About BenKnorr2

BenKnorr2 · ‎09-18-2020

in my case, /PAlogs is where the parquet files are stored. /home/expedition/logs is where I've got my FW exporting logs to. FWIW, I have this exact same setup in my lab and everything is the same except I have a FW configured as a device instead of Panorama. I'm not looking to delete parquet files, just the massive exported traffic logs from my FW.

BenKnorr2 · ‎09-18-2020

I have Panorama configured as a device in Expedition. Devices managed by Panorama have been imported/retrieved into the device within Expedition. Some stuff I've done/is configured: crontab is set to fix permissions on imported logs daily at midnight. It runs successfully and resulting files look like they have the right permissions: -rw-rw---- 1 expedition www-data 184G Sep 17 17:56 PA5220_traffic..... My daily scheduled log processing is set for 4AM The M.Learning component in the device (Panorama) is set to "auto process CSV log files" and appears to do this. I've been able to analyze rules in a project using this info. I have "after process: Delete" configured, but it doesn't appear to work I've also got another thread out there regarding the "process Enabled Files" option that is greyed out in this context. The only way I can process these logs is by letting the daily processing schedule catch up to them, or manually changing that schedule to be 2 min from now, for instance. In any case, the server quickly fills up with space as logs aren't being deleted after processing. My thinking is that logs are uploaded at 1600, ACL changed at 0000, then auto processing kicking off at 0400. So far it seems to all work except the deleting part. Any tips?

BenKnorr2 · ‎09-03-2020

1 CSV pending... I also noticed that automatic processing isn't finishing either. I administratively disabled a file for processing and when doing that, Expedition changes the device from "PA-52xxx" to "PA-50xxx" (I have both types in this panorama, fwiw). Changing back to enabled changes the FW type back to 5250. Not sure what that's about or if it matters. The button for processing enabled files never changes than what is shown here. In my lab, I can process manually, but not on this particular instance of Expedition. All log files present are named consistently with PA52xxx, and I've verified that SN in logs matches the 5250 I'm targeting for ML. Noticing that automatic processing isn't succeeding either, I've found my sparkRAM was only defined as 1100mb. I've updated that to 7000mb, will try again via daily automatic processing by adjusting time.

BenKnorr2 · ‎09-03-2020

Have tried other major Ubuntu versions besides 16.04, and was unsuccessful. I have stuck to 16.04 since it's still supported (until Apr 21) and is straightforward to get working.

BenKnorr2 · ‎09-03-2020

I have one instance of Expedition where I am apparently unable to manually trigger log processing for enabled files (Devices/M.learning). Initially, Expedition was set to autoprocess CSV files, and it did it successfully. After a reboot, three logfiles piled up due to scheduled log export via scp from firewall and I didn't notice that the task manager for expedition wasn't started until after the three piled up. Since this box got stood up, the "Process Enabled Files" button is greyed out. Any ideas?

Member Since	‎05-23-2019 08:29 AM
Date Last Visited	‎03-16-2023 11:29 AM
Posts	20
Total Likes Received	1

Online Status	Offline
Date Last Visited	‎03-16-2023 11:29 AM

About BenKnorr2

Re: Cloud Identity Engine Directory Sync

Re: Panorama log import

Prisma Access compatibility

Re: GlobalProtect - Autoblock/kick users when vulnerability exploit is detected?

Prisma Access rules : how to calculate when used?

Re: Palo to Palo migration

Re: forwarded logs not deleting after processing

Re: forwarded logs not deleting after processing

forwarded logs not deleting after processing

Re: Manual processing of ML logs is greyed out

Re: Expedition OS Compatibility

Manual processing of ML logs is greyed out