topic Re: FORWARDING PA-7000 LOGS TO Expedition in Expedition Discussions

FORWARDING PA-7000 LOGS TO Expedition

hfarajallah — Sun, 22 Aug 2021 10:20:19 GMT

Hey everybody,

I'm setting up a 7050 with a log forwarding card to a dedicated log collector and we have on top of that Panorama VM - Management only . On the log collector, I have it set to device log collection and collector group communication on ethernet1/9. I have log settings configured as well as a log forwarding profile.

now I add the panorama to the expedition and I retrieve the devices, what I need is how to export the Firewall logs to the expedition like other firewall like PA 5220 for example, that store the logs locally and there is an option for scheduler export log and configure the SCP to send the logs on daily base to expedition and I can analyze the logs.

As I know The Log Forwarding Card (LFC) is that forwards all dataplane logs (traffic and threat for example) from the firewall to one or more external logging systems, such as Panorama or a syslog server. Because the dataplane logs are no longer available on the local firewall.

How can get these logs to expedition on daily bases to analyze it, because I have multiple vsys on 7050.

I appreciate your support.

Regards,

Hamadah

Re: FORWARDING PA-7000 LOGS TO Expedition

lychiang — Mon, 23 Aug 2021 16:04:29 GMT

Hi @hfarajallah Please refer the module 4 - Import traffic logs into Expedition in the below video playlist , there are different methods for traffic log import , for example, one of the method is to make expedition as syslog server.

https://www.youtube.com/playlist?list=PLD6FJ8WNiIqXAfspousboWn6AllrOWVMi

Re: FORWARDING PA-7000 LOGS TO Expedition

hfarajallah — Tue, 24 Aug 2021 15:47:42 GMT

Hi Lychiang

I have an issue i can see the csv file in the folder but how can automatically parse these file, I can not see it in the expedition GUI, when you go to devices --> m.Lerning noting is there?

any thing that i need to be done?

my issue is the file format :

not working format that when i exported as syslog:

2021-08-24T11:51:13+03:00 MOE-HQ-PA-FW-01.moe.local 1,2021/08/24 11:51:12,010108010441,TRAFFIC,start,2305,2021/08/24 11:51:12,10.0.70.54,192.168.6.215,0.0.0.0,0.0.0.0,ANY-to-ANY_HTTPs,,,ms-sms,vsys1,outside,DB-V-13,ae2.63,ae2.2,Panorama-log,2021/08/24 11:51:12,71962469,1,52271,80,0,0,0x4000,tcp,allow,4472,4402,70,7,2021/08/24 11:51:11,0,private-ip-addresses,0,6982130509256638010,0x8000000000000000,10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255,0,6,1,n/a,922,0,0,0,HQ-DC,MOE-HQ-PA-FW-01,from-policy,,,0,,0,,N/A,0,0,0,0,47a0c081-9c8c-40c7-91b8-d047d0d54e6b,0,0,,,,,,,

working format, and this format was export normaly from the firewall as (scheduled log export)
1,2021/08/22 00:00:00,013201026585,TRAFFIC,start,2305,2021/08/22 00:00:00,10.25.127.56,10.0.10.204,,,EDs-To-Call-Manager,,,web-browsing,vsys2,RYNC-IPVPN-OUTSIDE,RYNC-IPVPN-INSIDE,ae6.601,ae5.600,Log_Forwarding_WAN,2021/08/22 00:00:00,514109,1,46033,6970,0,0,0x100000,tcp,allow,373,295,78,4,2021/08/22 00:00:01,0,any,0,6971380400278891820,0x8000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,3,1,n/a,0,0,0,0,NC-WAN-VSYS2,RYNC-PA-FW-01,from-policy,,,0,,0,,N/A,0,0,0,0,49a0caee-7b03-4ee0-aa85-cc902ed09c8a,0,0,,,,,,,

How I can change the non working format?

any help?

Hamadah

thanks in advance