NSX-T IDFW log events are not being learnt by NSX-T when log scraping is configured

Article ID: 322574

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:

  • You are using IDFW on NSX-T 3.2.0 or 3.2.0.1.
  • IDFW is configured to use log scraping.
  • Log scraping fails to detect events related to user login and logout from the LDAP server.
  • An API call to check user sessions returns the following:
GET https://{{ip}}/policy/api/v1/infra/settings/firewall/idfw/user-session-data
{
    "active_user_sessions": [
        {
            "id": "########-####-####-####-############",
            "domain_name": "IDFW",
            "user_name": "user1",
            "user_id": "",
            "vm_ext_id": "########-####-####-####-############",
            "user_session_id": 2,
            "login_time": 1635850776234,
            "logout_time": 0,
            "session_source": "GI"
        },
...
    ],
    "dir_group_to_user_session_data_mappings": []
}



Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

The log scraper is not functioning correctly and is unable to return the events.
From the API call above we see the domain_name is in upper case:
"domain_name": "IDFW"
This is due to an issue in NSX-T 3.2.0 and 3.2.0.1 where the NetBIOS name configured in NSX-T does not match, in letter case, that of the LDAP server.
It should match the case of the result of the query run to return the NetBIOS name from the LDAP server.
Please review the guide for the steps to find the NetBIOS name:
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-8B60D22B-3119-48F6-AEAE-AE27A9372189.html

Resolution

This is a known issue in NSX-T Data Center.

Workaround:
Enter the NetBIOS name of the LDAP server in the same case as returned by the query above, so that it matches the case used by the LDAP server.
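
An added example, not from VMware or the original article: a Python check that compares the domain_name values in a user-session-data response with the NetBIOS name returned by the LDAP query and flags names that differ only in case. The sample response, the value "idfw" and the function names are constructed for illustration; it assumes domain_name reflects the NetBIOS name configured in NSX-T.

```python
import json
from collections import Counter

# Constructed sample shaped like the user-session-data response shown above.
SAMPLE_RESPONSE = json.loads("""
{
  "active_user_sessions": [
    {"id": "constructed-1", "domain_name": "IDFW", "user_name": "user1",
     "user_session_id": 2, "login_time": 1635850776234, "logout_time": 0,
     "session_source": "GI"},
    {"id": "constructed-2", "domain_name": "IDFW", "user_name": "user2",
     "user_session_id": 3, "login_time": 1635850779000, "logout_time": 0,
     "session_source": "GI"}
  ],
  "dir_group_to_user_session_data_mappings": []
}
""")

def classify(domain_name, ldap_netbios):
    """Compare a name seen in NSX-T with the name the LDAP query returned."""
    if domain_name == ldap_netbios:
        return "match"
    if domain_name.casefold() == ldap_netbios.casefold():
        return "case_mismatch"  # the condition this article describes
    return "different_domain"

def audit_sessions(response, ldap_netbios):
    """Summarise domain-name case and session sources in the response."""
    sessions = response.get("active_user_sessions", [])
    names = Counter(s.get("domain_name", "") for s in sessions)
    verdicts = {n: classify(n, ldap_netbios) for n in names}
    return {
        "domains": verdicts,
        "sources": dict(Counter(s.get("session_source", "") for s in sessions)),
        "needs_fix": "case_mismatch" in verdicts.values(),
    }

if __name__ == "__main__":
    # "idfw" is a constructed stand-in for the LDAP query result.
    print(json.dumps(audit_sessions(SAMPLE_RESPONSE, "idfw"), indent=2))
```

Running the same check after applying the workaround should report "match" for the domain and needs_fix as false.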