I am planning to send all my DFW logs to a syslog server.
What is the best option to use keyword filtering so that only the logs related to DFW are sent to a particular folder on the syslog server?
All logs will be received by the syslog server in a common folder. I need to apply a keyword which will filter only the DFW logs and send them to a particular destination folder.
As per the NSX Firewall Logs documentation, logs are stored on each host in /var/log/dfwpktlogs.log,
so you should be able to filter by 'dfwpktlogs'.
There is also a blog post as a reference on how to use Logstash to filter DFW logs here: https://everythingshouldbevirtual.com/vmware-nsx-firewall-logging-logstash/
Thanks bayupw.
I would like to clarify: when the ESXi host sends the logs to the syslog server, is the entire log file dfwpktlogs.log sent to the syslog server, or only the log lines inside dfwpktlogs.log?
If only the log lines are sent, what keyword do I need to use on the syslog server to filter out only the NSX DFW logs so that they can be put into a separate folder?
Each separate log line inside the dfwpktlogs.log file is sent to the syslog server, not the file itself (although the name is the same). Each of these lines contains the word dfwpktlogs, which indicates that it comes from the NSX DFW logged rules. So, as pointed out previously, the dfwpktlogs keyword could be used to select DFW logs and put them into a separate folder.
In addition, Rule-Id, source and destination ports and IP addresses could be used to filter the logs. These links could be helpful:
Using vRealize Log Insight to manage and review NSX Distributed Firewall rules
http://networkinferno.net/filtering-based-on-distributed-firewall-ruleid-for-nsx
http://networkinferno.net/validating-distributed-firewall-rulesets-in-nsx
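As an added example (not code from the thread or from VMware), here is a small Python filter that does what the two answers describe: it selects only the syslog lines carrying the dfwpktlogs keyword so they can be written to a separate folder, and then pulls Rule-Id, action, addresses and ports out of those lines so they can be filtered further. The sample lines and the field layout after the dfwpktlogs: tag are constructed for this example and are an assumption, so adjust the regular expression to the exact format your hosts emit.

```python
import re
from pathlib import Path

KEYWORD = "dfwpktlogs"

# Constructed sample syslog lines (not real captures). The layout of the
# fields after "dfwpktlogs:" is an assumption made for this example.
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z esx01 dfwpktlogs: 1234 INET match PASS domain-c7/1003 IN 52 TCP 10.0.0.5/51234->10.0.1.10/443 S",
    "2024-01-01T10:00:01Z esx01 vmkernel: cpu0: unrelated kernel message",
    "2024-01-01T10:00:02Z esx02 dfwpktlogs: 1234 INET match DROP domain-c7/1001 IN 52 TCP 192.0.2.7/40000->10.0.1.10/22 S",
    "2024-01-01T10:00:03Z esx02 hostd: [Originator@6876 sub=Vimsvc] unrelated",
]

# Assumed field layout: <timestamp> <host> dfwpktlogs: <id> INET match
# <ACTION> <rule-path> <IN|OUT> <len> <PROTO> <src>/<sport>-><dst>/<dport> ...
DFW_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<host>\S+)\s+dfwpktlogs:\s+\S+\s+INET\s+match\s+"
    r"(?P<action>PASS|DROP|REJECT)\s+(?P<rule>\S+)\s+(?P<dir>IN|OUT)\s+\d+\s+"
    r"(?P<proto>\S+)\s+(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def is_dfw_line(line: str) -> bool:
    """Keyword test: the line came from the DFW if it carries dfwpktlogs."""
    return KEYWORD in line


def route_lines(lines):
    """Split a stream of syslog lines into DFW lines and everything else."""
    routed = {"dfw": [], "other": []}
    for line in lines:
        routed["dfw" if is_dfw_line(line) else "other"].append(line)
    return routed


def write_routed(lines, dfw_dir: Path, other_dir: Path) -> dict:
    """Write DFW lines to their own folder, the rest to the common folder."""
    routed = route_lines(lines)
    for key, folder in (("dfw", dfw_dir), ("other", other_dir)):
        folder.mkdir(parents=True, exist_ok=True)
        (folder / f"{KEYWORD if key == 'dfw' else 'syslog'}.log").write_text(
            "".join(l + "\n" for l in routed[key])
        )
    return {k: len(v) for k, v in routed.items()}


def parse_dfw_line(line: str):
    """Extract action, rule id, addresses and ports; None for non-DFW lines."""
    m = DFW_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # The numeric rule id is the last path element of the rule field.
    fields["rule_id"] = fields["rule"].rsplit("/", 1)[-1]
    return fields


def select_by_rule(lines, rule_id: str):
    """Second-stage filter: only DFW lines that matched a given Rule-Id."""
    parsed = (parse_dfw_line(l) for l in lines if is_dfw_line(l))
    return [p for p in parsed if p and p["rule_id"] == rule_id]


if __name__ == "__main__":
    counts = write_routed(SAMPLE_LINES, Path("out/dfw"), Path("out/common"))
    print(counts)
    for hit in select_by_rule(SAMPLE_LINES, "1001"):
        print(hit["action"], hit["src"], hit["sport"], "->", hit["dst"], hit["dport"])
```

On an rsyslog server the keyword stage is usually done in the configuration rather than in a script: a property-based filter such as `:msg, contains, "dfwpktlogs"` followed by a file action and `& stop` sends only those lines to the dedicated file and keeps them out of the common log. The parsing stage above is what you would add when you also want to select by Rule-Id, address or port, as the second answer suggests.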