Firewall / Panorama traffic-log via Syslog to Expedition

L0 Member


Hello,
I'm currently forwarding traffic logs from Palo firewalls and Panorama to the Expedition server. I verified with tcpdump that the Expedition server receives the syslogs. Expedition is up to date.

I modified the configuration files in "/var/www/html/OS/rsyslog" as described in the "Expedition Log Analysis Guide v1.0".

I also changed the user permissions for the folder as described in the "Expedition Log Analysis Guide v1.0".

But I don't see any created traffic-log files for analysis.

I also restarted the rsyslog daemon multiple times without any result.

Do you have any idea, or something that I should check, to solve this problem?
Best regards,
Ben

L7 Applicator

Re: Firewall / Panorama traffic-log via Syslog to Expedition

Maybe the local firewall?
sudo /usr/bin/firewall-cmd --permanent --add-port=514/udp
sudo /usr/bin/firewall-cmd --permanent --add-port=514/tcp
L0 Member

Re: Firewall / Panorama traffic-log via Syslog to Expedition

Thanks for the help, but it didn't fix my problem. I checked the server once again: the syslog messages are coming to the server, but they appear in the folder /var/log, in the files syslog and syslog.1. Usually they should be in /data, as configured in my rsyslog.default-tcpudp.conf file.

So it seems that my server uses the wrong configuration file for rsyslog.

Does someone know where I can verify which configuration file is used by rsyslog?

L7 Applicator

Re: Firewall / Panorama traffic-log via Syslog to Expedition

You have to replace the one that comes from the OS in /etc/rsyslog.d with the one that is provided with Expedition, rsyslog.default-tcpudp.conf, then restart the service or the VM.
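A small check for the situation described in this thread, added here as an example (it is not Expedition's own tooling): it reports which rsyslog drop-in files load a network input and which still contain a stock catch-all rule that sends everything to /var/log/syslog. CONF_DIR (normally /etc/rsyslog.d), DATA_DIR (normally /data) and the file name rsyslog.default-tcpudp.conf are assumptions taken from the posts above, passed as parameters so the checks can run against a copy.

```shell
# Added diagnostic for the thread above; not part of Expedition.
# Assumptions: rsyslog drop-in files live in CONF_DIR ($1, normally
# /etc/rsyslog.d) and the Expedition file rsyslog.default-tcpudp.conf is
# expected to write under DATA_DIR ($2, normally /data).

# One line per .conf file: "<file> <inputs> <dest>", where <inputs> is the
# network input module(s) the file loads (udp, tcp, udp,tcp or none) and
# <dest> is writes-data if the file mentions DATA_DIR, else no-data.
rsyslog_conf_report() {
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue
    inputs=none
    grep -q 'imudp' "$f" && inputs=udp
    if grep -q 'imtcp' "$f"; then
      [ "$inputs" = udp ] && inputs=udp,tcp || inputs=tcp
    fi
    dest=no-data
    grep -Fq "$2" "$f" && dest=writes-data
    printf '%s %s %s\n' "$f" "$inputs" "$dest"
  done
}

# Returns 0 when some file both listens on the network and writes under
# DATA_DIR, i.e. the Expedition file is really installed in CONF_DIR.
rsyslog_conf_ok() {
  rsyslog_conf_report "$1" "$2" | grep -v ' none ' | grep -q ' writes-data$'
}

# Prints files holding a catch-all "*.*" rule whose target is outside
# DATA_DIR. A stock OS rule such as "*.* -/var/log/syslog" is what makes
# forwarded firewall logs land in /var/log/syslog instead of DATA_DIR.
rsyslog_catchall_files() {
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue
    grep -E '^\*\.\*' "$f" | grep -Fv "$2" | grep -q . && printf '%s\n' "$f"
  done
}
```

After fixing the files, `rsyslogd -N1` validates the merged configuration before the service is restarted.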
