https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/237925#M738 <P>Maybe for that rule there is no log between the time period selected?</P> Wed, 31 Oct 2018 11:49:04 GMT alestevez 2018-10-31T11:49:04Z https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/237602#M719 <P>I have a problem with Rule Enrichment.&nbsp;</P> <P>&nbsp;</P> <P>The error_SecRulesEnrich gives these messages after analysing the data from a rule which has a lot of data (at least by APP-ID):</P> <P>&nbsp;&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Schermafbeelding 2018-10-29 om 15.36.56.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17352iF40AEE62B3C059B9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Schermafbeelding 2018-10-29 om 15.36.56.png" alt="Schermafbeelding 2018-10-29 om 15.36.56.png" /></span></P> <P>I am connected to a firewall, and i can analyse in Expedition the applications (By APP-ID) and getting results.</P> <P>So i am confused why it sais, no traffic found.</P> <P>&nbsp;</P> <P>MySQL is working, the "expedition internal checks" are all green.&nbsp;</P> <P>&nbsp;</P> <P>The Rule Enrichment is processing and results in "Completed"</P> <P>Also i rebooted the VM.</P> <P>&nbsp;</P> Mon, 29 Oct 2018 15:30:27 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/237602#M719 antono 2018-10-29T15:30:27Z https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/237925#M738 <P>Maybe for that rule there is no log between the time period selected?</P> Wed, 31 Oct 2018 11:49:04 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/237925#M738 alestevez 2018-10-31T11:49:04Z https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/238175#M749 <P>I changed the log collector time to several months. No change..</P> Thu, 01 Nov 2018 08:00:27 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/238175#M749 antono 2018-11-01T08:00:27Z https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/238361#M754 <P>Nobody who had this problem, found a solution?</P> Fri, 02 Nov 2018 15:20:06 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/238361#M754 antono 2018-11-02T15:20:06Z https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/238367#M755 <P>Can you grep your csv file to see of there is any log entry for the rule name you are evaluating?</P> Fri, 02 Nov 2018 15:57:55 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/238367#M755 alestevez 2018-11-02T15:57:55Z https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/238567#M763 <P>Eventually i found the problem.</P> <P>&nbsp;</P> <P>RL and ML does not read the logs directly from the Palo Alto logs, like APPID does.&nbsp;</P> <P>&nbsp;</P> <P>After exporting an CSV file from the monitoring tab (filtered on the same rule as i want to analyse), and importing this CSV file to the local folder, and changing the security settings on this folder, i got it working.</P> <P>&nbsp;</P> <P>So for Rule Enrichment, there is a need of logging exported from the firewall</P> Mon, 05 Nov 2018 10:34:21 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/re-error-secrulesenrich-no-traffic-found/m-p/238567#M763 antono 2018-11-05T10:34:21Z