10-19-2018 06:56 AM
Hello,
I'm forwarding at the moment traffic logs from Palo Firewalls and Panorama to the Expedition server. I verified with tcpdump that the Expedition server receives the syslogs. Expedition is up to date.
I modified the configuration files in "/var/www/html/OS/rsyslog" as described in the "Expedition Log Analysis Guide v1.0".
I also changed the user permissions for the folder as described in the "Expedition Log Analysis Guide v1.0".
But I don't see any created traffic log files for analysis.
I also restarted the rsyslog daemon multiple times without any result.
Do you have any idea or something that i should check to solve this problem?
Best regards,
Ben
10-19-2018 07:01 AM
Maybe the local Firewall?
sudo /usr/bin/firewall-cmd --permanent --add-port=514/udp
sudo /usr/bin/firewall-cmd --permanent --add-port=514/tcp
10-22-2018 02:53 AM
Thanks for the help, but it didn't fix my problem. I checked the server once again and the syslog messages are coming to the server, but they appear in the folder /var/log, in the files syslog and syslog.1. Usually they should be in /data, as configured in my rsyslog.default-tcpudp.conf file.
So it seems that my server uses the wrong configuration file for rsyslog.
Does someone know where I can verify which configuration file is used by rsyslog?
10-22-2018 03:04 AM
You should replace the one that comes from the OS in /etc/rsyslog.d with the one provided within Expedition, rsyslog.default-tcpudp.conf, then restart the service or the VM....
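To answer the "which configuration file does rsyslog actually use" question behind this thread, here is an added helper script (not code from the thread, from Expedition, or from Palo Alto): it lists the files rsyslog loads from /etc/rsyslog.conf and its includes, checks whether a given drop-in is the one opening port 514 and writing under /data, and lets rsyslogd validate the merged configuration. It assumes the usual /etc/rsyslog.conf plus /etc/rsyslog.d/*.conf layout; the /data/... path and file names used in comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: find out which rsyslog configuration files are loaded and
# whether the Expedition drop-in (rsyslog.default-tcpudp.conf) is the one that
# opens 514/udp+tcp and writes under /data. Assumes the /etc/rsyslog.conf +
# /etc/rsyslog.d/*.conf layout; paths in examples are constructed, not real.

# Print the include globs declared in an rsyslog.conf, both the legacy
# "$IncludeConfig <glob>" form and the RainerScript include(file="<glob>") form.
rsyslog_include_globs() {
  sed -n -e 's/^[[:space:]]*\$IncludeConfig[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
         -e 's/^[[:space:]]*include([[:space:]]*file="\([^"]*\)".*/\1/p' "$1"
}

# List every file rsyslog will read: the main file, then each expanded include.
rsyslog_loaded_files() {
  echo "$1"
  rsyslog_include_globs "$1" | while read -r g; do
    for f in $g; do                 # unquoted on purpose: the shell expands the glob
      if [ -f "$f" ]; then echo "$f"; fi
    done
  done
}

# Exit 0 if the config file opens a syslog listener on 514/udp or 514/tcp.
binds_514() {
  grep -Eq '^[[:space:]]*(\$(UDPServerRun|InputTCPServerRun)[[:space:]]+514|input\(.*port="514")' "$1"
}

# Exit 0 if the config file writes log lines somewhere under the given directory.
writes_under() {
  grep -qF "$2/" "$1"               # $1: config file, $2: directory such as /data
}

# On a live host: show what is loaded, then let rsyslogd validate the merged
# configuration without starting the daemon (-N1 is rsyslogd's config-check mode).
if [ -f /etc/rsyslog.conf ]; then
  rsyslog_loaded_files /etc/rsyslog.conf
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 || echo "rsyslog configuration has errors; see output above"
  fi
fi
```

If a default OS drop-in (for example a 50-default.conf) is listed alongside the Expedition file and both claim the same facility, the earlier file's rule wins, which matches the symptom of messages landing in /var/log/syslog instead of /data.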