https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236182#M674 <P>Hello,</P> <P>&nbsp;</P> <P>i'm forwarding at the moment traffic logs from Palo Firewalls and Panorama to the Expedition server. I verified with tcpdump that the Expedition-Server recieves the syslogs. Expedition is up to date.&nbsp;</P> <P>I modified the configuration files in "/var/www/html/OS/rsyslog" like described in the "Expedition Log Analysis Guide v1.0".&nbsp;</P> <P>I also changed the user permission for the folder like described in the "Expedition Log Analysis Guide v1.0".</P> <P>But i don't see any created traffic-log-files for analysis.</P> <P>I also restarted the rsyslog daemon multiple times without any result.</P> <P>Do you have any idea or something that i should check to solve this problem?</P> <P>&nbsp;</P> <P>Best regards,</P> <P>&nbsp;</P> <P>Ben</P> Fri, 19 Oct 2018 13:56:19 GMT bebe5001 2018-10-19T13:56:19Z https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236182#M674 <P>Hello,</P> <P>&nbsp;</P> <P>i'm forwarding at the moment traffic logs from Palo Firewalls and Panorama to the Expedition server. I verified with tcpdump that the Expedition-Server recieves the syslogs. Expedition is up to date.&nbsp;</P> <P>I modified the configuration files in "/var/www/html/OS/rsyslog" like described in the "Expedition Log Analysis Guide v1.0".&nbsp;</P> <P>I also changed the user permission for the folder like described in the "Expedition Log Analysis Guide v1.0".</P> <P>But i don't see any created traffic-log-files for analysis.</P> <P>I also restarted the rsyslog daemon multiple times without any result.</P> <P>Do you have any idea or something that i should check to solve this problem?</P> <P>&nbsp;</P> <P>Best regards,</P> <P>&nbsp;</P> <P>Ben</P> Fri, 19 Oct 2018 13:56:19 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236182#M674 bebe5001 2018-10-19T13:56:19Z https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236185#M676 <P>Maybe the local Firewall?</P> <P>&nbsp;</P> <PRE>sudo /usr/bin/firewall-cmd --permanent --add-port=514/udp sudo /usr/bin/firewall-cmd --permanent --add-port=514/tcp</PRE> <P class="p1">&nbsp;</P> Fri, 19 Oct 2018 14:01:17 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236185#M676 alestevez 2018-10-19T14:01:17Z https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236451#M695 <P>Thanks for the help, but it didn't fix my problem. I checked the server once again and the Syslog-Messages are coming to the server but they appear in the following folder /var/log and in the following files syslog and syslog.1. Usually they should be in /data like it is configured in my rsyslog.default-tcpudp.conf file.</P> <P>So it seems, that my server uses the wrong configuration file for rsyslog.</P> <P>Does someone know where i can verify which configuration file is used by rsyslog?</P> Mon, 22 Oct 2018 09:53:14 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236451#M695 bebe5001 2018-10-22T09:53:14Z https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236453#M696 <P>You should have to replace the one comes from the OS in /etc/rsyslog.d with the one is&nbsp;provided within Expedition&nbsp;<SPAN>rsyslog.default-tcpudp.conf, then restart the service or the VM....&nbsp;</SPAN></P> Mon, 22 Oct 2018 10:04:14 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/firewall-panorama-traffic-log-via-syslog-to-expedition/m-p/236453#M696 alestevez 2018-10-22T10:04:14Z