[VMC on AWS] NSXT-IDPS events are truncated when exported to Log Insight

Article ID: 329804


Products

VMware Cloud on AWS

Issue/Introduction

This article provides information regarding the default syslog message length on the ESXi host.


Symptoms:

When NSX-T Distributed IDS/IPS on an SDDC in AWS is set to export events to Log Insight Cloud, the longer events of the NSXT-IDPS type are truncated and the whole event is not always received. In the attached screenshot, the first IDPS event appears to be complete, but the second one stops abruptly at "pkt" with statements still open.



Cause

The issue is caused by the default syslog message length on the ESXi host, which is 1024.

Resolution

The issue is fixed in M18v10 and the upcoming M20v3. 


Workaround:

Raise a Support Request with VMware Support to have the workaround implemented for the specific SDDC.


Additional Information

NA


Impact/Risks:

The customer is not able to view the complete IDS/IPS message log in vRealize Log Insight Cloud (vRLIC).
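
To find which exported IDPS events were cut short, the check below flags log lines whose payload ends with braces, brackets or a quoted string still open, and reports the line length for comparison with the 1024 default. It is an added example, not VMware code; it assumes the event body is a JSON-style payload starting at the first "{", and the sample lines and field names are constructed, not real NSX output.

```python
import json

ESXI_DEFAULT_SYSLOG_MAX = 1024  # default message length stated in this article
CLOSERS = {"{": "}", "[": "]"}

def open_delimiters(payload):
    """Return the delimiters still open at the end of payload ('"' = open string)."""
    stack, in_string, escaped = [], False, False
    for ch in payload:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in CLOSERS:
            stack.append(ch)
        elif ch in "}]" and stack and CLOSERS[stack[-1]] == ch:
            stack.pop()
    return stack + (['"'] if in_string else [])

def check_event(line):
    """Classify one exported log line; payload is assumed to start at the first '{'."""
    start = line.find("{")
    still_open = open_delimiters(line[start:] if start >= 0 else "")
    return {
        "bytes": len(line.encode("utf-8")),
        "truncated": bool(still_open),
        "open": "".join(still_open),
    }

def sample(pad):
    # Constructed sample line: hypothetical header and field names.
    body = {"event_type": "alert", "signature": "S" * pad, "pkt": {"len": 60}}
    return "constructed-host NSXT-IDPS " + json.dumps(body)

COMPLETE = sample(40)
TRUNCATED = sample(2000)[:ESXI_DEFAULT_SYSLOG_MAX]  # cut at the default length

if __name__ == "__main__":
    for name, line in (("complete", COMPLETE), ("truncated", TRUNCATED)):
        print(name, check_event(line))
```

A line reported as truncated with a length at or near 1024 matches the symptom described in this article; truncated events should not be relied on for alert triage until the full message is received.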