Unable to create Log Connector

markmill · ‎06-12-2020

Expedition 1.1.69.3

I have created a new project and I'm unable to create a Log Connector. After Selecting my Device, I click the dropdown for Source and it's blank. Selecting the dropdown for Virtual System is also blank.

Alternately if I create a Dynamic Log Connector and then try to analyze ML data, the connector cannot be found.

Looking for assistance in troubleshooting why I cannot create and use either type of Log Connector

dgildelaig · ‎06-12-2020

Hi,

The configuration that you imported into this project, did you imported via a device or via an XML file?

The log connector will only work in the first case

View solution in original post

dgildelaig · ‎06-12-2020

Hi,

The configuration that you imported into this project, did you imported via a device or via an XML file?

The log connector will only work in the first case

markmill · ‎06-12-2020

I imported via device by clicking the green Import Device button on the Import tab of the project. I had previoulsy used the XML option as well -- good to know not to use it.

I think I've been able to reproduce a bug. I created a new project and was able to create a static connector. However, if I attempt to create a dynamic connector, it seems to subsequently break creating any connectors, regardless of type. This behavior persists through creating new projects as well. I have to completely log out of Expedition to get the behavior to reset to where I can create a Log Connector again.

dgildelaig · ‎06-17-2020

Thanks,

I have created a ticket around that to check it and get it fixed.

DanaHawkins · ‎11-29-2022

Was this bug fixed?

I'm running into this with the latest version of the Expedition tool. I've imported the device via API (Username and Password). I've configured Expedition to be a syslog collector and that seems to be working properly with good log processing occurring. Whether I create a static or dynamic connector none show up when I go to analyze logs with ML.
It does work with Enrichment.

We also deleted and recreated the project after performing an update.

Get out there and do great things!

lychiang · ‎11-29-2022

Hi @DanaHawkins The log connector will be your panorama or firewall depends on where the security policy located , if the policy is in panorama , you will need to add panorama as device, click on retrieve latest content to retrieve configuration from panorama, when you go into the project , first go to "import", click on the device to import the config from panorama, then go to "plug-in", add panorama as a static log connector , you will require connectivity between expedition and panorama on tcp port 443

DanaHawkins · ‎11-29-2022

@lychiang thanks for the reply. These firewalls are unmanaged/standalone. I have no problem importing the device or going through the process of creating the connector. It doesn't show up when I enable ML on any policies and try to run the ML discovery.

Unfortunately I don't have access to Expedition right now but I will try to provide a screenshot tomorrow via customer screenshare.

I've asked the customer to review logs coming from syslog to ensure they contain the serial number of the firewall in question.

Get out there and do great things!

Unable to create Log Connector

Unable to create Log Connector

Show your appreciation!