VMware NSX

  • 1.  NSX Firewall traffic logs, syslog server.

    Posted Oct 12, 2017 02:46 PM

    Folks,

    We have a syslog server configured on our NSX and the NSX sends the logs to this server. However, what we are getting is only the audit/system logs.

    What we need to see is the traffic logs which shows the hits for allow and deny.

    Could someone help on any guidance with reference to this?

    Thanks!!!



  • 2.  RE: NSX Firewall traffic logs, syslog server.
    Best Answer

    Posted Oct 12, 2017 02:55 PM

    Hi neel,

       I have spent days troubleshooting this issue...

       You need to configure syslog server settings on the ESX servers to see the packet allow/drop.

       DFW uses the vmkernel mgmt. IP to send logs to the syslog server.

       Please look into the KB article below on how to configure the syslog server in ESX.

       Configuring syslog on ESXi (2003322) | VMware KB



  • 3.  RE: NSX Firewall traffic logs, syslog server.

    Posted Oct 13, 2017 11:30 AM

    Thanks mate!!! I think this is exactly what we are looking at.

    However, what could be the effect of enabling the syslog at a root level?

    Is there a chance of any impact to performance? We are only looking for the DFW traffic logs and do not want all logs from the ESX host.



  • 4.  RE: NSX Firewall traffic logs, syslog server.

    Posted Oct 13, 2017 11:25 PM

    I don't have a supporting document, but it should not impact the performance, and it is one of the best practices to configure remote logging to syslog.

    If you ask a VMware partner/professional services for a health check/health analyzer, remote logging to syslog will be one of the best practice items.

    This will improve administration, management, monitoring, troubleshooting and root cause analysis.

    The DFW logs are part of ESXi so you would need to configure the ESXi syslog as part of the Syslog.global.loghost.

    FYI, if you are entitled to NSX licenses then you would also be entitled to a vRealize Log Insight for NSX license.

    vRealize Log Insight for NSX FAQ (2145800) | VMware KB

    The NSX content pack for Log Insight would help you to analyse firewall traffic logs, e.g. top allowed/blocked rules, top sources/destinations, ports, etc.

    NSX Content Pack For Log Insight: Overview - YouTube



  • 5.  RE: NSX Firewall traffic logs, syslog server.

    Posted Oct 12, 2017 10:41 PM

    By default, firewall rules/traffic are not logged.

    You would need to set each rule to Log as per this doc: Firewall Logs

    Here are the steps to log a DFW rule:

    1. Enable the Log column on the Networking & Security > Firewall page.

    2. Enable logging for a rule by hovering over the Log table cell and clicking the pencil icon.

    As per the doc, the DFW log is stored on each host in /var/log/dfwpktlogs.log by default.

    Look for the dfwpktlogs.log file.
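
Added example, not part of the thread or of VMware's tooling: once the ESXi hosts forward all their logs, a collector-side filter like this keeps only the DFW rule hits and tallies allow/deny per rule. The line layout in the comment and the sample lines are assumptions constructed for illustration; adjust the pattern to what your hosts actually emit.

```python
import re
from collections import Counter

# Assumed layout of a forwarded DFW rule-hit line (the thread shows no sample):
# <ts> <host> dfwpktlogs: <id> INET match <ACTION> <domain>/<rule> <IN|OUT>
#   <len> <PROTO> <src>[/<sport>]-><dst>[/<dport>] [flags]
# Ports are optional so that portless protocols still parse.
HIT = re.compile(
    r"(?P<host>\S+)\s+dfwpktlogs:.*?\bmatch\s+(?P<action>[A-Z]+)\s+"
    r"\S+/(?P<rule>\d+)\s+(?P<dir>IN|OUT)\s+\d+\s+(?P<proto>\S+)\s+"
    r"(?P<src>[0-9A-Fa-f:.]+)(?:/(?P<sport>\d+))?->"
    r"(?P<dst>[0-9A-Fa-f:.]+)(?:/(?P<dport>\d+))?"
)

# Constructed sample input: mixed ESXi syslog as a collector might receive it.
SAMPLE = """\
2017-10-13T11:30:01.104Z esx01.example.local dfwpktlogs: 28211 INET match PASS domain-c7/1005 IN 60 TCP 10.0.10.21/51234->10.0.20.5/443 S
2017-10-13T11:30:02.377Z esx01.example.local dfwpktlogs: 28211 INET match DROP domain-c7/1002 IN 242 UDP 10.0.10.21/138->10.0.10.255/138
2017-10-13T11:30:03.010Z esx02.example.local dfwpktlogs: 30112 INET match DROP domain-c7/1002 IN 60 TCP 10.0.30.7/40022->10.0.20.5/22 S
2017-10-13T11:30:03.950Z esx02.example.local dfwpktlogs: 30112 INET match DROP domain-c7/1002 IN 60 TCP 10.0.30.7/40023->10.0.20.5/22 S
2017-10-13T11:30:05.000Z esx02.example.local vmkernel: cpu3:66021)NMP: unrelated host message
2017-10-13T11:30:06.000Z esx02.example.local dfwpktlogs: 30112 INET TERM domain-c7/1005 IN TCP FIN 10.0.10.21/51234->10.0.20.5/443 10/8 1200/900
"""

def parse_line(line):
    """Return the fields of a DFW rule-hit line, or None for any other line."""
    m = HIT.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count hits per (rule, action), denied flows, and the reporting hosts."""
    hits, denied, hosts = Counter(), Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # audit/system/vmkernel noise and session-end lines
            continue
        hosts.add(rec["host"])
        hits[(rec["rule"], rec["action"])] += 1
        if rec["action"] != "PASS":
            denied[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return hits, denied, hosts

if __name__ == "__main__":
    hits, denied, hosts = summarize(SAMPLE.splitlines())
    for (rule, action), n in hits.most_common():
        print(f"rule {rule:>6} {action:<6} {n}")
    for flow, n in denied.most_common(3):
        print("denied", flow, n)
```

A host missing from the returned host set is a quick sign that its syslog forwarding is not configured yet.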



  • 6.  RE: NSX Firewall traffic logs, syslog server.

    Posted Oct 14, 2017 03:25 AM

    Hi Bayu,

      I am afraid now, we have NOT "Enabled the Log column on the Networking & Security > Firewall page." but still I see the DFW allow/drop packets inside vRLI.

      Strange, but I can see the traffic logged inside vRLI.