Manual processing of ML logs is greyed out


L2 Linker

I have one instance of Expedition where I am apparently unable to manually trigger log processing for enabled files (Devices/M.learning). Initially, Expedition was set to autoprocess CSV files, and it did it successfully. After a reboot, three logfiles piled up due to scheduled log export via scp from the firewall, and I didn't notice that the task manager for Expedition wasn't started until after the three piled up.

 

Since this box got stood up, the "Process Enabled Files" button is greyed out. Any ideas?

1 ACCEPTED SOLUTION


Figured this out in another thread related to "unable to delete logs after autoprocessing." Turns out in my case, my FW (that is managed by Panorama) was sending logs to Expedition, and I had configured Panorama as the device in Expedition. Everything worked because Expedition gets the running config of Panorama, including the FW in question. Problems that arose were this greyed-out manual processing option, and it wasn't deleting logs after autoprocessing.

 

In Expedition/Devices, you need to change the view from its default "show grouped by Panorama" to "show all devices", then go into the FW in question where logs are coming from, then do the manual processing/autoprocessing from there instead. https://live.paloaltonetworks.com/t5/expedition-discussions/forwarded-logs-not-deleting-after-proces... Frustrating that it allows you to do most of it through Panorama, but there is no indication why those last bits aren't available/working.



L4 Transporter

@BenKnorr2 

 

Can I see a screenshot of it being greyed out? Attached is what I see on my current environment.

 

Screen Shot 2020-09-03 at 10.12.59 AM.png


 

EastWest_cap1.png

1 CSV pending...

 

 

EastWest_cap2.png

I also noticed that automatic processing isn't finishing either. I administratively disabled a file for processing and when doing that, Expedition changes the device from "PA-52xxx" to "PA-50xxx" (I have both types in this Panorama, fwiw). Changing back to enabled changes the FW type back to 5250. Not sure what that's about or if it matters. The button for processing enabled files never changes from what is shown here. In my lab, I can process manually, but not on this particular instance of Expedition. All log files present are named consistently with PA52xxx, and I've verified that the SN in the logs matches the 5250 I'm targeting for ML.

 

Noticing that automatic processing isn't succeeding either, I've found my sparkRAM was only defined as 1100mb. I've updated that to 7000mb, will try again via daily automatic processing by adjusting time.

Hello, mine is greyed out as well.  Was there a fix to this?  


Awesome!  That worked.  Thank you. 
