Expedition Panorama Log Collector Forwarding - ML-Learning


L2 Linker

Hello,

I have set up Expedition as an rsyslog server and configured the Panorama Log Collector to forward traffic logs to the Expedition server.

(for now I am filtering on Panorama to forward only the device logs I am currently interested in)

The logs are all collected inside a single file under the folder

/palogs/panoramip/daily_log.csv.  

I have imported Panorama inside Expedition. My firewalls have globally defined policies for all devices inside the device group and specific firewall rules depending on location.

The global firewall policy has rules that have an any in the source and I would like to create more specific rules for the location.

Since all traffic logs for all devices are in a single file right now I do not know if this is possible.

Some questions I have: where do I have to enable the M-Learning, on the Panorama device or on the firewall device itself?

Will Expedition be able to tell the difference between logs coming from Location1 and Location2? Both have the same rule but the source traffic will be different.

Is there a way to create separate log files per device? I think you will have to do this in the rsyslog file.

So I want a different log analysis per device group for the same rule.

Hoping this explains a little bit what I want to achieve; if not, don't hesitate to ask for more info, screenshots, logs, ...

1 ACCEPTED SOLUTION

L2 Linker

Hi,

I asked a friend and he was so kind to provide an rsyslog config.

You can use this if you forward all logs from Panorama and do not use an individual log profile on the firewall.

# take the firewall's device name from the comma-separated message (field 52 of $msg)
set $!srcfw = field($msg, ",", 52);
# one file per sending Panorama IP and per firewall device name, named by the current day
$template DynaTrafficLog,"/palogs/%FROMHOST-IP%/%$!srcfw%_traffic_%$YEAR%_%$MONTH%_%$DAY%_last_calendar_day.csv"
*.* -?DynaTrafficLog


13 REPLIES

L6 Presenter

@zGomez To answer your questions:

Where do I have to enable the M-Learning, on the Panorama device or on the firewall device itself?

You will retrieve all devices from the Panorama device tab, and when you click on the right upper corner icon "show all devices", you will see all firewall devices that are managed by the Panorama. Go to the specific firewall device, click on the "M. Learning" tab, and process the logs there.

Will Expedition be able to tell the difference between logs coming from Location1 and Location2? Both have the same rule but the source traffic will be different.

ML will analyze the logs based on the serial number of the device, so if you only want to analyze a specific device, you can define that in the "log connector" so that it only selects the specific firewall under a specific Device Group.

Is there a way to create separate log files per device? I think you will have to do this in the rsyslog file.

So I want a different log analysis per device group for the same rule.

When you make Expedition the syslog server, it should automatically create a separate folder based on the firewall IP to contain the logs that came from separate firewall devices.

For any questions related to the ML process, I would suggest you review the tutorial video here:

https://www.youtube.com/playlist?list=PLD6FJ8WNiIqXAfspousboWn6AllrOWVMi

Module 4 will show you how to import logs from the firewall, including making Expedition a syslog server.

Hi Lychiang,

Thank you for your feedback.

I have set up Expedition as a syslog server, but I am forwarding traffic logs from Panorama, not with a log profile on the firewalls themselves. Since all logs are already forwarded to Panorama I am using this approach.

So I have a single log file with all traffic logs from all devices. But indeed I can see the log lines include the serial number of the device, so maybe it is not an issue that I have a single file.

I will have to play with the log collector and see the outcome of this.

L2 Linker

I have my syslog set up to receive traffic logs from the Panorama device, which forwards me all firewall logs of my managed devices.
The objective is to create a separate log file based on the firewall hostname included in the log lines (important: this is not the same as the sending hostname/IP of the logs).

Example log file:

2022-05-16T14:26:01+00:00 PANORAMA 1,2022/05/16 14:26:01,012001050280,TRAFFIC,end,2049,2022/05/16 14:25:57,10.51.10.8,10.52.2.1,0.0.0.0,0.0.0.0,MPLS ,,,snmpv1,vsys1,VPN,trust,tunnel.2001,ethernet1/2.900,LogToPanorama,2022/05/16 14:25:57,76592,1,58824,161,0,0,0x4019,udp,allow,1690,785,905,18,2022/05/16 14:25:25,1,any,0,578843949,0x8000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,9,9,aged-out,29,3090,3092,0,,FIREWALLNAME,from-policy,,,0,,0,,N/A,0,0,0,0,,0,0,,,,,,,

This is currently in my rsyslog config:

$template DynaTrafficLog,"/palogs/%FROMHOST-IP%/%HOSTNAME%_traffic_%$YEAR%_%$MONTH%_%$DAY%_last_calendar_day.csv"
*.* -?DynaTrafficLog

Anybody who can help with configuring syslog for this?
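What the accepted rsyslog config does with this post's log format, written out as an added Python example (not code from the thread, from rsyslog or from Expedition): it reads a daily_log.csv in the "timestamp host payload" layout the template above writes, pulls the firewall's Device Name out of the PAN-OS CSV payload, and computes the same per-Panorama-IP, per-firewall file path the accepted $template builds, so you can check on the existing single file which lines would land where. Assumptions: the device name is the 53rd comma-separated field of the sample line above (0-based index 52 in the payload; the accepted answer's field($msg, ",", 52) is 1-based but counts inside rsyslog's $msg, which begins after the text rsyslog takes as the syslog tag, everything up to the first space, so both point at the same column); the Panorama IP 10.0.0.1, the second and third sample lines and the allowed-hostname rule are constructed for the example.

```python
import csv
import re
from collections import defaultdict
from datetime import date

# 0-based index of the Device Name in the PAN-OS traffic CSV payload: the 53rd
# field of the poster's sample line. The accepted answer's field($msg, ",", 52)
# is 1-based and counts inside rsyslog's $msg, which starts after what rsyslog
# took as the syslog tag (the text up to the first space), so it lands on the
# same column. Assumed here, verified against the sample line only.
DEVICE_NAME_INDEX = 52

# Only names that look like a firewall hostname may become part of a file path
# (assumed rule: letters, digits, '_', '-', '.', no leading '.'). The rsyslog
# template itself does no such check, so a message carrying '/' or '..' in that
# field would be written wherever the path it forms points.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,62}$")
UNPARSED = "_unparsed"

# Constructed sample in the layout the template writes:
# "<receive timestamp> <sending host> <PAN-OS CSV payload>".
_PAYLOAD = (
    "1,2022/05/16 14:26:01,012001050280,TRAFFIC,end,2049,2022/05/16 14:25:57,"
    "10.51.10.8,10.52.2.1,0.0.0.0,0.0.0.0,MPLS ,,,snmpv1,vsys1,VPN,trust,"
    "tunnel.2001,ethernet1/2.900,LogToPanorama,2022/05/16 14:25:57,76592,1,"
    "58824,161,0,0,0x4019,udp,allow,1690,785,905,18,2022/05/16 14:25:25,1,any,0,"
    "578843949,0x8000000000000000,10.0.0.0-10.255.255.255,"
    "10.0.0.0-10.255.255.255,0,9,9,aged-out,29,3090,3092,0,,FIREWALLNAME,"
    "from-policy,,,0,,0,,N/A,0,0,0,0,,0,0,,,,,,,"
)
SAMPLE_LOG = "\n".join([
    "2022-05-16T14:26:01+00:00 PANORAMA " + _PAYLOAD,
    "2022-05-16T14:26:02+00:00 PANORAMA "
    + _PAYLOAD.replace("FIREWALLNAME", "FW-LOCATION2"),
    # constructed: a device name that must not be allowed to form a path
    "2022-05-16T14:26:03+00:00 PANORAMA "
    + _PAYLOAD.replace("FIREWALLNAME", "../../tmp/x"),
    # constructed: a truncated line with too few fields
    "2022-05-16T14:26:04+00:00 PANORAMA 1,2022/05/16 14:26:04,012001050280,TRAFFIC,end",
])


def parse_line(line):
    """Split a stored line into (timestamp, sending host, list of CSV fields).
    The csv module copes with PAN-OS fields that are quoted because they
    contain commas. Returns None if the line lacks the two header words."""
    try:
        ts, host, payload = line.split(" ", 2)
    except ValueError:
        return None
    return ts, host, next(csv.reader([payload]))


def device_name(fields):
    """Return the Device Name field, or None if it is absent, empty or unsafe."""
    if len(fields) <= DEVICE_NAME_INDEX:
        return None
    name = fields[DEVICE_NAME_INDEX].strip()
    return name if SAFE_NAME.match(name) else None


def target_path(fromhost_ip, name, day):
    """Same layout as the $template DynaTrafficLog in the accepted answer."""
    return (f"/palogs/{fromhost_ip}/{name}_traffic_"
            f"{day:%Y}_{day:%m}_{day:%d}_last_calendar_day.csv")


def demux(text, fromhost_ip, day):
    """Group lines by the per-firewall file the rsyslog template would pick.
    Lines whose device name is missing or unsafe go to an _unparsed file
    instead of being dropped, so nothing silently disappears."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        name = device_name(parsed[2]) if parsed else None
        buckets[target_path(fromhost_ip, name or UNPARSED, day)].append(line)
    return dict(buckets)


def demux_sample():
    """Run the split over the constructed sample with a fixed Panorama IP and day."""
    return demux(SAMPLE_LOG, "10.0.0.1", date(2022, 5, 16))


if __name__ == "__main__":
    for path, lines in demux_sample().items():
        print(f"{path}: {len(lines)} line(s)")
```

Run against the real /palogs/panoramip/daily_log.csv (replace SAMPLE_LOG with the file's contents) to see, before touching rsyslog, how many lines end up per firewall and how many fall into _unparsed; a large _unparsed bucket means the column index is off for your PAN-OS version. The name check matters because the template turns message content into a filesystem path: keep the rsyslog listener reachable only from Panorama, and treat whatever lands in $!srcfw as untrusted input.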

Are you not seeing the log saved in /palogs/{yourpanoramaIP}/ folder ?
