Rule Enrichment Error

L4 Transporter

Re: Rule Enrichment Error

The log connector specifies a device that has reported logs.


Have you imported those logs into Expedition and have you processed those logs first? And, are the rules that you flagged for RE reported traffic for the selected days in the log connector?

L3 Networker

Re: Rule Enrichment Error



The following logs have been processed:

root@Expedition:/home/expedition# ls -al /PALogs/
total 47612
drwxrwxrwx  5 www-data   www-data       4096 Sep  9 06:25 .
drwxr-xr-x 25 root       root           4096 Aug 29 09:16 ..
-rw-rw-r--  1 www-data   www-data    7555873 Aug 29 21:01 PA-220_traffic_2019_08_30_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data   12578779 Aug 30 21:01 PA-220_traffic_2019_08_31_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    7259591 Aug 31 21:01 PA-220_traffic_2019_09_01_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    5756529 Sep  1 21:00 PA-220_traffic_2019_09_02_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    5795674 Sep  6 21:00 PA-220_traffic_2019_09_07_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    5976994 Sep  7 21:00 PA-220_traffic_2019_09_08_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    3169942 Sep  8 21:00 PA-220_traffic_2019_09_09_last_calendar_day.csv.gz
drwxr-xr-x  7 www-data   www-data       4096 Sep  9 06:25 connections.parquet
-rw-r--r--  1 www-data   www-data     623918 Mar  1  2019
drwxr-xr-x  2 www-data   www-data       4096 Sep  9 06:24 spark-warehouse
drwxr-xr-x  2 www-data   www-data       4096 Sep  9 06:25 sparkLocalDir
-rw-rw-r--  1 expedition expedition       17 Sep  6 09:48 ssh-export-test.txt




I've unset base config after the logs have been processed, but I think that shouldn't really matter?

L3 Networker

Re: Rule Enrichment Error

I've enabled the RE on all rules, and now it's ok I think:

[Image: Rule_enrichment_OK.png]

After setting the correct dates I can now see this output.

L1 Bithead

Re: Rule Enrichment Error

This is now working for me. Not sure why. When I open the rule enrichment window in policies there are initially no selected rules showing (but I have selected rules). Previously, when I clicked on "analyze data", I got a pop-up that said "no rules selected" or something like that.

Now, when I click "analyze data" it does, and then all the selected rules show in the window.

L3 Networker

Re: Rule Enrichment Error

Did you have to change the dates in "Time Frame Override"?

I had to, and then the analysis started.
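The two checks raised in this thread (are processed logs present for the device, and does the Time Frame Override select days that actually have traffic) can be made mechanical. The following is an added example, not part of the thread or of Expedition itself: it parses the /PALogs listing shown above and reports which days in a chosen time frame have no log file. It assumes the file-name convention <device>_traffic_<YYYY>_<MM>_<DD>_... and that the date in the name is the day the file covers.

```python
import re
from datetime import date, timedelta

# Constructed sample: the file names from the /PALogs listing posted above.
# Directories and unrelated files are included to show they are ignored.
SAMPLE_LISTING = """\
PA-220_traffic_2019_08_30_last_calendar_day.csv.gz
PA-220_traffic_2019_08_31_last_calendar_day.csv.gz
PA-220_traffic_2019_09_01_last_calendar_day.csv.gz
PA-220_traffic_2019_09_02_last_calendar_day.csv.gz
PA-220_traffic_2019_09_07_last_calendar_day.csv.gz
PA-220_traffic_2019_09_08_last_calendar_day.csv.gz
PA-220_traffic_2019_09_09_last_calendar_day.csv.gz
connections.parquet
spark-warehouse
ssh-export-test.txt
"""

# Assumption: log-connector exports are named <device>_traffic_<YYYY>_<MM>_<DD>_...
NAME_RE = re.compile(r"^(?P<device>[^_]+)_traffic_(?P<y>\d{4})_(?P<m>\d{2})_(?P<d>\d{2})_")


def log_days(listing):
    """Map each device name to the set of calendar days it has a log file for."""
    days = {}
    for name in listing.splitlines():
        m = NAME_RE.match(name.strip())
        if not m:
            continue  # directories, parquet output, stray files
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
        days.setdefault(m["device"], set()).add(day)
    return days


def coverage_gaps(days, start_iso, end_iso):
    """Return the ISO dates in [start, end] with no log file.

    A non-empty result means the Time Frame Override includes days for which
    Expedition has no processed traffic, so Rule Enrichment has nothing to show.
    """
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    missing = []
    d = start
    while d <= end:
        if d not in days:
            missing.append(d.isoformat())
        d += timedelta(days=1)
    return missing


if __name__ == "__main__":
    per_device = log_days(SAMPLE_LISTING)
    for device, days in per_device.items():
        print(device, "missing:", coverage_gaps(days, "2019-08-30", "2019-09-09"))
```

On the listing above this reports PA-220 as missing 2019-09-03 through 2019-09-06, so a time frame spanning only those days would produce no enrichment data.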

L1 Bithead

Re: Rule Enrichment Error

I had tried that previously but nothing happened.
