rajeevsrikant
Expert

NSX DFW Logs - Syslog

I am planning to send all my DFW logs to a syslog server.

What is the best option to use keyword filtering so that only the logs related to DFW are sent to a particular folder in the syslog server?

All logs will be received by the syslog server in a common folder. I need to apply a keyword which will filter only the DFW logs and send them to a particular destination folder.

3 Replies
bayupw
Leadership

As per the NSX Firewall Logs documentation, logs are stored on each host in /var/log/dfwpktlogs.log

So you should be able to filter by 'dfwpktlogs'.

There is also a blog post as a reference on how to use Logstash to filter DFW logs here: https://everythingshouldbevirtual.com/vmware-nsx-firewall-logging-logstash/

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
rajeevsrikant
Expert

Thanks, bayupw.

I would like to clarify: when the ESXi host sends the logs to the syslog server, is the entire log file dfwpktlogs.log sent to the syslog server, or only the logs inside dfwpktlogs.log?

If only the logs are sent, what keyword do I need to use in the syslog server to filter out only the NSX DFW logs so that they can be put into a separate folder?

cnrz
Expert

Each separate log line inside the dfwpktlogs.log file is sent to the syslog server, not the file itself, although the name is the same. Each of these lines contains the word dfwpktlogs, which indicates that it comes from the NSX DFW logged rules. So, as pointed out previously, the dfwpktlogs keyword could be used to select DFW logs and put them in a separate folder.

In addition, Rule-Id, source and destination ports and IP addresses could be used to filter the logs. These links could be helpful:

Using vRealize Log Insight to manage and review NSX Distributed Firewall rules

http://networkinferno.net/filtering-based-on-distributed-firewall-ruleid-for-nsx 

http://networkinferno.net/validating-distributed-firewall-rulesets-in-nsx

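An added example, not part of any reply in this thread: Python that selects the lines tagged dfwpktlogs from a mixed syslog feed, writes them to a separate folder, and narrows them by rule ID, address or port as the last reply suggests. The sample lines are constructed, and the field layout after the `dfwpktlogs:` tag, the output file name `dfw.log` and the names `parse_dfw`, `split_to_folder` and `filter_records` are assumptions for illustration. It goes one step past a bare keyword match by requiring the tag in the program-name position, so unrelated lines that merely mention the file name are not routed.

```python
import os
import re

# Constructed sample feed as a syslog server might receive it (assumed layout).
SAMPLE_LINES = [
    "2016-02-05T10:12:01.123Z esx01.example.local dfwpktlogs: 12345 INET match PASS domain-c7/1001 IN 60 TCP 10.0.0.5/51234->10.0.0.10/443 S",
    "2016-02-05T10:12:02.456Z esx01.example.local Hostd: info hostd[12AB] Task Created : haTask-ha-host",
    "2016-02-05T10:12:03.789Z esx02.example.local dfwpktlogs: 12346 INET match DROP domain-c7/1002 IN 242 UDP 10.0.0.7/138->10.0.0.255/138",
    "2016-02-05T10:12:04.001Z esx02.example.local vmkernel: note mentioning dfwpktlogs.log rotation",
]

# Timestamp, host, then the dfwpktlogs tag; ports are optional (e.g. ICMP).
DFW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+dfwpktlogs:\s+.*?\bmatch\s+(?P<action>\w+)\s+"
    r"(?P<ruleset>[^/\s]+)/(?P<rule_id>\d+)\s+(?P<dir>IN|OUT)\s+\d+\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)(?:/(?P<sport>\d+))?->(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

def parse_dfw(line):
    """Return the parsed fields of a DFW packet-log line, or None."""
    m = DFW_RE.match(line)
    return m.groupdict() if m else None

def split_to_folder(lines, dest_dir):
    """Append DFW lines to dest_dir/dfw.log and return their parsed records."""
    os.makedirs(dest_dir, exist_ok=True)
    records = []
    with open(os.path.join(dest_dir, "dfw.log"), "a") as fh:
        for line in lines:
            rec = parse_dfw(line)
            if rec:
                fh.write(line + "\n")
                records.append(rec)
    return records

def filter_records(records, **wanted):
    """Keep records whose fields equal every given value, e.g. rule_id=1002."""
    return [r for r in records
            if all(r.get(k) == str(v) for k, v in wanted.items())]

if __name__ == "__main__":
    import tempfile
    recs = split_to_folder(SAMPLE_LINES, tempfile.mkdtemp())
    for r in filter_records(recs, action="DROP"):
        print(r["host"], r["rule_id"], r["src"], "->", r["dst"])
```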