leotaglietti
Enthusiast

Is vRealize Log Insight able to log traffic from VLAN-backed segments of NSX-T?

Hello guys. 

I'm facing a problem using vRealize Log Insight to log VLAN-backed traffic.

I created a VLAN-backed segment, and all my VMs are attached to this port-group segment and working well. I created two Distributed Firewall rules, one called Catchall-Inbound and the other Catchall-Outbound, with this VLAN-backed subnet as the source and destination. These two rules have any destination and any source for any services.

I enabled the "Logging" option on each DFW rule and set a Log Label to find the rules more easily in vRealize Log Insight. I am sure that these two rules are working, because when I disable both rules the traffic immediately stops. But in vRealize Log Insight, when I go to the events tab, I can't see any traffic on these two rules. But when I set the DFW to accept traffic from Overlay Networking, vRealize Log Insight immediately shows all the traffic.

My doubt is: can the NSX-T DFW rules and vRealize Log Insight only log traffic coming from overlay networks? Or can we do the same for a VLAN-backed segment, since we can normally apply DFW rules to a VLAN-backed segment?

RickVerstegen
Expert

You can also log traffic from NSX-T VLAN-backed segments. How is the query set up in vRealize Log Insight?

Also please check on the host /var/log/dfwpktlogs.log to see if these DFW rules are logged.

Was I helpful? Give a kudo for appreciation!
Blog: https://rickverstegen84.wordpress.com/
Twitter: https://twitter.com/verstegenrick
leotaglietti
Enthusiast

Thanks for your answer. 

I enabled the logging toggle on the DFW rule and set the log label. In vRealize Log Insight, I filter the search by the log label, but vRealize Log Insight doesn't register any VLAN-backed activity when traffic hits the DFW rule; only overlay activity is registered.

Regards.

RickVerstegen
Expert

Just to be sure, you created VLAN-backed NSX-T segments in NSX-T and attached them to virtual machines, right?
So no DvPG.

leotaglietti
Enthusiast

Hello Rick. 

Yes, that's right. I'm using VLAN-backed NSX-T segments and no distributed switch port groups.

RickVerstegen
Expert

Which NSX-T and Log Insight versions are you using?
Did you check if the VMs have VMTools installed and running?
I tested in a lab with NSX-T VLAN-backed segments and it is working fine on my side; I used the query vmw_nsxt_firewall_src starts with <your IP>. For some reason, contains does not work for me to get the results.

You can also query on appname contains firewall_pktlog.


leotaglietti
Enthusiast

Hello Rick. 

I would like to thank you again for your time and help here. 

I am now able to log VLAN-backed traffic in vRealize Log Insight, using NSX-T 4.0.0.1.0.20159689 and vRealize Log Insight 8.8.2-20056468. Plus, I hadn't configured vRealize Log Insight as the ESXi hosts' syslog, and now I have configured it. It's working perfectly.

Thank you again. 
