Problems with importing logs

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Problems with importing logs

L2 Linker

I've added a panorama device into Expedition and i'm trying to import logs that I've exported from panorama and am running into an issue.  I put the csv file in /home/expedition/logs.  The csv is called panorama.csv.  /home/expedition/logs/* (logs path in expedition).  I've changed changing permissions on the file/folder and ownership and no matter what, the csv doesn't show up in expedition for importing.  Any ideas?


L3 Networker
Try exporting the logs from the firewall(s) instead. Worked for me, and we have Panorama as well.

L7 Applicator

Expedition does filter by serial number. So when you dfined your Panorama you assigned a Serial there but inside the logs exported from panorama it will show the Serials from the Firewalls who were generating the logs so there is no coincidence and for instance you wont be able to see the CSV files under your Panorama....  


The right approach will be adding Panorama, retrieve the connected devices and then from the devices imported into the one you want to focus then add the CSV files under it.  From the project perpective you have to add panorama, import the panorama config and from the log connector select the devicegroup where your firewall is part and Expedition will take care of everything else.

Ok, I've added my Panorama Device, retrieve connected devices and they show up.  Now, I've scheduled a Log Export on my M-100 (Setup in Log Collector Mode Only), however I'm not getting the log into my /home/expedition/logs/ directory.  I'm using SCP to send directly to my Expedition VM.  Doing a LS on that directory, i see the ssh-export-test.txt file that's created when the export was setup.  Any suggestions?

I'm still having this issue with a vm firewall that is not in panorama. I can see the log in the /home/expedition/logs folder but when using /home/expedition/logs/* and clicking on the search button it still is not finding any logs. I've tried this on other phsyical firewalls as well and expedition can't see any of them. Any thoughts?

When you define Panorama you have to assign the panorama serial, If you are adding the logs under your panorama but the logs were genrated by a firewall with a diffrent serial they will not be shown under panorama, you should has to retrieve cojnnected devices and then under the device configure the PATH....

Have you thought about having the devices that are learned as part of Panorama "inherit" an M.Learning log path from the setting for Panorama?

So that its already implemented, if oyu configure a PATH for Panorama all the devices managed by it will inherit the same PATH unless you override it...

Ah, yes. I went into the Panorama device profile and updated/saved the log path, and the firewalls below it all updated. Nice. I must have just biffed it somehow originally on the 3 firewall devices I was concentrating on.



L2 Linker

Anyone getting this to work?  I've attached some screenshots,thoughts?No Logs Available to importNo Logs Available to importDevices in Expedition.  Physical Firewalls were added by PanoramaDevices in Expedition. Physical Firewalls were added by PanoramaCSV File in /home/expedition/logs directoryCSV File in /home/expedition/logs directoryScheduled Export from the Physical FirewallScheduled Export from the Physical Firewall

L2 Linker

I had to import logs from each firewall indvidually to get it to work.

The logs will show under the firewall they belong too.

The belonging is done via the serial number (and the serialHA number).


Therefore, given a path for a device, we will show only the files that are on that path and that also share the serial number of that device.


Why is that?

  • Reason 1:
    • We can place all the logs of multiple firewalls in the same folder /PALogs/* but we only want to see those logs that belong to each firewall, to be accurate with the firewall's context
  • Reason 2:
    • We may have one panorama that handles 50 firewalls, having each firewall's files under /PALogs/firewall_X/*. We can set the path for Panorama to /PALogs/*, and all the managed devices (if they do not overwrite the given Panorama's path) will inherit the path, and will show only the files that belong to the firewall in place.
      Notice that we also list files that are in subfolders of a given path (if we have reading access to the folder)

And to confirm you did this under M. Learning, correct?  Regardless of what I try, in the Expedition GUI, I can never find the .csv files exported from the firewall to the Expedition Server.  When I go to the server, the Logs are getting created and written to the server properly, just aren't able to be seen by the GUI.

Have you tired hitting them with a 777 hammer just to rule out permissions?

Can you confirm that the FW you have defined in expedition has the same serial number as the serials reported in the logs?


And that the log path is correctly writen (without spaces)


And, could you try to check with the most recent update of Expedition?


If it continues failing, let's have a Zoom session to figure out the source of the issue. And we report back here the resolution once solved.

  • 17 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!