Expedition root directory keeps growing

dgildelaig · ‎04-29-2019

I would say that you are still running the syslog server in Expedition and defined it to place the syslog entries in /data

Here an example of what we could have as a rsyslog config:

#####################################################
# Log everything to a per host daily logfile        #
#####################################################

$ModLoad imtcp

### Listeners
$InputTCPServerRun 10514

# specify senders you permit to access
$AllowedSender TCP, 127.0.0.1, 10.11.29.0/24, 172.16.26.0/24, *.paloaltonetworks.com

$template DynaTrafficLog,"/data/%FROMHOST-IP%/%HOSTNAME%_traffic_%$YEAR%_%$MONTH%_%$DAY%_last_calendar_day.csv"
*.* -?DynaTrafficLog

If you are exporting the logs to a specific folder, I guess you do not need to be running the syslog service and you do not need to ask the FW to use a logforwarding profile that sends the entries to Expedition.

Does it make sense?

stevenjwilliams83 · ‎04-29-2019

Yup it sure does. I think I set up syslog hoping to use it but could never figure out the use or the how to. How do you turn this service off? Or do I need to do in the conf file?

dgildelaig · ‎04-29-2019

expedition@Expedition:~/BUILD# sudo service rsyslog stop

Afterwards, modify the config file so it would stop listening the ports. In this case, if Expedition tries to restart the service, it won't capture the data.

But, best and in addition, you should stop the log forwarding profile in the firewalls.

Strata

Prisma

Cortex

Expedition root directory keeps growing

Show your appreciation!