L4 Transporter

The log connector specifies a device that has reported logs.


Have you imported those logs into Expedition and have you processed those logs first? And, are the rules that you flagged for RE reported traffic for the selected days in the log connector?

L3 Networker

The following logs have been processed:

root@Expedition:/home/expedition# ls -al /PALogs/
total 47612
drwxrwxrwx  5 www-data   www-data       4096 Sep  9 06:25 .
drwxr-xr-x 25 root       root           4096 Aug 29 09:16 ..
-rw-rw-r--  1 www-data   www-data    7555873 Aug 29 21:01 PA-220_traffic_2019_08_30_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data   12578779 Aug 30 21:01 PA-220_traffic_2019_08_31_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    7259591 Aug 31 21:01 PA-220_traffic_2019_09_01_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    5756529 Sep  1 21:00 PA-220_traffic_2019_09_02_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    5795674 Sep  6 21:00 PA-220_traffic_2019_09_07_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    5976994 Sep  7 21:00 PA-220_traffic_2019_09_08_last_calendar_day.csv.gz
-rw-rw-r--  1 www-data   www-data    3169942 Sep  8 21:00 PA-220_traffic_2019_09_09_last_calendar_day.csv.gz
drwxr-xr-x  7 www-data   www-data       4096 Sep  9 06:25 connections.parquet
-rw-r--r--  1 www-data   www-data     623918 Mar  1  2019
drwxr-xr-x  2 www-data   www-data       4096 Sep  9 06:24 spark-warehouse
drwxr-xr-x  2 www-data   www-data       4096 Sep  9 06:25 sparkLocalDir
-rw-rw-r--  1 expedition expedition       17 Sep  6 09:48 ssh-export-test.txt

I've unset base config after the logs have been processed, but I think that shouldn't really matter?

L3 Networker

I've enabled the RE on all rules, and now it's ok I think:

(screenshot: Rule_enrichment_OK.png)

After setting the correct dates I can now see this output.

L1 Bithead

This is now working for me. Not sure why. When I open the rule enrichment window in policies there are initially no selected rules showing (but I have selected rules). Previously, when I clicked on "analyze data", I got a pop-up that said "no rules selected" or something like that.

Now, when I click "analyze data" it does, and then all the selected rules show in the window.

L3 Networker

Did you have to change the dates in "Time Frame Override"?

I had to, and then the analysis started.

L1 Bithead

I had tried that previously but nothing happened.