5 Replies Latest reply on Mar 20, 2020 6:51 AM by Czernobog

    NSX-T 2.5 - monitor packet logs with Log Insight - no events sent

    Czernobog Hot Shot

      I want to monitor firewall rule rejects (blocked communication) using log insight. I've set up remote logging on my nsx manager using:

      set logging-server [ip] proto udp level info

      also tried it with

      set logging-server [ip] proto udp level info facility syslog messageid FIREWALL,FIREWALL-PKTLOG

      I've also set up a firewall rule to reject some traffic and enabled logging.

      The remote logging seems to work in some way, because when I filter for the nsx-manager hostname in interactive analytics, I can read some events about configuration changes etc., but none are relevant to the network packets sent or rejected. But when selecting one of the NSX-T filters describing the firewall behavior, like for example vmw_nsxt_firewall_action, no events are displayed.

      Also the NSX Distributed Firewall Dashboards display no events.

      What else could be done to import the relevant logs into Log Insight from the NSX-T Manager?

      edit: never mind, it seems to work, although the events need >15 minutes to be passed on to Log Insight, which is another problem now

      edit2: never mind again, the problem still persists - it seems that some events reach Log Insight and some don't

      edit3: the same syslog is configured on the ESXi hosts; the NSX-T Manager and vRLI instance are placed in the same subnet, so communication between them should not be an issue

        • 1. Re: NSX-T 2.5 - monitor packet logs with Log Insight - no events sent
          mauricioamorim Expert
          VMware Employees

          Firewall rule logs are stored on the hosts, and they are the ones that need to send them to the syslog server. That's why you will not find these messages by filtering on the nsx-manager hostname. To check if the logs are being generated, take a look at /var/log/dfwpktlogs.log.

          If the logs are not there, it is not a syslog problem, but maybe you just haven't enabled logging in the firewall rule. Check this doc: About Firewall Rules
          • 2. Re: NSX-T 2.5 - monitor packet logs with Log Insight - no events sent
            RaymundoEC Hot Shot
            VMware Employees, vExpert

            Question: did you put the log check in the FW rule, for example something like a tag Rul2 for rule X?
            • 3. Re: NSX-T 2.5 - monitor packet logs with Log Insight - no events sent
              Czernobog Hot Shot

              I did enable logging on the rule; turns out that the issue was vRLI related. Even though the vCenter integration was in place and all hosts seemed to be configured, some were not sending data to Log Insight.

              I had to unconfigure all hosts and configure them again from Log Insight. After that the hosts started sending data and the reject events are visible. So it works basically just like in NSX-V.

              What I find interesting is that yesterday, when checking the NSX-T Manager as the log source, the following event was logged:

              nsx-manager NSX 31382 FIREWALL [nsx@6876 audit="true" comp="nsx-manager" entId="edb7d290-06c3-47aa-865a-643c351afd44" level="INFO" reqId="1ad3e007-843f-4396-bae5-08b7e34e5b6c" splitId="AYmIpooH" splitIndex="3 of 4" subcomp="manager" username="admin"
              ] "f58fe46b-37cf-4258-993d-26a21da892d2",
              "target_display_name": "xxx/xxx@xxx",
              "target_type": "LogicalPort",
              "is_valid": true
              },
              {
              "target_id": "ip",
              "target_display_name": "ip",
              "target_type": "IPAddress",
              "is_valid": true
              }
              ],
              "destinations": [
              {
              "target_id": "yyy",
              "target_display_name": "yyy/yyy@yyy",
              "target_type": "LogicalPort",
              "is_valid": true
              }
              ],
              "rule_tag": "rejectTest",
              "action": "REJECT",
              "disabled": false,
              "logged": true,
              "direction": "IN_OUT",
              "ip_protocol": "IPV4_IPV6",
              "is_default": false,
              "_revision": 3
              }
              ],
              "resource_type": "FirewallSection",
              "id": "zzz",
              "display_name": "zzz",
              "section_type": "LAYER3",
              "stateful": true,
              "rule_count": 1,
              "is_default": false,
              "locked": false,
              "comments": "Default section unlock comment",
              "lock_modified_by": "admin",
              "lock_modified_time":

               

              Basically, the whole rule is returned, but only the elements which are relevant to the reject action are shown.

              So it seems that (some of) the events are kept on the manager anyway.

              • 4. Re: NSX-T 2.5 - monitor packet logs with Log Insight - no events sent
                mauricioamorim Expert
                VMware Employees

                These are not firewall logs, but audit logs.

                These are related to config changes and are documented here: Log Messages

                • 5. Re: NSX-T 2.5 - monitor packet logs with Log Insight - no events sent
                  Czernobog Hot Shot

                  Ah, you are right. Thanks for the explanation.
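Added example, not code from the thread or from VMware: a small Python parser for the nsx@6876 structured-data element shown in the record quoted above. It separates manager audit records (audit="true", the config-change logs reply 4 refers to) from other NSX-T syslog lines, and reassembles records that NSX-T splits across several syslog messages, which is why the quoted record is marked splitIndex="3 of 4" and starts mid-JSON. The syslog line layout of the sample lines is constructed; only the SD-element format is taken from the post.

```python
import re
from collections import defaultdict

# RFC 5424 structured-data element as emitted by NSX-T, e.g.
# [nsx@6876 audit="true" comp="nsx-manager" splitId="AYmIpooH" splitIndex="3 of 4"]
SD_RE = re.compile(r'\[nsx@6876 ((?:\w+="[^"]*"\s*)+)\]')
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sd(line):
    """Return the nsx@6876 SD-PARAMs of one syslog line as a dict (empty if absent)."""
    m = SD_RE.search(line)
    return dict(PARAM_RE.findall(m.group(1))) if m else {}


def classify(line):
    """'audit' for manager configuration-change records (audit="true"), else 'other'."""
    return "audit" if parse_sd(line).get("audit") == "true" else "other"


def reassemble(lines):
    """Group split records by splitId and join their payloads in splitIndex order.
    Returns {splitId: (joined_payload_or_None, [missing part numbers])}."""
    parts = defaultdict(dict)
    for line in lines:
        sd = parse_sd(line)
        if "splitId" not in sd or "splitIndex" not in sd:
            continue
        idx, total = (int(x) for x in sd["splitIndex"].split(" of "))
        rest = line[SD_RE.search(line).end():]          # MSG part after the SD element
        parts[sd["splitId"]][idx] = (total, rest[1:] if rest.startswith(" ") else rest)
    result = {}
    for sid, chunks in parts.items():
        total = next(iter(chunks.values()))[0]
        missing = [i for i in range(1, total + 1) if i not in chunks]
        joined = None if missing else "".join(chunks[i][1] for i in range(1, total + 1))
        result[sid] = (joined, missing)
    return result


def sample_line(idx, total, payload):
    """Constructed syslog line in the layout of the audit record quoted in the thread."""
    return ('<14>1 2020-03-19T10:00:00Z nsx-manager NSX 31382 FIREWALL '
            '[nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager" '
            f'username="admin" splitId="AYmIpooH" splitIndex="{idx} of {total}"] {payload}')


# Constructed input: parts 1 and 3 of a 3-part audit record arrive, part 2 was lost.
SAMPLE = [sample_line(1, 3, '{"rule_tag": "rejectTest", '),
          sample_line(3, 3, '"action": "REJECT"}')]

if __name__ == "__main__":
    for sid, (payload, missing) in reassemble(SAMPLE).items():
        print(sid, "complete" if payload else f"incomplete, missing parts {missing}")
```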