.

4) Define your device. Make sure the serial number is the one reported on FW logs. Also set the device as a NGFW. Panorama devices can not proceed logs. NOTE: Expedition gets the 3rd line of the log file to get the mapping between the device and the log file.

5) Make sure java is installed. Execute: java -version or apt list --installed | grep jdk . If it is not installed execute: apt-get install -y openjdk-8-jre-headless

6) Process the logs (Panorama devices can not proceed logs) manually. Execute the action in below order:

Define /PALogs/$folderORFileName* as the folder where FW logs are stored. Make sure www-data has granted permission.
Click on Save
Enter again into the device and select tab ML
Click on Process Enabled Files
Wait until the process is finished. Meanwhile review below logs.

/home/userSpace/panReadOrders.log: Review the call with the params for the spark process.
/tmp/command.spark: Review the call to spark. It can be copied and executed by hand for troubleshooting purposes, output will be printed on the cli.
/tmp/command_actions.spark: Review the call to spark. It can be copied and executed by hand for troubleshooting purposes, output will be printed on /tmp/error_logCoCo.
/tmp/error_logCoCo: File containing the output of the spark command.
During the execution of the analysis you will see also the creation of a couple of csv files; *_afterProcess.csv (actions to perform after the logs are processed), *_traffic_files.csv (listing of the processed files)

Let me know if you have any other question,

Best regards,

David

topic Re: The '/PALogs/<firewall logs folder>' cannot be scanned. ' in Expedition Discussions

The '/PALogs/' cannot be scanned. '

Re: The '/PALogs/' cannot be scanned. '

Re: The '/PALogs/' cannot be scanned. '

Re: The '/PALogs/' cannot be scanned. '