We have a vCloud environment in place that is currently using NSX-V, however we have built an NSX-T environment and attached to the same vCloud environment and are about to start migrations.
On an NSX-V backed ESG, there was an option to specify a syslog server. This was handy as we could send firewall logs to a customer's existing logging solution or to a SIEM. This was done from the ESG > Edge Settings > Syslog Server Settings.
With an NSX-T backed ESG (T1), I am not seeing any similar syslog configuration. The only option I see is the NSX-T Manager Global settings implemented via a profile at System > Fabric > Profiles > Node Profiles > All NSX Nodes.
Has anybody successfully implemented anything here?
You can follow the steps mentioned in the documentation (node profile will work) or try from CLI if you want to be more specific.
Thanks for the info, but I am not clear on how that meets the requirement. I have done exactly what you mentioned using a node profile, but I consider that level of logging to meet our 'provider' or infrastructure requirements. Syslog for a tenant should be an entirely different thing.
Provider (Managers, ETNs etc) > provider syslog
Tenant A ESG 1 > Tenant A syslog
Tenant A ESG 2 > Tenant A syslog
Tenant B ESG 1 > Tenant B syslog
Tenant B ESG 2 > Tenant B syslog
As a provider, neither of these tenant syslog servers will be accessible to us - will not be within our VRF, nor would each tenant syslog be in the same VRF. With vCloud and NSX-V this was easily achieved as the ESG would send the logs to a syslog server which it had network access to. How is this achieved with vCloud underpinned by NSX-T?
As long as the dedicated Edges can reach the Syslog server of the tenants, they will continue to get the same benefit. However, when you have a shared Edge for multiple tenants, it will defeat the purpose. Even in NSX-V, we can technically share an ESG with multiple tenants (shared network), so the challenge was already there.
So that means that with a vCloud environment based on NSX-T, a tenant is no longer able to configure a syslog server by himself? Because he has no access to the NSX nodes, and even if we had dedicated Edges for each tenant, the configuration would have to be done by the provider?
This is correct. T1/T0 is totally different if we compare them with DLR/ESG. If we enable logging on Edges, it applies to all tenants who are sharing the edges. So dedicated edges with provider-managed logging are required.
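The point made above (edge-level logging is global, so a provider with shared edges must own the syslog path and separate tenants itself) can be illustrated with a small provider-side relay. This is an added example, not VMware or vCloud code and not anything from this thread: it assumes a constructed log line format in which each firewall record carries a gateway tag (gw="…"), and a constructed, provider-maintained mapping from T1 gateway name to the tenant's collector. The security-relevant behaviour is that records for an unknown gateway are dropped rather than sent to any default destination, so one tenant's firewall events can never land in another tenant's collector.

```python
"""Provider-side syslog relay: split firewall logs from shared NSX-T edges
per tenant. Added illustration only; the line format, gateway tag and the
gateway-to-collector mapping are constructed assumptions, not NSX-T's format.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed: provider-maintained map of T1 gateway name -> tenant collector.
# The provider's relay reaches these via its own routing/NAT; the edges don't.
TENANT_COLLECTORS: Dict[str, Tuple[str, int]] = {
    "tenantA-T1-gw1": ("10.10.1.50", 514),
    "tenantA-T1-gw2": ("10.10.1.50", 514),
    "tenantB-T1-gw1": ("10.20.1.50", 514),
}

# Constructed line shape: RFC 5424-style header, an NSX structured-data block,
# then a gw="..." tag naming the T1 gateway, then the firewall record.
LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ '
    r'\[nsx@6876 comp="(?P<comp>[^"]*)"[^\]]*\] '
    r'gw="(?P<gw>[^"]+)" (?P<msg>.*)$'
)

# Constructed sample input, labelled as such: two known gateways, one unknown.
SAMPLE_LINES = [
    '<134>1 2024-01-01T10:00:00Z edge-01 NSX 1234 - '
    '[nsx@6876 comp="nsx-edge" subcomp="firewall"] gw="tenantA-T1-gw1" '
    'INET match PASS 1001 OUT 10.0.0.5/34567->192.0.2.10/53 udp',
    '<134>1 2024-01-01T10:00:01Z edge-01 NSX 1234 - '
    '[nsx@6876 comp="nsx-edge" subcomp="firewall"] gw="tenantB-T1-gw1" '
    'INET match DROP 2002 IN 198.51.100.7/44444->10.20.0.9/22 tcp',
    '<134>1 2024-01-01T10:00:02Z edge-01 NSX 1234 - '
    '[nsx@6876 comp="nsx-edge" subcomp="firewall"] gw="unknown-gw" '
    'INET match PASS 3003 OUT 10.30.0.1/1111->192.0.2.20/443 tcp',
]


@dataclass
class Routed:
    gateway: str
    dest: Tuple[str, int]
    payload: str


def route_line(line: str) -> Optional[Routed]:
    """Decide where one line goes. Returns None for lines that must not be
    forwarded: unparseable lines and lines for gateways with no mapping.
    There is deliberately no default collector."""
    m = LINE_RE.match(line)
    if not m:
        return None
    gw = m.group("gw")
    dest = TENANT_COLLECTORS.get(gw)
    if dest is None:
        return None
    return Routed(gw, dest, line)


def udp_send(dest: Tuple[str, int], payload: str) -> None:
    """Default transport: plain UDP syslog (port 514). Swap for TLS in practice."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload.encode("utf-8"), dest)


def forward(lines, send: Callable[[Tuple[str, int], str], None] = udp_send) -> Dict[str, int]:
    """Relay a batch of lines, returning counts so the provider can alert on
    dropped records (an unmapped gateway usually means a missing onboarding step)."""
    counts = {"forwarded": 0, "dropped": 0}
    for line in lines:
        r = route_line(line)
        if r is None:
            counts["dropped"] += 1
            continue
        send(r.dest, r.payload)
        counts["forwarded"] += 1
    return counts


if __name__ == "__main__":
    # Dry run against the constructed sample: print decisions instead of sending.
    print(forward(SAMPLE_LINES, send=lambda d, p: print(f"-> {d[0]}:{d[1]} {p[:60]}...")))
```

In a real deployment the relay would sit on a provider-managed collector that the node profile points the edges at, and the gateway-to-tenant mapping would be kept in step with tenant onboarding; the dropped count is the thing to monitor, since a silently unmapped gateway means a tenant's firewall logs are going nowhere.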
We have an alternative option now if you are using VCD 10.4 + NSX 3.2