PAN to rsyslog on Ubuntu 22 yields unusable file names

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PAN to rsyslog on Ubuntu 22 yields unusable file names

L0 Member

Hi.

I have a default setup w/ Ubuntu 22 as a rsyslog server. I pointed my PAN 10.2 to it, and am getting log data, but I am not getting a usable / meaningful file name. I'd like the log file name to be something like "perimfw" or some such to start.

Hoping that some other PAN users here are logging to rsyslog and have a usable template line = because the PAN log record does not appear to include a process name because it looks like this "2022-11-04T12:54:13-04:00 perimfw.ad.local 1,2022/11/04 12:54:13,012801088067,THREAT,url,2561,2022/11/04 12:54:13, ...."

 

In the rsyslog file has these lines:

$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

*.* ?remote-incoming-logs

& ~

 

The log file generated is => 1,2022.log (for BSD format from PAN) and => "-.log" format if you change to IEFT. In contrast, because the Infoblox servers that are already logging to the same rsyslog server have a traditional process name, I get a nice file and record layout. Example => "ssh.log" comes from this log line "2022-10-26T19:19:56+02:00 192.168.1.27 sshd[9011]: Local authentication succeeded for user admin";  and rsyslog can easily peel off the process name. 

1 REPLY 1

I have a workable answer, this does solve the problem by sending data to a usable file name. Doesn't address why the process name is missing. X.Y are replacements for your site.....

if $fromhost-ip == "192.168.X.Y" then {
Action (type="omfile" file="/var/log/perimfw.X.Y/firewall.log")
stop
}
if $hostname == "perimfw.X.Y" then {
Action (type="omfile" file="/var/log/perimfw.X.Yl/firewall.log")
stop
}
## This is a commonly suggested template to direct messages to a specific directory. It works for Infoblox NIOS very well - you get individual log files, as if you were looking at local syslog on a NIOS grid member.
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
stop

  • 1576 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!