My VMware NSX Edge firewall rules are not logging when they are hit despite being configured to LOG
in Action. It fails to show up in syslog (Splunk) and fails to get to VRLI. Does this have to be
enabled elsewhere? Thank you.
VMware NSX Firewall logs properly in contrast.
Hi, in the other thread "Where is syslog destination configured for NSX Edge firewall?" you mentioned that you were trying to configure syslog for Edge Firewall.
Just to double check in case you have missed it, have you configured these syslog server settings on the NSX Edge?
The official documentation is available here: Configure Syslog Servers for NSX Edge
Yes, I did that. The problem is that unlike with DFW no records show up in VRLI or Splunk.
If there's some other place to view allow/denied traffic - that would be helpful too.
It looks like the method below is for DFW not edge. But perhaps something similar
exists there too?
more /var/log/dfwpktlogs.log
To view the Edge logs, you can log in (SSH or console) to the Edge and do a show log or download the Edge tech support bundle log.
Here's the reference document:
NSX Edge Logs: Use the Download Technical Support Log bundle via NSX Edge UI.
Show log is now showing anything that looks like a firewall rule allow/deny. I've downloaded the tech support logs and
see what's in there.
Could it have to do with the logging level? It appears set to INFO at present.
The download show tech is great. Thank you!
If you've any other ideas on the syslog output I'm all ears.
So I thought I had this resolved. I swapped out the name vrli01 for the IP address of VRLI. It started
logging correctly and I thought I had this solved. But when I went in today NSX had somehow for
some reason overridden my change and put back the name vrli and logging was broken again.
Any idea how that could be?
Do you have vROps installed with the NSX Management Pack? This has been known to cause some issues with overriding configured syslog destinations.
Check out this article from Tomas on the issue
vRealize Operations Management Pack for NSX-V and Log Insight Integration – Tom Fojta's Blog