01-09-2019 03:06 AM - edited 01-11-2019 02:56 AM
Hi Luke,
Yes, Expedition can get the logs as a syslog server as well.
In the /etc/rsyslog.conf you would define how the syslog server (RSyslog in Expedition case) would process the received entries:
As we would like to help you speeding up the process of setting up the syslog server, we have provided three useful examples that you can simply take for your Expedition instance.
You can find them inside the folder
/var/www/html/OS/rsyslog/
Inside, you will find a config to listen only for UDP connections, for TCP connections or both.
Take the one you prefer, edit it to add the IPs inside the AllowedSender parameteryou would allow to send syslog entries (tipically the IPs for the reporting interfaces in the PA7000) (by default shows:)
$AllowedSender TCP, 127.0.0.1, 10.11.29.0/24, 172.16.26.0/24, *.paloaltonetworks.com
and save it into /etc with the name rsyslog.conf
Remember to restart the syslog service by
service rsyslog restart
We have designed the config to save the logs into a /data folder that should exist (create it if it doesn't) and are stored by reporting IP and day (we try to emulate the structure that a firewall would create with the log export).
Regarding the permits, thing that the "rsyslog" group will store the logs there, but that www-data needs to be able to read them as well to generate the parquets and perform the ML activities.
$template DynaTrafficLog,"/data/%FROMHOST-IP%/%HOSTNAME%_traffic_%$YEAR%_%$MONTH%_%$DAY%_last_calendar_day.csv"
Finally, make sure that your Expedition instance is allowed to listen the desired port. Expedition has firewalld service that you may need to edit it. For instance:
sudo /usr/bin/firewall-cmd --permanent --add-port=514/udp
Let's start with this.
UPDATE: We have noticed that in some situations, it may be required to restart the machine to ensure that rsyslog captures the arriving traffic and process it.