topic PAN to rsyslog on Ubuntu 22 yields unusable file names in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-to-rsyslog-on-ubuntu-22-yields-unusable-file-names/m-p/520355#M538 <P class="_1qeIAgB0cPwnLhDF9XSiJM">Hi.</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">I have a default setup w/ Ubuntu 22 as a rsyslog server. I pointed my PAN 10.2 to it, and am getting log data, but I am not getting a usable / meaningful file name. I'd like the log file name to be something like "perimfw" or some such to start.</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">Hoping that some other PAN users here are logging to rsyslog and have a usable template line = because the PAN log record does not appear to include a process name because it looks like this "2022-11-04T12:54:13-04:00 perimfw.ad.local 1,2022/11/04 12:54:13,012801088067,THREAT,url,2561,2022/11/04 12:54:13, ...."</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">In the rsyslog file has these lines:</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">*.* ?remote-incoming-logs</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&amp; ~</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">The log file generated is =&gt; 1,2022.log (for BSD format from PAN) and =&gt; "-.log" format if you change to IEFT. In contrast, because the Infoblox servers that are already logging to the same rsyslog server have a traditional process name, I get a nice file and record layout. Example =&gt; "ssh.log" comes from this log line "2022-10-26T19:19:56+02:00 192.168.1.27 sshd[9011]: Local authentication succeeded for user admin";&nbsp; and rsyslog can easily peel off the process name.&nbsp;</P> Fri, 04 Nov 2022 17:18:13 GMT dmurdoch 2022-11-04T17:18:13Z PAN to rsyslog on Ubuntu 22 yields unusable file names https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-to-rsyslog-on-ubuntu-22-yields-unusable-file-names/m-p/520355#M538 <P class="_1qeIAgB0cPwnLhDF9XSiJM">Hi.</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">I have a default setup w/ Ubuntu 22 as a rsyslog server. I pointed my PAN 10.2 to it, and am getting log data, but I am not getting a usable / meaningful file name. I'd like the log file name to be something like "perimfw" or some such to start.</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">Hoping that some other PAN users here are logging to rsyslog and have a usable template line = because the PAN log record does not appear to include a process name because it looks like this "2022-11-04T12:54:13-04:00 perimfw.ad.local 1,2022/11/04 12:54:13,012801088067,THREAT,url,2561,2022/11/04 12:54:13, ...."</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">In the rsyslog file has these lines:</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">*.* ?remote-incoming-logs</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&amp; ~</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P> <P class="_1qeIAgB0cPwnLhDF9XSiJM">The log file generated is =&gt; 1,2022.log (for BSD format from PAN) and =&gt; "-.log" format if you change to IEFT. In contrast, because the Infoblox servers that are already logging to the same rsyslog server have a traditional process name, I get a nice file and record layout. Example =&gt; "ssh.log" comes from this log line "2022-10-26T19:19:56+02:00 192.168.1.27 sshd[9011]: Local authentication succeeded for user admin";&nbsp; and rsyslog can easily peel off the process name.&nbsp;</P> Fri, 04 Nov 2022 17:18:13 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-to-rsyslog-on-ubuntu-22-yields-unusable-file-names/m-p/520355#M538 dmurdoch 2022-11-04T17:18:13Z Re: PAN to rsyslog on Ubuntu 22 yields unusable file names https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-to-rsyslog-on-ubuntu-22-yields-unusable-file-names/m-p/520944#M562 <P><SPAN>I have a workable answer, this does solve the problem by sending data to a usable file name. Doesn't address why the process name is missing. X.Y are replacements for your site.....<U></U><U></U></SPAN></P> <P><SPAN>if $fromhost-ip == "192.168.X.Y" then {<BR />Action (type="omfile" file="/var/log/perimfw.X.Y/<WBR />firewall.log")<BR />stop<BR />}<BR />if $hostname == "perimfw.X.Y" then {<BR />Action (type="omfile" file="/var/log/perimfw.X.Yl/<WBR />firewall.log")<BR />stop<BR />}<BR />## This is a commonly suggested template to direct messages to a specific directory. It works for Infoblox NIOS very well - you get individual log files, as if you were looking at local syslog on a NIOS grid member.<BR />$template remote-incoming-logs,"/var/<WBR />log/%HOSTNAME%/%PROGRAMNAME%.<WBR />log"<BR />*.* ?remote-incoming-logs<BR />stop</SPAN></P> Thu, 10 Nov 2022 22:08:12 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-to-rsyslog-on-ubuntu-22-yields-unusable-file-names/m-p/520944#M562 donmrdch@gmail.com 2022-11-10T22:08:12Z