About zGomez

Hi,   Just wanted to give an update. I figured out that the M.learning under device read the first line of the log and if this contains the serial/firewallname will display the file name.   Since i have a single file for all traffic logs from different firewalls every day the first line can be different.  So best approach is to have really seperate files per firewall device.  I have not found how to do this dynamically do this with rsyslog filters but you can use a script to split the single file into multiple files based on the value off a column. (awk in linux)   So my question is more related to rsyslog how do i send the logs to different files if they come from a single source. I would like rsyslog to create seperate files based on the $53 column in the traffic log (this is the firewallname). If i figure out how to do this in rsyslog i will post this config.     ... View more

Hi Liam,   No it is not correct, it should display more files 11 to be correct,  I have in total 11 files that contain that firewall and serial number.   Output directory:   ls -alh total 45G drwxr-xr-x 2 www-data expedition 4.0K May 23 15:21 . drwxrwxr-x 6 www-data expedition 4.0K May 10 13:47 .. -rw-r--r-- 1 www-data expedition 3.0G May 13 23:59 panorama_traffic_2022_05_13_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 3.4G May 14 23:59 panorama_traffic_2022_05_14_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 3.3G May 15 23:59 panorama_traffic_2022_05_15_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 5.0G May 16 23:59 panorama_traffic_2022_05_16_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 5.1G May 17 23:59 panorama_traffic_2022_05_17_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 5.2G May 18 23:59 panorama_traffic_2022_05_18_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 5.2G May 19 23:59 panorama_traffic_2022_05_19_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 5.0G May 20 23:59 panorama_traffic_2022_05_20_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 3.5G May 21 23:59 panorama_traffic_2022_05_21_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 3.3G May 22 23:59 panorama_traffic_2022_05_22_last_calendar_day.csv -rw-r--r-- 1 www-data expedition 3.2G May 23 16:55 panorama_traffic_2022_05_23_last_calendar_day.csv   When i grep for hostname through the files and display only unique files names you can see it has more files.   lab:/palogs/10.255.125.50$ grep -H -r "MX-KIO1-FW0001" /palogs/10.255.125.50/ | cut -d: -f1 | sort -u /palogs/10.255.125.50/panorama_traffic_2022_05_13_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_14_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_15_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_16_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_17_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_18_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_19_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_20_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_21_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_22_last_calendar_day.csv /palogs/10.255.125.50/panorama_traffic_2022_05_23_last_calendar_day.csv   ... View more

Hello the first screenshot was panorama --> show all devices --> then i went into the specific device firewall.   ... View more

Hi Lychiang, The issue I am facing is that under the device config M.learning i am not seeing all the files that contain that specific firewall.   I only see 1 file the first one created.   there are several files in the directory with the same rights as other file, containg serial and firewallname.  i should see 11 files in the above screenshot.   The log is currently storing log files for 4 different firewalls. If i take  another device also in the log file i can see all of the file in /palogs.     When i manual copy the log files by filtering on LInux containing the first firewall logs i can see the file. so it is before I create a project log-collector.     ... View more

Yes i receive the logs that is not the issue. I have my syslog setup to receive traffic logs from panorama device that forwarding me all firewall logs of my managed devices. The objective is to create a seperate log file based on the firewall hostname include in the log files( important not the same as the sending hostname, ip of the logs) Example log file: 2022-05-16T14:26:01+00:00 PANORAMA 1,2022/05/16 14:26:01,012001050280,TRAFFIC,end,2049,2022/05/16 14:25:57,10.51.10.8,10.52.2.1,0.0.0.0,0.0.0.0,MPLS ,,,snmpv1,vsys1,VPN,trust,tunnel.2001,ethernet1/2.900,LogToPanorama,2022/05/16 14:25:57,76592,1,58824,161,0,0,0x4019,udp,allow,16 90,785,905,18,2022/05/16 14:25:25,1,any,0,578843949,0x8000000000000000,10.0 .0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,9,9,aged-out,29,3090,3092,0,,FIREWALLNAME,from-policy,,,0,,0,,N/A,0,0,0,0,,0,0,,,,,,, This is currenlty in my syslog file. $template DynaTrafficLog,"/palogs/%FROMHOST-IP%/%HOSTNAME%_traffic_%$YEAR%_%$MONTH%_%$DAY%_last_ca lendar_day.csv" *.* -?DynaTrafficLog This stores the files in /palogs/IP-address/panorama_date_.csv All traffic logs will be in the same file. I want seperate logs based on FIREWALLNAME (column 53 in the log line) this can be different values. I could do this using if msg contains "FIREWALLNAME" but this is not really dynamic and hard to keep up with. Can i do this using template? ... View more

I have my syslog setup to receive traffic logs from panorama device that forwarding me all firewall logs of my managed devices. The objective is to create a seperate log file based on the firewall hostname include in the log files( important not the same as the sending hostname, ip of the logs) Example log file: 2022-05-16T14:26:01+00:00 PANORAMA 1,2022/05/16 14:26:01,012001050280,TRAFFIC,end,2049,2022/05/16 14:25:57,10.51.10.8,10.52.2.1,0.0.0.0,0.0.0.0,MPLS ,,,snmpv1,vsys1,VPN,trust,tunnel.2001,ethernet1/2.900,LogToPanorama,2022/05/16 14:25:57,76592,1,58824,161,0,0,0x4019,udp,allow,16 90,785,905,18,2022/05/16 14:25:25,1,any,0,578843949,0x8000000000000000,10.0 .0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,9,9,aged-out,29,3090,3092,0,,FIREWALLNAME,from-policy,,,0,,0,,N/A,0,0,0,0,,0,0,,,,,,, This is currenlty in my syslog file. $template DynaTrafficLog,"/palogs/%FROMHOST-IP%/%HOSTNAME%_traffic_%$YEAR%_%$MONTH%_%$DAY%_last_ca lendar_day.csv" *.* -?DynaTrafficLog   Anybody that can help on configuring syslog for this? ... View more

Hi Lychiang,   Thank you for your feedback. I have setup expedition as syslog server but i am fowarding traffic logs from panorama not with a log profile on the firewall's itself.  Since all log are already forwarded to Panorama I am using this approach.   So I have a single log file with all traffic logs from all devices.  But indeed I can see the log files includes the serial number of the device so maybe not an issue that I have a single file. I will have to play with the log collector and see the outcome of this.     ... View more