09-03-2020 09:37 AM
I have one instance of Expedition where I am apparently unable to manually trigger log processing for enabled files (Devices/M.learning). Initially, Expedition was set to autoprocess CSV files, and it did so successfully. After a reboot, three log files piled up due to the scheduled log export via scp from the firewall, and I didn't notice that the task manager for Expedition wasn't started until after the three piled up.
Since this box got stood up, the "Process Enabled Files" button is greyed out. Any ideas?
09-03-2020 10:15 AM
Can I see a screenshot of it being greyed out? Attached is what I see on my current environment.
09-03-2020 11:08 AM
1 CSV pending...
I also noticed that automatic processing isn't finishing either. I administratively disabled a file for processing, and when doing that, Expedition changes the device from "PA-52xxx" to "PA-50xxx" (I have both types in this panorama, fwiw). Changing back to enabled changes the FW type back to 5250. Not sure what that's about or if it matters. The button for processing enabled files never changes from what is shown here. In my lab, I can process manually, but not on this particular instance of Expedition. All log files present are named consistently with PA52xxx, and I've verified that SN in logs matches the 5250 I'm targeting for ML.
Noticing that automatic processing isn't succeeding either, I've found my sparkRAM was only defined as 1100mb. I've updated that to 7000mb, will try again via daily automatic processing by adjusting time.
10-07-2020 07:59 AM
Hello, mine is greyed out as well. Was there a fix to this?
10-07-2020 10:48 AM
Figured this out in another thread related to "unable to delete logs after autoprocessing." Turns out in my case, my FW (that is managed by Panorama) was sending logs to Expedition, and I had configured Panorama as the device in Expedition. Everything worked because Expedition gets the running config of Panorama, including the FW in question. Problems that arose were this greyed-out manual processing option, and it wasn't deleting logs after autoprocessing.
In Expedition/Devices, you need to change the view from its default "show grouped by Panorama" to "show all devices", then go into the FW in question where logs are coming from, then do the manual processing/autoprocessing from there instead. https://live.paloaltonetworks.com/t5/expedition-discussions/forwarded-logs-not-deleting-after-proces... Frustrating that it allows you to do most of it through Panorama, but there is no indication why those last bits aren't available/working.
10-08-2020 03:37 PM
Awesome! That worked. Thank you.