08-22-2021 03:20 AM
I'm setting up a 7050 with a log forwarding card to a dedicated log collector and we have on top of that Panorama VM - Management only . On the log collector, I have it set to device log collection and collector group communication on ethernet1/9. I have log settings configured as well as a log forwarding profile.
now I add the panorama to the expedition and I retrieve the devices, what I need is how to export the Firewall logs to the expedition like other firewall like PA 5220 for example, that store the logs locally and there is an option for scheduler export log and configure the SCP to send the logs on daily base to expedition and I can analyze the logs.
As I know The Log Forwarding Card (LFC) is that forwards all dataplane logs (traffic and threat for example) from the firewall to one or more external logging systems, such as Panorama or a syslog server. Because the dataplane logs are no longer available on the local firewall.
How can get these logs to expedition on daily bases to analyze it, because I have multiple vsys on 7050.
I appreciate your support.
08-23-2021 09:04 AM
Hi @hfarajallah Please refer the module 4 - Import traffic logs into Expedition in the below video playlist , there are different methods for traffic log import , for example, one of the method is to make expedition as syslog server.
08-24-2021 08:47 AM
I have an issue i can see the csv file in the folder but how can automatically parse these file, I can not see it in the expedition GUI, when you go to devices --> m.Lerning noting is there?
any thing that i need to be done?
my issue is the file format :
not working format that when i exported as syslog:
2021-08-24T11:51:13+03:00 MOE-HQ-PA-FW-01.moe.local 1,2021/08/24 11:51:12,010108010441,TRAFFIC,start,2305,2021/08/24 11:51:12,10.0.70.54,192.168.6.215,0.0.0.0,0.0.0.0,ANY-to-ANY_HTTPs,,,ms-sms,vsys1,outside,DB-V-13,ae2.63,ae2.2,Panorama-log,2021/08/24 11:51:12,71962469,1,52271,80,0,0,0x4000,tcp,allow,4472,4402,70,7,2021/08/24 11:51:11,0,private-ip-addresses,0,6982130509256638010,0x8000000000000000,10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255,0,6,1,n/a,922,0,0,0,HQ-DC,MOE-HQ-PA-FW-01,from-policy,,,0,,0,,N/A,0,0,0,0,47a0c081-9c8c-40c7-91b8-d047d0d54e6b,0,0,,,,,,,
working format, and this format was export normaly from the firewall as (scheduled log export)
1,2021/08/22 00:00:00,013201026585,TRAFFIC,start,2305,2021/08/22 00:00:00,10.25.127.56,10.0.10.204,,,EDs-To-Call-Manager,,,web-browsing,vsys2,RYNC-IPVPN-OUTSIDE,RYNC-IPVPN-INSIDE,ae6.601,ae5.600,Log_Forwarding_WAN,2021/08/22 00:00:00,514109,1,46033,6970,0,0,0x100000,tcp,allow,373,295,78,4,2021/08/22 00:00:01,0,any,0,6971380400278891820,0x8000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,3,1,n/a,0,0,0,0,NC-WAN-VSYS2,RYNC-PA-FW-01,from-policy,,,0,,0,,N/A,0,0,0,0,49a0caee-7b03-4ee0-aa85-cc902ed09c8a,0,0,,,,,,,
How I can change the non working format?
thanks in advance
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!