Is there a way to forward logs from individual rules by adding Expedition to their Log Forwarding Profile rather than setting up a Scheduled Log Export which forwards an entire firewall's logs?
The reason I ask is that I need to use MI to analyze traffic for some specific rules but do not need to analyze traffic on an entire firewall. I have Scheduled Log Export set up for some smaller firewalls where the entire policy needs to be analyzed, and this works well. But I also have some very large, high-traffic firewalls where I need to analyze only a few rules, and scheduling the export of their entire traffic log would just be too much for our Expedition server.
Any thoughts? Thank you!
Yes, this is possible using Expedition as a Syslog server and using a Log Forwarding profile as you stated.
To make sure that Expedition is receiving the traffic logs using syslog messages, check this other thread where we mentioned how to set up these parts.
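Before pointing the firewall's Log Forwarding profile at Expedition, it is worth confirming that only the intended rules' traffic logs are actually being sent. The following checker is an added example, not code from this thread or from Palo Alto Networks or Expedition: it parses PAN-OS traffic logs in BSD syslog format and counts them per security rule, flagging any rule that should not be forwarding. The field positions (Type as the 4th CSV field, Rule Name as the 12th) are an assumption based on the PAN-OS traffic log field order and should be verified against the documentation for your PAN-OS version; the sample lines, hostnames, rule names and the listener port are all constructed.

```python
"""
Added example (not from the LIVEcommunity thread or Palo Alto Networks): an
offline checker that parses PAN-OS traffic logs in BSD syslog format and
counts them per security rule. Run it against a short capture to confirm
that a Log Forwarding profile attached to a few rules sends only those
rules' TRAFFIC logs, rather than the whole firewall's log.

Assumptions (labelled): the CSV field order follows the PAN-OS traffic log
syslog format in which "Type" is the 4th field and "Rule Name" the 12th.
Verify these positions against your PAN-OS version's field-order docs.
The sample lines below are constructed, not captured from a firewall.
"""
import csv
import re
import socket
from collections import Counter
from io import StringIO

# BSD syslog header: <PRI>Mon dd hh:mm:ss hostname <message>
_HEADER = re.compile(
    r"^<\d{1,3}>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?P<msg>.*)$"
)

TYPE_IDX = 3   # "Type" column (TRAFFIC, THREAT, SYSTEM, ...) - assumed position
RULE_IDX = 11  # "Rule Name" column - assumed position


def parse_panos_syslog(line):
    """Return (log_type, rule_name) for one PAN-OS syslog line, or None
    when the line has no BSD header or too few CSV fields."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = next(csv.reader(StringIO(m.group("msg"))))
    if len(fields) <= RULE_IDX:
        return None
    return fields[TYPE_IDX], fields[RULE_IDX]


def summarize_by_rule(lines, expected_rules):
    """Count TRAFFIC logs per rule. Any rule outside expected_rules means the
    Log Forwarding profile is attached more widely than intended, or a
    whole-firewall export is still feeding the same listener."""
    counts = Counter()
    unexpected = set()
    for line in lines:
        parsed = parse_panos_syslog(line)
        if parsed is None:
            continue
        log_type, rule = parsed
        if log_type != "TRAFFIC":
            continue  # SYSTEM/THREAT/etc. are not what MI needs here
        counts[rule] += 1
        if rule not in expected_rules:
            unexpected.add(rule)
    return counts, unexpected


def receive_syslog(bind_addr="0.0.0.0", port=5514, max_lines=100):
    """Collect raw UDP syslog datagrams for a quick spot check. Not called at
    import time; the port is a placeholder, use whatever you configured."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    lines = []
    try:
        while len(lines) < max_lines:
            data, _ = sock.recvfrom(65535)
            lines.append(data.decode("utf-8", errors="replace"))
    finally:
        sock.close()
    return lines


# Constructed sample lines (not real firewall output). Two rules are meant
# to forward to Expedition; "Catch-All" is not, and one SYSTEM log is mixed in.
SAMPLE_LINES = [
    "<14>Jan 10 12:00:01 PA-FW 1,2024/01/10 12:00:01,001234567890,TRAFFIC,end,2304,"
    "2024/01/10 12:00:01,10.0.1.5,198.51.100.7,0.0.0.0,0.0.0.0,Allow-Web,,,web-browsing,"
    "vsys1,trust,untrust,ethernet1/1,ethernet1/2,Expedition-LFP,2024/01/10 12:00:01,"
    "12345,1,51234,443,0,0,0x0,tcp,allow,5120",
    "<14>Jan 10 12:00:02 PA-FW 1,2024/01/10 12:00:02,001234567890,TRAFFIC,end,2304,"
    "2024/01/10 12:00:02,10.0.1.9,198.51.100.7,0.0.0.0,0.0.0.0,Allow-Web,,,ssl,"
    "vsys1,trust,untrust,ethernet1/1,ethernet1/2,Expedition-LFP,2024/01/10 12:00:02,"
    "12346,1,51235,443,0,0,0x0,tcp,allow,8800",
    "<14>Jan 10 12:00:03 PA-FW 1,2024/01/10 12:00:03,001234567890,SYSTEM,general,0,"
    "2024/01/10 12:00:03,vsys1,general,,0,0,general,informational,Constructed system event",
    "<14>Jan 10 12:00:04 PA-FW 1,2024/01/10 12:00:04,001234567890,TRAFFIC,end,2304,"
    "2024/01/10 12:00:04,10.0.2.3,10.0.0.53,0.0.0.0,0.0.0.0,Allow-DNS,,,dns,"
    "vsys1,trust,dmz,ethernet1/1,ethernet1/3,Expedition-LFP,2024/01/10 12:00:04,"
    "12347,1,40000,53,0,0,0x0,udp,allow,300",
    "<14>Jan 10 12:00:05 PA-FW 1,2024/01/10 12:00:05,001234567890,TRAFFIC,end,2304,"
    "2024/01/10 12:00:05,10.0.3.8,203.0.113.4,0.0.0.0,0.0.0.0,Catch-All,,,unknown-tcp,"
    "vsys1,trust,untrust,ethernet1/1,ethernet1/2,default,2024/01/10 12:00:05,"
    "12348,1,50000,8080,0,0,0x0,tcp,deny,0",
]

if __name__ == "__main__":
    counts, unexpected = summarize_by_rule(SAMPLE_LINES, {"Allow-Web", "Allow-DNS"})
    for rule, n in counts.most_common():
        print(f"{rule}: {n} TRAFFIC logs")
    if unexpected:
        print("rules forwarding that were not expected:", sorted(unexpected))
```

In practice, swap `SAMPLE_LINES` for the list returned by `receive_syslog()` while the profile is attached to only the target rules; if `unexpected` is non-empty, the profile is attached to more rules than planned or the old whole-firewall export is still running against the same listener.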