I have created a new project and I'm unable to create a Log Connector. After Selecting my Device, I click the dropdown for Source and it's blank. Selecting the dropdown for Virtual System is also blank.
Alternately if I create a Dynamic Log Connector and then try to analyze ML data, the connector cannot be found.
Looking for assistance in troubleshooting why I cannot create and use either type of Log Connector.
I imported via device by clicking the green Import Device button on the Import tab of the project. I had previously used the XML option as well -- good to know not to use it.
I think I've been able to reproduce a bug. I created a new project and was able to create a static connector. However, if I attempt to create a dynamic connector, it seems to subsequently break creating any connectors, regardless of type. This behavior persists through creating new projects as well. I have to completely log out of Expedition to get the behavior to reset to where I can create a Log Connector again.
Was this bug fixed?
I'm running into this with the latest version of the Expedition tool. I've imported the device via API (Username and Password). I've configured Expedition to be a syslog collector and that seems to be working properly with good log processing occurring. Whether I create a static or dynamic connector, none show up when I go to analyze logs with ML.
It does work with Enrichment.
We also deleted and recreated the project after performing an update.
Hi @DanaHawkins, the log connector will be your Panorama or firewall, depending on where the security policy is located. If the policy is in Panorama, you will need to add Panorama as a device and click on retrieve latest content to retrieve the configuration from Panorama. When you go into the project, first go to "import" and click on the device to import the config from Panorama, then go to "plug-in" and add Panorama as a static log connector. You will require connectivity between Expedition and Panorama on TCP port 443.
@lychiang thanks for the reply. These firewalls are unmanaged/standalone. I have no problem importing the device or going through the process of creating the connector. It doesn't show up when I enable ML on any policies and try to run the ML discovery.
Unfortunately I don't have access to Expedition right now but I will try to provide a screenshot tomorrow via customer screenshare.
I've asked the customer to review logs coming from syslog to ensure they contain the serial number of the firewall in question.