https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/481966#M3959 <P>Hi Roland,</P> <P>As I understand correctly you ended up doing a scheduled export from all panorama manged deviced to Expedition.</P> <P>I there no way to export the logs from panorama itself?</P> <P>&nbsp;</P> Fri, 22 Apr 2022 13:46:53 GMT zGomez 2022-04-22T13:46:53Z https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314379#M2362 <P>Hello,</P> <P>&nbsp;</P> <P>I am working in an environment in which all Palo Alto FWs are centrally managed by a Panorama instance. All traffic logs are sent to the Panorama.</P> <P>&nbsp;</P> <P>If I follow the ML (Loggings Analysis) Guide, it is proposed to set a Scheduled Log Export from each individual FW towards the Expedition ML Server.</P> <P>&nbsp;</P> <P>But what is the correct approach in case we are using a centralized Panorama instance which is already receiving all these traffic logs? Should I still configure each individual firewall with an Scheduled Log Export towards the Expedition server?</P> <P>&nbsp;</P> <P>Thanks</P> Wed, 04 Mar 2020 14:49:12 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314379#M2362 roland_sterkendries 2020-03-04T14:49:12Z https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314409#M2363 <P>Hello,</P> <P>&nbsp;</P> <P>You can import directly from Panorama in your situation.</P> Wed, 04 Mar 2020 15:50:51 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314409#M2363 azuniga 2020-03-04T15:50:51Z https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314658#M2374 <P>Hi Azuniga and thanks for answering.</P> <P>&nbsp;</P> <P>Your proposition is actually what I did some days ago but it does not seem to work.</P> <P>&nbsp;</P> <P>I can schedule the export on the Panorama instance. The scp "ping" works fine copying a dummy file named <STRONG>ssh-export-test-txt</STRONG>. However, later when the export should happen, it does not and the destination folder on the Expedition server remains empty.</P> <P>&nbsp;</P> <P>The Destination folder has following rights:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="expedition_rw_rights.png" style="width: 688px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/24248i834F9DBAD34B2D4E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="expedition_rw_rights.png" alt="expedition_rw_rights.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Seen this before? Could it be a bug?</P> <P>Thanks for any help/hint</P> Thu, 05 Mar 2020 10:49:59 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314658#M2374 roland_sterkendries 2020-03-05T10:49:59Z https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314741#M2377 <P>I checked my file permissions on my personal VM and noticed I have permissions of 755, I am wondering if your file permissions were changed? I see that yours is 750 so it might not matter if the permissions are altered unless expedition writes to the file as other. Would you mind changing that and confirming your machine learning file path is set to /data, it should be under settings &gt; m. learning.</P> <P>&nbsp;</P> <P>If you are still having issues please feel free to email us at fwmigrate (at) paloaltonetworks.com</P> Thu, 05 Mar 2020 17:50:18 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314741#M2377 azuniga 2020-03-05T17:50:18Z https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314746#M2378 <P>If you can see that the&nbsp;<STRONG>ssh-export-test-txt</STRONG><STRONG>&nbsp;</STRONG>test file gets generated in the /logs folder in your Expedition, this means that you have the settings in Expedition allowing the logs to be sent.</P> <P>&nbsp;</P> <P>If so, and you still do not get logs sent, it could be:</P> <P>a) did you commit the configuration in your FW to do the schedule log export?</P> <P>b) do you have traffic hitting rules in your firewall? (actually, I think you should get still traffic log files, but those would be empty in Expedition)</P> <P>c) are you actually seeing the traffic logs in the /logs folder? In such case, remember that you will be able to process the files in Expedition if you have imported the firewalls that own those traffic log files. Get into your Panorama device (in Expedition) and click on retrieve connected devices.</P> Thu, 05 Mar 2020 17:59:47 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/314746#M2378 dgildelaig 2020-03-05T17:59:47Z https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/315747#M2410 <P>Hi Dgildelaig,</P> <P>&nbsp;</P> <P>thanks for your answer.</P> <P>&nbsp;</P> <P>I could solve the issue this week. I will post it here for documentation. It turns out csv traffic logs cannot be exported from the Panorama.</P> <P>&nbsp;</P> <P><SPAN style="font-family: inherit;">Even if you can configure a Scheduled Log Export centrally from the Panorama, this actually pushes the Scheduled Export to all FW devices and you still have to connect to all individual devices and click on their "SCP Test" button to exchange keys between FW-Expedition. This is because the exports are happening from the FWs and not from the Panorama.</SPAN></P> Wed, 11 Mar 2020 16:20:58 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/315747#M2410 roland_sterkendries 2020-03-11T16:20:58Z https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/315980#M2412 <P>That's right.</P> <P>&nbsp;</P> <P>An alternative is to use Expedition as a Syslog server and receive the traffic-logs on-realtime.</P> <P>&nbsp;</P> <P>You may find some information about how to setup Expedition to activate the syslog server features in this forum</P> Thu, 12 Mar 2020 09:23:14 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/315980#M2412 dgildelaig 2020-03-12T09:23:14Z https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/481966#M3959 <P>Hi Roland,</P> <P>As I understand correctly you ended up doing a scheduled export from all panorama manged deviced to Expedition.</P> <P>I there no way to export the logs from panorama itself?</P> <P>&nbsp;</P> Fri, 22 Apr 2022 13:46:53 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/what-is-the-correct-way-to-export-traffic-logs-from-a-panorama/m-p/481966#M3959 zGomez 2022-04-22T13:46:53Z