NSX-T IDFW log events are not being learnt by NSX-T when log scrapping is configured
Article ID: 322574
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
- You are using IDFW NSX-T 3.2.0 or 3.2.0.1.
- IDFW is configured to use log scraping.
- Log scrapping fails to detect events related to user login and logout from the ldap server.
- If we do an API call to check user sessions:
GET https://{{ip}}/policy/api/v1/infra/settings/firewall/idfw/user-session-data
{
"active_user_sessions": [
{
"id": "########-####-####-####-############",
"domain_name": "IDFW",
"user_name": "user1",
"user_id": "",
"vm_ext_id": "########-####-####-####-############",
"user_session_id": 2,
"login_time": 1635850776234,
"logout_time": 0,
"session_source": "GI"
},
...
],
"dir_group_to_user_session_data_mappings": []
}
Environment
VMware NSX-T Data Center
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center 3.x
Cause
Log scrapper in not functioning correctly and is unable to return the events.
From the API call above we see the domain_name is upper case:
"domain_name": "IDFW"
This is due to an issue in NSX-T 3.2.0 and 3.2.0.1 where the configured netbios name in NSX-T (case sensitivity) does not match that of the ldap server.
It should match the case from the result of the query run to return the netobios name from the ldap server.
Please review guide to see steps on finding the netbios name: Configuring Active Directory and Event Log Scraping
Resolution
This is a known issue and fixed on VMware NSX-T Data Center 3.2.1 and onwards.
Workaround:
Enter the netbios name of the ldap server in the case which was returned from the query above, so that it will match the case used by the ldap server.
Workaround:
Enter the netbios name of the ldap server in the case which was returned from the query above, so that it will match the case used by the ldap server.
Feedback
Yes
No
Powered by
