https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538627#M4530 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/283781">@tnamba_evotek</a>&nbsp;If /PALogs folder does not exist, you will need to manually create them in the Expedition.&nbsp; Please review the tutorial video&nbsp;<A href="https://youtu.be/Ozjx0rfRRmI" target="_blank">https://youtu.be/Ozjx0rfRRmI</A></P> Thu, 13 Apr 2023 16:38:45 GMT lychiang 2023-04-13T16:38:45Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538621#M4529 <P>Hi all, I'm trying to set up Expedition as a Syslog server. &nbsp;I am following the guides, but a folder under /PALogs is never created with the management IP of firewall sending the logs. &nbsp;Any suggestions? &nbsp;</P> Thu, 13 Apr 2023 16:00:48 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538621#M4529 tnamba_evotek 2023-04-13T16:00:48Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538627#M4530 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/283781">@tnamba_evotek</a>&nbsp;If /PALogs folder does not exist, you will need to manually create them in the Expedition.&nbsp; Please review the tutorial video&nbsp;<A href="https://youtu.be/Ozjx0rfRRmI" target="_blank">https://youtu.be/Ozjx0rfRRmI</A></P> Thu, 13 Apr 2023 16:38:45 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538627#M4530 lychiang 2023-04-13T16:38:45Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538629#M4531 <P>/PALogs directory is there, but the directory under that never gets created with the management IP of the firewall (10.0.0.1). &nbsp;I tried creating the 10.0.0.1 directory manually, but no logs ever get populated.</P> Thu, 13 Apr 2023 16:54:33 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538629#M4531 tnamba_evotek 2023-04-13T16:54:33Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538630#M4532 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/283781">@tnamba_evotek</a>&nbsp; The subfolder should be auto created when Expedition received syslog from firewall. You can try to use "chmod" to change the folder permission, so firewall can write to it , all those are in the tutorial video .&nbsp;</P> Thu, 13 Apr 2023 16:57:34 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538630#M4532 lychiang 2023-04-13T16:57:34Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538632#M4533 <P>That is my issue, it is not getting created automatically and when I manually create it, the logs never show up. &nbsp;I used chmod and chown to mirror the /PALogs directory permission and ownership to the 10.0.0.1 directory.</P> Thu, 13 Apr 2023 17:10:52 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538632#M4533 tnamba_evotek 2023-04-13T17:10:52Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538635#M4534 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/283781">@tnamba_evotek</a>&nbsp;Make sure you have modified</P> <P class="p1"><SPAN class="s1"><STRONG>/var/www/html/OS/rsyslog/rsyslog.conf</STRONG> to be like the sample in the same directory , for example, if you are sending the syslog in udp , you will reference the&nbsp;</SPAN><SPAN class="s1">rsyslog.default-udp in the same directory, double check below:</SPAN></P> <P class="p1"><SPAN class="s1">1.&nbsp; You have added your firewallIPs as allowed list in the section of the rsyslog.conf </SPAN></P> <P class="p1"><SPAN class="s1"># specify senders you permit to access</SPAN></P> <P class="p1"><SPAN class="s1">$AllowedSender TCP, 127.0.0.1, 10.11.29.0/24, 172.16.26.0/24, *.paloaltonetworks <STRONG><FONT color="#FF0000">(add your firewall IPs)</FONT></STRONG></SPAN></P> <P class="p1"><SPAN class="s1">.com</SPAN></P> <P class="p1"><SPAN class="s1">$AllowedSender UDP, 127.0.0.1, 10.11.29.0/24, 172.16.26.0/24, *.paloaltonetworks<STRONG><FONT color="#FF0000">&nbsp;(add your firewall IPs)</FONT></STRONG></SPAN></P> <P class="p1"><SPAN class="s1">.com</SPAN></P> <P class="p2">2.&nbsp;In the below section, make sure the folder is /PALogs and the folder exist in your system:&nbsp; (Folder name is Case sensitive)</P> <P class="p2">&nbsp;</P> <P class="p1"><SPAN class="s1">$template DynaTrafficLog,<STRONG>"/PALogs/%FROMHOST-IP%/%HOSTNAME%_traffic_%$YEAR%_%$MON</STRONG></SPAN></P> <P class="p1"><STRONG><SPAN class="s1">TH%_%$DAY%_last_calendar_day.csv"</SPAN></STRONG></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">3. After modify and save the file, make sure you restart the VM</SPAN></P> Thu, 13 Apr 2023 17:32:23 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538635#M4534 lychiang 2023-04-13T17:32:23Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538893#M4535 <P>Yes, that is all in the guide which I followed.&nbsp;</P> Sat, 15 Apr 2023 23:40:19 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-as-a-syslog-server/m-p/538893#M4535 tnamba_evotek 2023-04-15T23:40:19Z