PAN to rsyslog on Ubuntu 22 yields unusable file names

Hi.

I have a default setup with Ubuntu 22 as an rsyslog server. I pointed my PAN 10.2 to it and am getting log data, but I am not getting a usable/meaningful file name. I'd like the log file name to start with something like "perimfw".

I'm hoping that some other PAN users here are logging to rsyslog and have a usable template line, because the PAN log record does not appear to include a process name; it looks like this: "2022-11-04T12:54:13-04:00 perimfw.ad.local 1,2022/11/04 12:54:13,012801088067,THREAT,url,2561,2022/11/04 12:54:13, ...."

The rsyslog file has these lines:

$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~

The log file generated is => 1,2022.log (for BSD format from PAN) and => "-.log" if you change to IETF. In contrast, because the Infoblox servers that are already logging to the same rsyslog server have a traditional process name, I get a nice file and record layout. For example, "ssh.log" comes from this log line: "2022-10-26T19:19:56+02:00 192.168.1.27 sshd[9011]: Local authentication succeeded for user admin"; rsyslog can easily peel off the process name.

1 REPLY

I have a workable answer; this does solve the problem by sending data to a usable file name. It doesn't address why the process name is missing. X.Y are replacements for your site.

# Match the firewall by its source IP and write to a fixed file name.
if $fromhost-ip == "192.168.X.Y" then {
    action(type="omfile" file="/var/log/perimfw.X.Y/firewall.log")
    stop
}
# Same thing keyed on the hostname the firewall reports in the syslog header.
if $hostname == "perimfw.X.Y" then {
    action(type="omfile" file="/var/log/perimfw.X.Y/firewall.log")
    stop
}
## This is a commonly suggested template to direct messages to a specific directory. It works for Infoblox NIOS very well - you get individual log files, as if you were looking at local syslog on a NIOS grid member.
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
stop
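An added example, not from the thread and not Palo Alto's or rsyslog's own sample configuration: the same routing idea written as one RainerScript block that matches the firewall by source IP or reported hostname, names the file from the sender rather than from the missing syslog TAG, and optionally splits output by the PAN log type (TRAFFIC, THREAT, SYSTEM) taken from the fourth comma-separated field of the raw BSD-format line quoted in the question. The IP 192.0.2.10, the hostname perimfw.example.com, the directory /var/log/perimfw and the field position are assumptions for illustration.

```conf
# Added example; not from the original thread. Placeholders: replace
# 192.0.2.10 and perimfw.example.com with your firewall's own values.

# File path derived from the sender address, so it no longer depends on
# %PROGRAMNAME% (which parses to "1,2022" for PAN's tag-less messages).
template(name="pan-firewall-file" type="string"
         string="/var/log/perimfw/%FROMHOST-IP%/firewall.log")

# Optional: one file per PAN log type. Field 4 of the raw line, split on
# "," (ASCII 44), is the type column in the BSD-format line shown in the
# question (assumed here; verify against your own capture, and note that
# the IETF/RFC 5424 format shifts the field positions). A missing field
# produces rsyslog's "**FIELD NOT FOUND**" name rather than an error.
template(name="pan-firewall-by-type" type="string"
         string="/var/log/perimfw/%FROMHOST-IP%/%rawmsg:F,44:4%.log")

# Match the firewall by source IP or by the hostname it reports, then stop
# so these messages never fall through to the generic template below.
if ($fromhost-ip == "192.0.2.10" or $hostname == "perimfw.example.com") then {
    # Restrictive modes: firewall logs should not be world-readable.
    action(type="omfile" dynaFile="pan-firewall-file"
           dirCreateMode="0750" fileCreateMode="0640")
    action(type="omfile" dynaFile="pan-firewall-by-type"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# Everything else keeps the per-host, per-program layout that works for
# senders with a normal TAG (Infoblox NIOS, sshd, ...).
template(name="remote-incoming-logs" type="string"
         string="/var/log/%HOSTNAME%/%PROGRAMNAME%.log")
action(type="omfile" dynaFile="remote-incoming-logs")
stop
```

Drop this into a file under /etc/rsyslog.d/ that sorts before any catch-all rule, validate it with `rsyslogd -N1` before restarting the service, and then send a test message from the firewall: the first `stop` is what keeps "1,2022.log" from reappearing, and the explicit create modes keep the firewall's traffic and threat records readable only by the syslog user and its group.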
