Firewall / Panorama traffic-log via Syslog to Expedition



Hello,

I'm currently forwarding traffic logs from Palo Alto firewalls and Panorama to the Expedition server. I verified with tcpdump that the Expedition server receives the syslogs. Expedition is up to date.

I modified the configuration files in "/var/www/html/OS/rsyslog" as described in the "Expedition Log Analysis Guide v1.0".

I also changed the user permissions for the folder as described in the "Expedition Log Analysis Guide v1.0".

But I don't see any traffic log files created for analysis.

I also restarted the rsyslog daemon multiple times without any result.

Do you have any idea, or anything I should check, to solve this problem?

Best regards,

Ben


3 REPLIES


Maybe the local firewall?

sudo /usr/bin/firewall-cmd --permanent --add-port=514/udp
sudo /usr/bin/firewall-cmd --permanent --add-port=514/tcp
sudo /usr/bin/firewall-cmd --reload   # --permanent alone does not change the running rules


Thanks for the help, but it didn't fix my problem. I checked the server once again: the syslog messages are arriving at the server, but they land in the folder /var/log, in the files syslog and syslog.1. They should normally be in /data, as configured in my rsyslog.default-tcpudp.conf file.

So it seems that my server uses the wrong configuration file for rsyslog.

Does someone know where I can verify which configuration file is used by rsyslog?

You have to replace the one that comes from the OS in /etc/rsyslog.d with the one provided within Expedition, rsyslog.default-tcpudp.conf, then restart the service or the VM.
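A way to check this on the box, as an added example that is not from the thread and not Expedition's own tooling: the script below resolves the include directives of /etc/rsyslog.conf the way rsyslogd does, so you can see which files are actually loaded, which of them opens a listener on 514, and where each one writes. It then walks through the accepted answer on a constructed sample tree (a temporary directory that mimics an OS default in /etc/rsyslog.d and an un-included Expedition-style file under /var/www/html/OS/rsyslog). The contents of that stand-in file are assumed for the demonstration, not the real rsyslog.default-tcpudp.conf. The rsyslog_live_checks function runs the real-host checks (systemctl show, rsyslogd -N1, ss) where those tools exist.

```shell
#!/usr/bin/env bash
# Added example for this thread (not from the posts above, not Expedition's
# tooling). Answers "which config file is rsyslog actually using?" by resolving
# include directives from the main config the way rsyslogd does, then
# summarising, per file, whether it opens a 514 listener and where it writes.
# The sample tree below is constructed to reproduce the symptom in the thread;
# its Expedition file is a stand-in, not the real rsyslog.default-tcpudp.conf.

# List the files rsyslogd will read, starting from MAIN_CONF: the main file
# itself, then every file matched by a legacy "$IncludeConfig <glob>" or a
# RainerScript 'include(file="<glob>")' directive, in lexical (load) order.
rsyslog_config_files() {
    local main_conf="$1" pattern f
    [ -r "$main_conf" ] || { echo "cannot read $main_conf" >&2; return 1; }
    printf '%s\n' "$main_conf"
    sed -nE \
        -e 's/^[[:space:]]*\$IncludeConfig[[:space:]]+([^[:space:]]+).*/\1/p' \
        -e 's/^[[:space:]]*include\(.*file="([^"]+)".*/\1/p' \
        "$main_conf" |
    while read -r pattern; do
        for f in $pattern; do          # unquoted on purpose: expand the glob
            [ -f "$f" ] && printf '%s\n' "$f"
        done
    done
}

# Read config file names from stdin; for each, print
#   <file> listener=<yes|no> writes=<comma-separated absolute paths|none>
# "listener" means imudp/imtcp is loaded there. "writes" is a heuristic: every
# absolute path on a non-comment line that is not a module/include/global line,
# which catches legacy selectors, $template strings and omfile file="..." alike.
rsyslog_summarize() {
    local f listener paths
    while read -r f; do
        if grep -qE '^[[:space:]]*(\$ModLoad[[:space:]]+(imudp|imtcp)|module\(load="(imudp|imtcp)")' "$f"; then
            listener=yes
        else
            listener=no
        fi
        paths=$(grep -vE '^[[:space:]]*(#|\$IncludeConfig|include\(|\$ModLoad|module\(|\$WorkDirectory|global\()' "$f" \
            | grep -oE '/[^[:space:]";,]+' | sort -u | paste -sd, -)
        printf '%s listener=%s writes=%s\n' "$f" "$listener" "${paths:-none}"
    done
}

# On a real host: which config path the unit passes to rsyslogd, whether that
# config parses (-N1 is rsyslogd's validation-only mode), and whether anything
# is bound to 514. Each step is skipped when the tool is absent.
rsyslog_live_checks() {
    command -v systemctl >/dev/null && systemctl show rsyslog -p ExecStart
    command -v rsyslogd  >/dev/null && rsyslogd -N1 -f /etc/rsyslog.conf
    command -v ss        >/dev/null && { ss -lnpu; ss -lnpt; } | grep -w 514
    return 0
}

# Constructed sample tree (temp dir, path printed on stdout) mirroring the
# thread: the OS default in rsyslog.d writes to /var/log/syslog, while the
# Expedition-style file sits in /var/www/html/OS/rsyslog where nothing includes it.
make_sample_config() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/rsyslog.d" "$d/var/www/html/OS/rsyslog"
    cat >"$d/etc/rsyslog.conf" <<EOF
# constructed main config, Debian/Ubuntu style
\$ModLoad imuxsock
\$IncludeConfig $d/etc/rsyslog.d/*.conf
EOF
    cat >"$d/etc/rsyslog.d/50-default.conf" <<'EOF'
# constructed: what the OS package ships
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none     -/var/log/syslog
EOF
    cat >"$d/var/www/html/OS/rsyslog/rsyslog.default-tcpudp.conf" <<'EOF'
# constructed stand-in for Expedition's file; the real content is not reproduced
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template ExpeditionFile,"/data/%fromhost-ip%.log"
*.* ?ExpeditionFile
EOF
    printf '%s\n' "$d"
}

# Before/after walk-through of the accepted answer: move the Expedition file into
# rsyslog.d (the directory the main config includes) and drop the OS default.
demo() {
    local d; d=$(make_sample_config)
    echo "== before: rsyslog.d holds only the OS default =="
    rsyslog_config_files "$d/etc/rsyslog.conf" | rsyslog_summarize
    mv "$d/var/www/html/OS/rsyslog/rsyslog.default-tcpudp.conf" "$d/etc/rsyslog.d/"
    rm -f "$d/etc/rsyslog.d/50-default.conf"
    echo "== after: Expedition file replaces it; listener on 514, writes under /data =="
    rsyslog_config_files "$d/etc/rsyslog.conf" | rsyslog_summarize
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `bash check-rsyslog.sh demo` for the before/after walk-through, or source it on the Expedition host and run `rsyslog_config_files /etc/rsyslog.conf | rsyslog_summarize`: if rsyslog.default-tcpudp.conf does not appear in that list, rsyslogd never read it, which is exactly the symptom described in the thread. The "writes" column is a path grep, not a parse of rsyslog's action syntax, so treat it as a pointer rather than proof.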

  • 1 accepted solution
  • 5645 Views
  • 3 replies
  • 0 Likes