VMware Networking Community
Bhushan_D
Contributor

How to analyze syslogs of dfw firewalls ?

Can anyone please specify the TCP flags used by the DFW firewall?

Also, please let me know how to analyze syslogs of DFW firewalls.

I tried to find details but didn't find any.

I am having an issue in which I am getting a TERM action log and the FIN flag is displayed in the logs. I tried to find blogs and documents explaining the action and how to analyze the logs, but no luck.

I also see SEM listed in the initial traffic logs along with the PASS action for the flow; the later action I can see is TERM with the FIN flag.

5 Replies
Sreec
VMware Employee

I'm unsure what tool you are using for syslog? Ideally, for such deep-level inspection you need an IPFIX/NetFlow collector, and it will easily fetch it.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
HassanAlKak88
Expert

Hello,

I recommend using vRNI for network visibility and flows.

And vRLI to check the logs of DFW rules, especially with the "Interactive Analysis".


If my reply was helpful, I kindly ask you to like it and mark it as a solution

Regards,
Hassan Alkak
Bhushan_D
Contributor

I am using Log Insight.

NSX forwards logs to Log Insight.

I want to understand the format of the logs and how to analyze the logs for DFW.

Bhushan_D
Contributor

I am using Interactive Analysis from the Log Insight tool.

Is there any KB or document which has all the log interpretation meanings or explanations?

HassanAlKak88
Expert

Check the following: Using vRealize Log Insight to manage and review NSX Distributed Firewall rules


If my reply was helpful, I kindly ask you to like it and mark it as a solution

Regards,
Hassan Alkak