I will adjust the MTU of the Linux instance. That's a good point.
-----Original Message-----
From: David Lang
Sent: Tuesday, August 13, 2024 6:46 PM
To: David Lang
Cc: Drumm, Daniel ; rsyslog-users
Subject: RE: [rsyslog] Formatting CEF to log.
On Tue, 13 Aug 2024, David Lang wrote:
13 Aug 2024, Drumm, Daniel wrote:
Date: Tue, 13 Aug 2024 23:19:42 +
From: "Drumm, Daniel"
To: David Lang
Cc: rsyslog-users
Subject: RE: [rsyslog] Formatting CEF to log.
Lang
Cc: rsyslog-users
Subject: RE: [rsyslog] Formatting CEF to log.
David -
After experimenting and speaking with a Microsoft engineer, the underlying
issue is known to Microsoft. Rsyslog will truncate or drop long messages in CEF
format unless TCP is used. UDP cannot be used. This was in a
To: David Lang
Cc: Drumm, Daniel ; rsyslog-users
Subject: RE: [rsyslog] Formatting CEF to log.
I will also point out that templates in rsyslog are for output only; they have
no effect at all on parsing input.
David Lang
On Tue, 13 Aug 2024, David Lang wrote:
> Date: Tue, 13 Aug 2024 13:42
Subject: RE: [rsyslog] Formatting CEF to log.
Drumm, Daniel wrote:
David -
If you want me to instance a brand-new Ubuntu 22.04 VM in the cloud, get
rsyslog on it, and move the 514/udp Palo flow to it, I can do that.
Conversely, if you have access to a PAN-OS instance or old physical
firewall,
slog-users
Subject: RE: [rsyslog] Formatting CEF to log.
Sent: Tuesday, August 13, 2024 2:20 PM
To: Drumm, Daniel
Cc: David Lang ; rsyslog-users
Subject: RE: [rsyslog] Formatting CEF to log.
Drumm, Daniel wrote:
Is there a rsyslog Template that exists to take the data in this format and
log it? As you state, when rsyslogd gets a malformed message, or one with
fields additional to that it understands or knows, it will not log it at all,
will not write it to disk at all, not even a partial malformed log.
-----Original Message-----
From: David Lang
Sent: Tuesday, A
unksRcv=0
PanOSRuleUUID=d6ca6ff0-71e9-4f09-8e8d-2204deb98205
PanOSHTTP2Con=0\0x0aPanLinkChange=0 PanPolicyID=
PanLinkDetail=\0x0aPanSDWANCluster= PanSDWANDevice=\0x0aPanSDWANClustype=
-----Original Message-----
From: David Lang
Sent: Monday, August 12, 2024 6:37 PM
To: Drumm, Daniel
Cc:
ca6ff0-71e9-4f09-8e8d-2204deb98205,0,0,,,2024-08-13T10:14:41.917-05:00,,,unknown,unknown,unknown,1,,,not-applicable,no,no,0,NonProxyTraffic,'
$!:
$.:
$/:
-----Original Message-----
From: rsyslog On Behalf Of Drumm, Daniel
via rsyslog
Sent: Tuesday, August 13,
nSDWANDevice=\0x0aPanSDWANClustype=
-----Original Message-----
From: David Lang
Sent: Monday, August 12, 2024 6:37 PM
To: Drumm, Daniel
Cc: David Lang ; Drumm, Daniel via rsyslog
Subject: RE: [rsyslog] Formatting CEF to log.
On Mon, 12 Aug 2024, Drumm, Daniel wrote:
> Messages roll in
logging things from
10.40.0.210, or ??
Can you show a tcpdump of a message getting through from the device vs the
traffic messages that are failing?
David Lang
-----Original Message-----
From: David Lang
Sent: Monday, August 12, 2024 6:15 PM
To: Drumm, Daniel
Cc: David Lang ; Drumm, Da
#012PanOSVsysName=
dvchost=DOB-FW-HA-1
PanOSActionFlags=0x0#012anOSTimeGeneratedHighResolution=2024-08-12T18:23:59.046-05:00'
$!:
$.:
$/:
TRAFFIC messages are not processed despite hitting the VNIC.
-----Original Message-----
From: David Lang
Sent: Monday, August 12, 2024 6:15 PM
To: Dr
wrote:
Date: Mon, 12 Aug 2024 23:11:15 +
From: "Drumm, Daniel"
To: David Lang
Cc: "Drumm, Daniel via rsyslog"
Subject: RE: [rsyslog] Formatting CEF to log.
I removed the 'stop' from every single directive, as this is confusing the
matter.
It looks as such, a
t;
queue.size="25000"
queue.workerThreads="100"
queue.dequeueBatchSize="2048"
queue.saveonshutdown="on"
target="127.0.0.1" Port="28330" Protocol="tcp")
-----Original Message-----
From: David Lang
Sent: Monday, August 12, 2024
On Mon, 12 Aug 2024, Drumm, Daniel wrote:
Date: Mon, 12 Aug 2024 22:41:21 +
From: "Drumm, Daniel"
To: David Lang
Cc: "Drumm, Daniel via rsyslog"
Subject: RE: [rsyslog] Formatting CEF to log.
Here is that file with the -o flag:
root@syslog-server-vni
t; log files.
#
*.=debug;auth,authpriv.none;news.none;mail.none /var/log/debug
PreprocFileLineNumber(33)
*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none
/var/log/messages
PreprocFileLineNumber(37)
#
# Emergencies are sent to everybody logged in.
#
*.emerg
clause looking at the
fromhost-ip
David Lang
On Mon, 12 Aug 2024, Drumm, Daniel wrote:
Date: Mon, 12 Aug 2024 22:18:02 +
From: "Drumm, Daniel"
To: David Lang ,
"Drumm, Daniel via rsyslog"
Subject: RE: [rsyslog] Formatting CEF to log.
Thank you, I should have
SDWANClustype
22:16:32.237613 IP (tos 0x0, ttl 63, id 30089, offset 0, flags [+], proto UDP
(17), length 1500)
So why are they not logging?
-----Original Message-----
From: David Lang
Sent: Monday, August 12, 2024 3:51 PM
To: Drumm, Daniel via rsyslog
Cc: Drumm, Daniel
Subject: Re: [rsyslog]
On Mon, 12 Aug 2024, Drumm, Daniel via rsyslog wrote:
When I perform a "tcpdump -v" I see that the Palo Alto is sending the rsyslog
server the correct logs for traffic flows. But the only logs coming from the
firewall that are logging are the system messages. I had to convert the traffic
flow messages coming in from the Palo Alto on 514/udp to the