Solved: Re: NSX Firewall traffic logs, syslog server.

neel_mani · ‎10-12-2017

Folks,

We have a syslog server configured on our NSX and the NSX sends the logs to this server. However, what we are getting is only the audit/system logs.

What we need to see is the traffic logs which shows the hits for allow and deny.

Could someone help on any guidance with reference to this?

Thanks!!!

amolnjadhav · ‎10-12-2017

Hi neel,

I have spend days to troubleshoot this issue...

you need to configure syslog server settings on ESX server's to see the packet allow/drop.

DFW uses vmkernel mgmt. ip to send logs to syslog server.

Please look into below KB article on how to configure syslog server in esx.

Configuring syslog on ESXi (2003322) | VMware KB

View solution in original post

amolnjadhav · ‎10-12-2017

Hi neel,

I have spend days to troubleshoot this issue...

you need to configure syslog server settings on ESX server's to see the packet allow/drop.

DFW uses vmkernel mgmt. ip to send logs to syslog server.

Please look into below KB article on how to configure syslog server in esx.

Configuring syslog on ESXi (2003322) | VMware KB

bayupw · ‎10-12-2017

By default, Firewall rules/traffic are not logged.

You would need to set each rules to Log as per this doc: Firewall Logs

Here are the steps to Log a DFW rule

1. Enable the Log column on the Networking & Security > Firewall page.

2. Enable logging for a rule by hovering over the Log table cell and clicking the pencil icon.

As per doc, the DFW log is stored in each host in /var/log/dfwpktlogs.log by default

Look for dfwkptlogs.log file

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw

neel_mani · ‎10-13-2017

Thanks mate!!! I think this is exactly what we are looking at.

However, what could be the affect of enabling the syslog at a root level?

Is there a chance of any impact to performance? We are only looking for the DFW traffic logs and do not want all logs from the ESX host.

bayupw · ‎10-13-2017

I don't have a supporting document but it should not impact the performance and it is one of the best practice to configure remote logging to syslog.

If you ask VMware partner/professional services for a health check/health analyzer, remote logging to syslog will be one of the best practice item.

This will improve administration, management, monitoring, troubleshooting and root cause analysis.

The DFW logs are part of ESXi so you would need to configure the ESXi syslog as part of the Syslog.global.loghost.

FYI, if you are entitled for NSX licenses then you would also entitled for vRealize Log Insight for NSX license.

vRealize Log Insight for NSX FAQ (2145800) | VMware KB

The NSX content pack for Log Insight would help you to analyse firewall traffic logs e.g. top allowed/blocked rules, top sources/destinations, ports, etc

NSX Content Pack For Log Insight: Overview - YouTube

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw

amolnjadhav · ‎10-13-2017

Hi Bayu,

I am afraid now, we have NOT "Enabled the Log column on the Networking & Security > Firewall page." but still we i see the DFW allow/drop packets inside vRLI.

Strange but i can see the traffic logged inside vRLI.

All

NSX Firewall traffic logs, syslog server.