VMware Networking Community
Czernobog
Expert

NSX-T 2.5 - monitor packet logs with Log Insight - no events sent

I want to monitor firewall rule rejects (blocked communication) using log insight. I've set up remote logging on my nsx manager using:

set logging-server [ip] proto udp level info

also tried it with

set logging-server [ip] proto udp level info facility syslog messageid FIREWALL,FIREWALL-PKTLOG

I've also set up a firewall rule to reject some traffic and enabled logging.

The remote logging seems to work in some way, because when I filter for the nsx-manager hostname in interactive analytics, I can read some events about configuration changes etc., but none are relevant to the network packets sent or rejected. But when selecting one of the NSX-T filters describing the firewall behavior, like for example vmw_nsxt_firewall_action, no events are displayed.

Also the NSX Distributed Firewall Dashboards display no events.

What else could be done to import the relevant logs into Log Insight from the NSX-T Manager?

edit: never mind, it seems to work, although the events need >15 minutes to be passed on to log insight, which is another problem now

edit2: never mind again, problem still persists - it seems that some events reach log insight and some don't

edit3: same syslog is configured on the esxi hosts, nsx-t manager and vrli instance are placed in the same subnet, so communication in between should not be an issue

mauricioamorim
VMware Employee

Firewall rule logs are stored on the hosts and they are the ones that need to send to the syslog server. That's why you will not find these messages by filtering using the nsx-manager hostname. To check if the logs are being generated take a look at /var/log/dfwpktlogs.log.

If the logs are not there it is not a syslog problem, but maybe you just haven't enabled logging in the firewall rule. Check this doc: About Firewall Rules

RaymundoEC
VMware Employee

question: did you tick the log check in the FW rule, for example something like a tag Rul2 for rule X?

+vRay
Czernobog
Expert

I did enable logging on the rule, turns out that the issue was vRLI related. Even though the vCenter integration was in place and all hosts seemed to be configured, some were not sending data to Log Insight.

I had to unconfigure all hosts and configure them again from Log Insight. After that the hosts started sending data and the reject events are visible. So it works basically just like in NSX-V.

What I find interesting is that yesterday, when checking the NSX-T Manager as the log source, the following event was logged:

nsx-manager NSX 31382 FIREWALL [nsx@6876 audit="true" comp="nsx-manager" entId="edb7d290-06c3-47aa-865a-643c351afd44" level="INFO" reqId="1ad3e007-843f-4396-bae5-08b7e34e5b6c" splitId="AYmIpooH" splitIndex="3 of 4" subcomp="manager" username="admin"] "f58fe46b-37cf-4258-993d-26a21da892d2",
"target_display_name": "xxx/xxx@xxx",
"target_type": "LogicalPort",
"is_valid": true
},
{
"target_id": "ip",
"target_display_name": "ip",
"target_type": "IPAddress",
"is_valid": true
}
],
"destinations": [
{
"target_id": "yyy",
"target_display_name": "yyy/yyy@yyy",
"target_type": "LogicalPort",
"is_valid": true
}
],
"rule_tag": "rejectTest",
"action": "REJECT",
"disabled": false,
"logged": true,
"direction": "IN_OUT",
"ip_protocol": "IPV4_IPV6",
"is_default": false,
"_revision": 3
}
],
"resource_type": "FirewallSection",
"id": "zzz",
"display_name": "zzz",
"section_type": "LAYER3",
"stateful": true,
"rule_count": 1,
"is_default": false,
"locked": false,
"comments": "Default section unlock comment",
"lock_modified_by": "admin",
"lock_modified_time":

Basically, the whole rule is returned, but only the elements which are relevant to the reject action are shown.

So it seems that (some of) the events are kept on the manager anyway.

mauricioamorim
VMware Employee

These are not firewall logs, but audit logs.

These are related to config changes and are documented here: Log Messages

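Added example (not from this thread or from VMware): a small parser for the manager's audit record format quoted above, showing why those fragments look the way they do. The `[nsx@6876 ...]` block is RFC 5424 structured data; `audit="true"` marks a config-change audit record (as opposed to the DFW packet logs that come from the hosts), and `splitId`/`splitIndex` mean one record arrived as several syslog messages that must be reassembled before the JSON can be read. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread) shaped like the manager audit
# line quoted above: [nsx@6876 ...] structured data plus a JSON fragment, split
# over three syslog messages; the SYSTEM line is a non-audit record for contrast.
SD = 'audit="true" comp="nsx-manager" level="INFO" splitId="AYmIpooH" '
SAMPLE_LINES = [
    'nsx-manager NSX 31382 FIREWALL [nsx@6876 ' + SD + 'splitIndex="2 of 3" '
    'subcomp="manager" username="admin"] "action": "REJECT", ',
    'nsx-manager NSX 31382 FIREWALL [nsx@6876 ' + SD + 'splitIndex="1 of 3" '
    'subcomp="manager" username="admin"] {"rule_tag": "rejectTest", ',
    'nsx-manager NSX 31382 FIREWALL [nsx@6876 ' + SD + 'splitIndex="3 of 3" '
    'subcomp="manager" username="admin"] "logged": true}',
    'nsx-manager NSX 31382 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" '
    'subcomp="manager"] Configuration updated',
]

HEADER_RE = re.compile(
    r'^(?P<host>\S+) NSX (?P<pid>\d+) (?P<msgid>\S+) '
    r'\[nsx@6876 (?P<sd>[^\]]*)\] ?(?P<msg>.*)$')
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_nsx_line(line):
    """Split one record into header fields, the nsx@6876 params and the body."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["params"] = dict(PARAM_RE.findall(rec.pop("sd")))
    return rec


def is_audit_event(rec):
    """Audit (config-change) records carry audit="true"; host DFW packet logs do not."""
    return rec["params"].get("audit") == "true"


def reassemble(lines):
    """Join split records by splitId in splitIndex order; only complete sets are
    returned, so a truncated dump is not mistaken for a whole rule object."""
    chunks, totals = defaultdict(dict), {}
    for line in lines:
        rec = parse_nsx_line(line)
        if rec is None or "splitId" not in rec["params"]:
            continue
        p = rec["params"]
        idx, _, total = p["splitIndex"].partition(" of ")
        chunks[p["splitId"]][int(idx)] = rec["msg"]
        totals[p["splitId"]] = int(total)
    return {sid: "".join(parts[i] for i in sorted(parts))
            for sid, parts in chunks.items() if len(parts) == totals[sid]}
```

Filtering on `audit="true"` separates the manager's audit records from firewall events in a Log Insight query; the reassembled text is the JSON the manager logged, which here is a rule definition, not a blocked packet.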
Czernobog
Expert

Ah, you are right. Thanks for the explanation.
