VMware Networking Community
vmmed1
Enthusiast

NSX Edge Firewall is failing to log to syslog or VRLI. Help please.

My VMware NSX Edge firewall rules are not logging when they are hit despite being configured to LOG in Action. It fails to show up in syslog (Splunk) and fails to get to VRLI. Does this have to be enabled elsewhere? Thank you.

VMware NSX Firewall logs properly in contrast.

9 Replies
bayupw
Leadership

Hi, in the other thread, "Where is syslog destination configured for NSX Edge firewall?", you mentioned that you were trying to configure syslog for Edge Firewall.

Just to double check in case you have missed it, have you configured these syslog server settings on the NSX Edge?

The official documentation is available here: Configure Syslog Servers for NSX Edge


Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
vmmed1
Enthusiast

Yes, I did that. The problem is that, unlike with DFW, no records show up in VRLI or Splunk.

vmmed1
Enthusiast

If there's some other place to view allow/denied traffic - that would be helpful too.

It looks like the method below is for DFW, not Edge. But perhaps something similar exists there too?

Firewall Logs

more /var/log/dfwpktlogs.log

bayupw
Leadership

To view the Edge logs, you can log in (SSH or console) to the Edge and do a show log, or download the Edge tech support bundle log.


Here's the reference document

About NSX Logs

NSX Edge Logs

Use the show log [follow | reverse] command in the NSX Edge CLI.

Download Technical Support Log bundle via NSX Edge UI.

vmmed1
Enthusiast

Show log is now showing anything that looks like a firewall rule allow/deny. I've downloaded the tech support logs and see what's in there.

vmmed1
Enthusiast

Could it have to do with the logging level? It appears set to INFO at present.

vmmed1
Enthusiast

The download show tech is great. Thank you!

If you've any other ideas on the syslog output I'm all ears.

vmmed1
Enthusiast

So I thought I had this resolved. I swapped out the name vrli01 for the IP address of VRLI. It started logging correctly and I thought I had this solved. But when I went in today, NSX had somehow, for some reason, overridden my change and put back the name vrli, and logging was broken again.

Any idea how that could be?

DaleCoghlan
VMware Employee

Do you have vROPs installed with the NSX Management Pack? This has been known to cause some issues with overriding configured syslog destinations.

Check out this article from Tomas on the issue

vRealize Operations Management Pack for NSX-V and Log Insight Integration – Tom Fojta's Blog
