This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

dgildelaig
L5 Sessionator

‎01-09-2019 03:06 AM - edited ‎01-11-2019 02:56 AM

Hi Luke,

 

Yes, Expedition can get the logs as a syslog server as well.

In the /etc/rsyslog.conf you would define how the syslog server (RSyslog in Expedition case) would process the received entries:

  • where to listen from (notice that the example defined the 10514 port, which it is not the default one. Probably you would prefer setting it up to 514)
  • which IPs to allow reporting
  • where to store the log entries

As we would like to help you speeding up the process of setting up the syslog server, we have provided three useful examples that you can simply take for your Expedition instance.

You can find them inside the folder 

/var/www/html/OS/rsyslog/

 

Inside, you will find a config to listen only for UDP connections, for TCP connections or both.

Take the one you prefer, edit it to add the IPs inside the AllowedSender parameteryou would allow to send syslog entries (tipically the IPs for the reporting interfaces in the PA7000) (by default shows:)

$AllowedSender TCP, 127.0.0.1, 10.11.29.0/24, 172.16.26.0/24, *.paloaltonetworks.com

and save it into /etc with the name rsyslog.conf

 

Remember to restart the syslog service by

service rsyslog restart

 

We have designed the config to save the logs into a /data folder that should exist (create it if it doesn't) and are stored by reporting IP and day (we try to emulate the structure that a firewall would create with the log export).

Regarding the permits, thing that the "rsyslog" group will store the logs there, but that www-data needs to be able to read them as well to generate the parquets and perform the ML activities.

$template DynaTrafficLog,"/data/%FROMHOST-IP%/%HOSTNAME%_traffic_%$YEAR%_%$MONTH%_%$DAY%_last_calendar_day.csv"

 

Finally, make sure that your Expedition instance is allowed to listen the desired port. Expedition has firewalld service that you may need to edit it. For instance:

sudo /usr/bin/firewall-cmd --permanent --add-port=514/udp

 

Let's start with this.

 

UPDATE: We have noticed that in some situations, it may be required to restart the machine to ensure that rsyslog captures the arriving traffic and process it.

View solution in original post

(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks