Hello,
After configuring ESXi hosts to send NSX dFW logs to a syslog server, the logs can be observed:
I could not find information about the S or SEW flags in the log entries. The documentation mentions the Rule Id, Cluster Id, Pass or Drop fields. Is it possible that each TCP session log is composed of multiple log entries?
vSphere 5.5 Administration Guide:
https://pubs.vmware.com/NSX-6/index.jsp?topic=%2Fcom.vmware.nsx.admin.doc%2FGUID-ECEE0A32-88D5-4E82-...
vSphere 6 Doc:
https://pubs.vmware.com/NSX-62/index.jsp#com.vmware.nsx.admin.doc/GUID-6F9DC53E-222D-464B-8613-AB2D5...
2015-12-03T08:56:25.241Z esx03 dfwpktlogs: INET match PASS domain-c41/1001 OUT 60 TCP 192.168.1.11/33790->192.168.1.12/22 S (for some entries SEW)
http://www.breekeenbeen.nl/2015/12/03/nsx-dfw-logging-to-syslog-server/
| Entity | Possible Values |
|---|---|
| AF Value | INET, INET6 |
| Reason | match, bad-offset, fragment, short, normalize, memory, bad-timestamp, congestion, ip-option, proto-cksum, state-mismatch, state-insert, state-limit, src-limit, synproxy, spoofguard |
| Action | PASS, DROP, SCRUB, NOSCRUB, NAT, NONAT, BINAT, NOBINAT, RDR, NORDR, SYNPROXY_DROP, PUNT, REDIRECT, COPY |
| Rule identifier | Identifier |
| Rule value | Ruleset ID and Rule position (internal details) |
| Rule set identifier | Identifier |
| Rule set value | Ruleset name |
| Rule ID identifier | Identifier |
| Rule ID | ID matched |
| Direction | OUT, IN |
| Length identifier | Len followed by variable |
| Length value | Packet length |
| Source identifier | SRC |
| Source IP address | IP address |
| Destination identifier | IP address |
| Protocol | TCP, UDP, PROTO |
| Source port identifier | SPORT |
| Source port | Source port number for TCP and UDP |
| Source port identifier | Destination port identifier |
| Destination port | Destination port number for TCP and UDP |
| Flag | Flag for TCP |
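As an added example (not part of the original post, and not VMware's own tooling), the following Python parser reads dfwpktlogs lines in the exact shape of the entry quoted above, splits the `domain-c41/1001` field into cluster id and rule id, and groups entries by 5-tuple so that several entries belonging to one TCP connection can be seen together. The interpretation of the trailing flag letters is an assumption: they are decoded here with the single-letter TCP flag abbreviations used by tcpdump and pf (S = SYN, E = ECE, W = CWR, so `SEW` would be an ECN-setup SYN); unknown letters are kept as-is rather than guessed. Only the first sample line is taken from the post; the other three are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the entry quoted in the post, the other
# three are made up here to show a second entry for the same connection, a
# DROP, and a UDP entry without a flag field.
SAMPLE_LOGS = """\
2015-12-03T08:56:25.241Z esx03 dfwpktlogs: INET match PASS domain-c41/1001 OUT 60 TCP 192.168.1.11/33790->192.168.1.12/22 S
2015-12-03T08:56:25.243Z esx03 dfwpktlogs: INET match PASS domain-c41/1001 OUT 60 TCP 192.168.1.11/33790->192.168.1.12/22 SEW
2015-12-03T08:56:26.001Z esx03 dfwpktlogs: INET match DROP domain-c41/1003 IN 40 TCP 10.0.0.5/51000->192.168.1.12/445 S
2015-12-03T08:56:27.000Z esx03 dfwpktlogs: INET match PASS domain-c41/1001 OUT 76 UDP 192.168.1.11/50000->192.168.1.12/53
"""

# Field order follows the quoted log line: timestamp, host, AF, reason, action,
# cluster/rule, direction, length, protocol, src/port->dst/port, optional flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: "
    r"(?P<af>INET6?) (?P<reason>\S+) (?P<action>\S+) (?P<rule>\S+) "
    r"(?P<direction>IN|OUT) (?P<length>\d+) (?P<proto>\S+) "
    r"(?P<src_ip>[^/]+)/(?P<src_port>\d+)->(?P<dst_ip>[^/]+)/(?P<dst_port>\d+)"
    r"(?: (?P<flags>[A-Z]+))?$"
)

# Assumption: flag letters use tcpdump/pf abbreviations. Not confirmed by the
# NSX documentation quoted in the post.
TCP_FLAG_LETTERS = {
    "S": "SYN", "F": "FIN", "R": "RST", "P": "PSH",
    "U": "URG", "E": "ECE", "W": "CWR",
}


def decode_flags(flag_field):
    """Expand a flag string such as 'SEW' into names; unknown letters become '?X'."""
    if not flag_field:
        return []
    return [TCP_FLAG_LETTERS.get(ch, "?" + ch) for ch in flag_field]


def parse_line(line):
    """Parse one dfwpktlogs line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    cluster_id, _, rule_id = rec["rule"].partition("/")
    rec["cluster_id"] = cluster_id
    rec["rule_id"] = rule_id
    rec["length"] = int(rec["length"])
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["flag_names"] = decode_flags(rec["flags"]) if rec["proto"] == "TCP" else []
    return rec


def sessions(text):
    """Group entries by (proto, src_ip, src_port, dst_ip, dst_port).

    Several entries under one key are the packets the dFW logged for the same
    connection, which is the 'multiple entries per TCP session' case asked about.
    """
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than mis-attribute it
        key = (rec["proto"], rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"])
        groups[key].append((rec["ts"], rec["action"], rec["flags"] or ""))
    return dict(groups)


def dropped_syns(text):
    """Entries a defender would review: DROP of a bare TCP SYN (blocked connection attempt)."""
    return [rec for rec in (parse_line(l) for l in text.splitlines())
            if rec and rec["action"] == "DROP" and rec["flag_names"] == ["SYN"]]


if __name__ == "__main__":
    for key, entries in sessions(SAMPLE_LOGS).items():
        print(key, entries)
    for rec in dropped_syns(SAMPLE_LOGS):
        print("dropped SYN by rule", rec["rule_id"], "in", rec["cluster_id"])
```

Grouping by 5-tuple is the quick way to check the question in the post against real data: if one connection produces one entry per logged packet, the `S`/`SEW` entries for the same source and destination ports will land under the same key. The `dropped_syns` helper shows the same parsed records feeding a simple detection rule, with the rule id and cluster id kept so that a hit can be traced back to the dFW rule that fired.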