About ChrisHammock

Hi, I have just tried to use the Expedition "API Output Manager" for the first time and find some rather strange behaviour.   I have used ML to create around 33 new security rules, when I went to the "API Output Manager" to generate api commands for each rule (SubAtomic) I selected all the api calls for the security rules and pushed to the firewall, after commiting this and coming back a day later, I notice some traffic is hitting my catchall rule (at the bottom) for which I know I created rules for.  Further investiagtion I realised that there were only around 22 rules created by the "API Output Manager" so the last 11 rules never had API commands generated for them, I tried regenerating the API calls again in expedition but still only 22 rules create.  I moved the bottom 11 rules to the top of the rulebase in expedition and generated the API commands again in "API Output Manager" and although only 22 rules were created again the previously excluded rules (now at the top) were present.   This feels like a limit on the subatomic API output, obviously there were a lot of other API calls generated I didn't use but is anyone aware of a limit on this output, also when using atomic all the rules are listed correctly so it seems to me there isn't an issue with the rules themselves.  ... View more

I had this all setup and working, following the "Log Analysis Features of Expedition" tutorial.  The setup is, all FWs managed by single Panorama, logs forward from FWs to panorama.  I have setup panorama collector to forward the firewall logs to Expedition via syslog TCP.   This all worked fine for a few days then when I tried to login a realised the logs had used up all the disk space.  I had to delete some logs to make enough space and then reboot expedition, when I logged into the gui after the reboot I noticed the PanOrders agent had stopped.  I followed some instructions on the forum about reinstalling rabbitmq or something.    sudo apt-get remove rabbitmq-server && apt-get purge rabbitmq-server sudo apt-get install rabbitmq-server   This resolved the PanOrders issue but the rsyslog service would not restart, the rsyslog log said something about no socket available (or something like that) I think google suggested to run the command "systemctl enable rsyslog.service" which resolved the error and the rsyslog service is now running but I am still getting syslog dropped according to panorama.  I can see the sylsog hitting the expedition server using tcpdump but the files are not showing in the PALogs folder.   The only other change I have made since it worked was move the /PALogs folder to /data/PALogs, I have checked the permissions and updated both the rsyslog.conf and the expedition config regarding this change but I assume none of this would effect why the server is now dropping the syslog traffic?  I have restarted the rsyslog service multiple times and rebooted expedition.   Any help?  I am sure this is related to the hard disk filling up.         ... View more