In the ML or RE case, where Expedition is configured as a syslog server and you are forwarding traffic logs from Panorama to Expedition, the logs are saved by default using Panorama_IP. The solution below provides the steps to split the logs per firewall serial number.
Split the logs per FW/Serial number by following the steps below:
Step 1. Edit your rsyslog.conf file
Replace the line below:
$template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%HOSTNAME%traffic%$YEAR%%$MONTH%%$DAY%_last_calendar_day.csv"
with the following lines:
set $!SERIAL = field($msg,",",2);
$template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%$!SERIAL%/%$!SERIAL%%HOSTNAME%_traffic%$YEAR%%$MONTH%%$DAY%_last_calendar_day.csv"
The intention of the above configuration is to create a folder with your Panorama IP and subfolders for each FW/Serial number.
Step 2. Restart the syslog service
Issue the command below:
service rsyslog restart
For your reference, the next Expedition releases will include a set of example rsyslog configuration files in the /var/www/html/OS/rsyslog folder.
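A way to preview the split before restarting rsyslog, as an added example that is not part of the original article: it emulates field($msg,",",2) with cut over constructed messages and rejects values that should not become a folder name. The function names, the sample messages, the 192.0.2.10 sender address and the letters-and-digits serial check are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Sample messages are constructed.
BASE=/PALogs   # log root used by the template on the page

# Emulate field($msg,",",2): the 2nd comma-separated field, empty if absent.
serial_of() {
    printf '%s\n' "$1" | cut -s -d, -f2
}

# Assumption: a serial is letters and digits only. Anything else (empty,
# containing "/" or spaces) should never become a directory name.
is_safe_serial() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Print the subfolder a message from sender IP $1 would be written to,
# or fail when field 2 is not a usable serial.
target_dir() {
    serial=$(serial_of "$2")
    is_safe_serial "$serial" || return 1
    printf '%s/%s/%s\n' "$BASE" "$1" "$serial"
}

# Read messages on stdin; print "count serial" per firewall, then the rejects.
summarize() {
    ip=$1; bad=0; list=
    while IFS= read -r msg; do
        if dir=$(target_dir "$ip" "$msg"); then
            list="$list${dir##*/}
"
        else
            bad=$((bad + 1))
        fi
    done
    printf '%s' "$list" | sort | uniq -c | awk '{print $1, $2}'
    echo "rejected $bad"
}

# Constructed $msg values: field 2 carries the serial, as the page's rule assumes.
SAMPLE=' 12:00:01,001234567890,TRAFFIC,end
 12:00:02,009876543210,TRAFFIC,end
 12:00:03,001234567890,TRAFFIC,drop
 12:00:04,not/a serial,TRAFFIC,end
no commas here'

printf '%s\n' "$SAMPLE" | summarize 192.0.2.10
```

A non-zero "rejected" count on real captured messages means field 2 is not always the serial for that source, so those messages would land in unexpected subfolders.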