VMware NSX

  • 1.  NSX : Check who published DFW rule

    Posted Nov 19, 2018 02:45 PM

    Hi team,

    Need your urgent help. I need to know who created a DFW rule using Service Composer in NSX. We are using NSX version 6.3.2.

    There are many users in our environment. I can see there are a few production DFW policies which are compromised (someone added a new IP set and deleted the old one in the wrong way).

    1. Which logs on the ESXi host can tell me who modified or published a DFW rule using Service Composer?

    2. Let's say I don't have access to the ESXi hosts; can I check the same on NSX Manager, e.g. when the policy was published and by which vCenter user?

    Tarun Gupta



  • 2.  RE: NSX : Check who published DFW rule

    Broadcom Employee
    Posted Nov 19, 2018 07:38 PM

    TarunGuptaAccenture,

    Under Events -> Monitor -> Audit Logs you can filter for "modify" or "configuration". For more details, click on the blue "i" icon in the Operation column.

    For future cases I would recommend implementing a process where admins leverage the built-in NSX Ticket Logger. It tags all changes that you make during that session with the ID of your internal ticketing system. See: Using NSX Ticket Logger



  • 3.  RE: NSX : Check who published DFW rule

    Posted Nov 20, 2018 10:37 AM

    Thanks a lot mate,

    It helps, but all I can see are the entries for today or at most yesterday when I search for "modify" or "configuration". Maybe NSX Manager does not store the old entries.

    We have more than 10 datacenters and NSX Ticket Logger is off on all of them. So that also doesn't help.

    Any other option in your mind which can help me here? Any logs on the ESXi hosts or NSX Manager which store logs for a week or so?

    Thanks a lot for your support.

    Tarun Gupta



  • 4.  RE: NSX : Check who published DFW rule
    Best Answer

    Posted Nov 20, 2018 01:37 PM

    There is no straightforward way to find the user who created/modified/deleted any firewall rules; however, you can try the following psql queries in the NSX Manager DB to get some clues:

    ### Find the name of the Service Composer object that has been deleted (say, for example, LB-SG):

    secureall=# select objectid,name from domain_object where objectid like '%securitygroup-%';
          objectid      |  name
    ------------------+-------
     securitygroup-11 | LB-SG

    ### Use the following query to get the username who created/modified/deleted the above SG, with the corresponding timestamp and exactly what was modified or deleted:

    Note: you can use an "Epoch Unix Time Stamp Converter" to convert the following timestamps into an easily readable format:

    secureall=# select username,timestamp,datacenter,operation,status,resourcename,isvcuser,old_value,new_value from audit_logs where username != 'System' and resourcename = 'LB-SG';
              username           |   timestamp   | datacenter | operation | status  | resourcename | isvcuser | old_value | new_value
    -----------------------------+---------------+------------+-----------+---------+--------------+----------+-----------+-----------
     vsphere.local\administrator | 1540299909034 |            | CREATE    | SUCCESS | LB-SG        | true     |           | {"includeList":{"member-1":{"name":"LB-IPset","type":"IPSet"}},"name":"LB-SG"}
     vsphere.local\administrator | 1540302338446 |            | MODIFY    | SUCCESS | LB-SG        | true     | {"includeList":{"member-1":{"name":"LB-IPset","type":"IPSet"}},"name":"LB-SG"} | {"dynamicMembership":"{ [VM.NAME starts_with VM-] }","includeList":{"member-1":{"name":"LB-IPset","type":"IPSet"}},"name":"LB-SG"}
     vsphere.local\administrator | 1542719440928 |            | DELETE    | SUCCESS | LB-SG        | true     | {"dynamicMembership":"{ [VM.NAME starts_with VM-] }","includeList":{"member-1":{"name":"LB-IPset","type":"IPSet"}},"name":"LB-SG"} |
    (3 rows)

    Hope it helps you.

    Thanks,

    Omkar Singh
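The lookup in the answer above turns into a repeatable check once the audit_logs rows are exported and post-processed: the timestamp column in the posted rows is 13 digits, i.e. Unix epoch in milliseconds, and old_value/new_value are JSON blobs of the Security Group definition, so the change that matters (an IP set swapped or a dynamic rule added) can be diffed mechanically instead of read by eye. The script below is an added example, not code from the forum post or from VMware. It assumes the posted query was exported tab-separated with `psql -A -t -F $'\t'` (tabs never occur inside the JSON values), reuses the three LB-SG rows from the answer as constructed sample input, and goes slightly beyond them by also diffing an excludeList if one is present.

```python
"""Readable change history from NSX Manager audit_logs rows.

Added example, not code from the forum post. It assumes the audit_logs query
from the post was exported tab-separated, e.g.

    psql -A -t -F $'\\t' secureall -c "select username,timestamp,datacenter,
        operation,status,resourcename,isvcuser,old_value,new_value
        from audit_logs where resourcename = 'LB-SG';"

and that the timestamp column is Unix epoch milliseconds (13 digits), which is
what the posted values look like.
"""
import json
from datetime import datetime, timezone

COLUMNS = ["username", "timestamp", "datacenter", "operation", "status",
           "resourcename", "isvcuser", "old_value", "new_value"]

# Constructed sample input: the three LB-SG rows shown in the post, in the
# tab-separated form the psql command above prints (NULLs print as empty).
SAMPLE_EXPORT = "\n".join("\t".join(fields) for fields in [
    ["vsphere.local\\administrator", "1540299909034", "", "CREATE", "SUCCESS", "LB-SG", "true",
     "",
     '{"includeList":{"member-1":{"name":"LB-IPset","type":"IPSet"}},"name":"LB-SG"}'],
    ["vsphere.local\\administrator", "1540302338446", "", "MODIFY", "SUCCESS", "LB-SG", "true",
     '{"includeList":{"member-1":{"name":"LB-IPset","type":"IPSet"}},"name":"LB-SG"}',
     '{"dynamicMembership":"{ [VM.NAME starts_with VM-] }","includeList":{"member-1":{"name":"LB-IPset","type":"IPSet"}},"name":"LB-SG"}'],
    ["vsphere.local\\administrator", "1542719440928", "", "DELETE", "SUCCESS", "LB-SG", "true",
     '{"dynamicMembership":"{ [VM.NAME starts_with VM-] }","includeList":{"member-1":{"name":"LB-IPset","type":"IPSet"}},"name":"LB-SG"}',
     ""],
])


def epoch_ms_to_iso(ms):
    """Convert an audit_logs timestamp (epoch milliseconds) to UTC ISO-8601."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_export(text):
    """Turn the tab-separated psql export into one dict per audit row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def membership(value):
    """Flatten a Security Group JSON blob into a set of comparable member keys."""
    if not value:
        return set()
    sg = json.loads(value)
    keys = set()
    for list_name in ("includeList", "excludeList"):
        for member in sg.get(list_name, {}).values():
            keys.add(f"{list_name[:-4]}:{member['type']}:{member['name']}")
    if "dynamicMembership" in sg:
        rule = sg["dynamicMembership"]
        keys.add("dynamic:" + (rule if isinstance(rule, str) else json.dumps(rule, sort_keys=True)))
    return keys


def diff_membership(old_value, new_value):
    """Return (added, removed) member keys between the old and new definition."""
    old, new = membership(old_value), membership(new_value)
    return sorted(new - old), sorted(old - new)


def change_history(text, exclude_users=("System",)):
    """Chronological list of who changed what, skipping system-generated rows."""
    events = []
    for row in sorted(parse_export(text), key=lambda r: int(r["timestamp"])):
        if row["username"] in exclude_users:
            continue
        added, removed = diff_membership(row["old_value"], row["new_value"])
        events.append({"when": epoch_ms_to_iso(row["timestamp"]), "who": row["username"],
                       "operation": row["operation"], "status": row["status"],
                       "object": row["resourcename"], "added": added, "removed": removed})
    return events


def format_event(event):
    """One line per change, suitable for pasting into an incident timeline."""
    parts = [event["when"], event["who"], event["operation"], event["object"], event["status"]]
    if event["added"]:
        parts.append("+" + ",".join(event["added"]))
    if event["removed"]:
        parts.append("-" + ",".join(event["removed"]))
    return " ".join(parts)


if __name__ == "__main__":
    for event in change_history(SAMPLE_EXPORT):
        print(format_event(event))
```

Run against the sample, the three rows come out as a timeline in UTC: the group is created at 2018-10-23T13:05:09Z with `include:IPSet:LB-IPset`, a dynamic `VM.NAME starts_with VM-` rule is added forty minutes later, and on 2018-11-20T13:10:40Z the whole group is deleted, losing both members. For a real investigation, drop the `resourcename` filter in the export and keep a timestamp lower bound instead, so every Security Group and IP set touched in the window shows up in one list.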