How do I identify if the traffic is scanned properly?
How do I check if the span port is clean and seeing all the traffic that it should?
1. Run lastline_test_appliance.
lastline_test_appliance runs a number of tests that sniff on all the connected sniffing interfaces and analyze the quality of the traffic they receive in order to identify common problems (for example, no traffic at all, or only one direction of a mirrored session arriving).
Log in to the monitoring console on the appliance and type the command lastline_test_appliance at the shell prompt.
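To make the kind of checks such a tool performs concrete, the following is an added example and not the code of lastline_test_appliance or any other Lastline component. It runs heuristics over a list of packet summaries (constructed inline so it works offline; on a real sensor they would come from a short capture on the sniffing interface) and flags the SPAN problems a practitioner most often sees: no traffic, flows with only one direction visible (mirror session configured for rx or tx only), back-to-back duplicate frames (the same path mirrored twice), and the share of 802.1Q-tagged frames. All thresholds are assumptions chosen for illustration.

```python
"""Heuristic sanity checks for mirrored (SPAN/TAP) traffic.

Added example; not Lastline's lastline_test_appliance. The packet summaries
below are constructed for illustration, and the ratios/thresholds are assumed
values, not figures from any product documentation.
"""

# Constructed packet summaries: (src, dst, proto, sport, dport, tcp_flags, vlan)
# tcp_flags uses flag letters ("S" = SYN, "SA" = SYN/ACK, "A" = ACK, "" = n/a);
# vlan is the 802.1Q tag or None when the frame is untagged.
SAMPLE_GOOD = [
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, "S", None),
    ("93.184.216.34", "10.0.0.5", "tcp", 443, 51000, "SA", None),
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, "A", None),
    ("10.0.0.7", "10.0.0.53", "udp", 40000, 53, "", None),
    ("10.0.0.53", "10.0.0.7", "udp", 53, 40000, "", None),
]

# Constructed "broken SPAN" sample: only one direction of each conversation is
# mirrored, every frame arrives twice, and everything carries VLAN tag 100.
SAMPLE_BAD = [
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, "S", 100),
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, "S", 100),
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, "A", 100),
    ("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, "A", 100),
    ("10.0.0.9", "172.16.1.1", "tcp", 52000, 80, "S", 100),
    ("10.0.0.9", "172.16.1.1", "tcp", 52000, 80, "S", 100),
]


def flow_key(pkt):
    """Directional 5-tuple identifying the flow a packet belongs to."""
    src, dst, proto, sport, dport = pkt[:5]
    return (src, dst, proto, sport, dport)


def reverse_key(key):
    """The 5-tuple of the opposite direction of the same conversation."""
    src, dst, proto, sport, dport = key
    return (dst, src, proto, dport, sport)


def analyze_span_quality(packets, dup_threshold=0.3, oneway_threshold=0.5):
    """Return a dict of findings about a batch of mirrored packets.

    Keys:
      packets         - number of packets examined
      no_traffic      - True when nothing arrived at all
      one_way_ratio   - fraction of directional flows whose reverse direction
                        was never seen (high => SPAN mirrors only rx or only tx)
      duplicate_ratio - fraction of packets identical to the preceding one
                        (high => ingress and egress of one path both mirrored)
      vlan_tagged     - share of 802.1Q-tagged packets (tags are legitimate, but
                        the sensor has to be configured to expect them)
      problems        - human-readable list of the conditions that fired
    """
    findings = {"packets": len(packets), "problems": []}
    if not packets:
        findings["no_traffic"] = True
        findings["problems"].append("no traffic seen on sniffing interface")
        return findings
    findings["no_traffic"] = False

    flows = {flow_key(p) for p in packets}
    one_way = [k for k in flows if reverse_key(k) not in flows]
    findings["one_way_ratio"] = len(one_way) / len(flows)
    if findings["one_way_ratio"] > oneway_threshold:
        findings["problems"].append(
            "most flows are unidirectional: SPAN likely mirrors only one direction")

    dups = sum(1 for a, b in zip(packets, packets[1:]) if a == b)
    findings["duplicate_ratio"] = dups / len(packets)
    if findings["duplicate_ratio"] > dup_threshold:
        findings["problems"].append(
            "many back-to-back duplicate packets: same traffic mirrored twice")

    tagged = sum(1 for p in packets if p[6] is not None)
    findings["vlan_tagged"] = tagged / len(packets)
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("empty", [])):
        print(name, analyze_span_quality(sample))
```

The duplicate check deliberately looks only at adjacent packets: retransmissions also repeat payloads, but they are spaced out in time, whereas a doubly-mirrored frame arrives immediately after its twin. The one-way check counts each direction as its own flow, so a healthy bidirectional conversation contributes two flows that both have a reverse, and a mirror session that only copies one direction drives the ratio toward 1.0.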
2. Check the Monitoring Logs in the UI
A software component running on the Sensor called llwatchdog performs periodic checks on the state of all the critical Sensor components and reports their status in the appliance Monitoring Logs. Sensors running up-to-date software report a warning in the Monitoring Logs if, for example, Suricata (our IDS) is not receiving any traffic.
You can find the appliance Monitoring Logs in the Portal GUI by going to Admin -> Appliance -> Quick Links -> Monitoring Logs
3. Review Logs
If it is necessary to look deeper into a problem, you may need to check additional log files. Reviewing log files to troubleshoot the Sensor comes with a caveat: log files are not part of the officially supported software. We do not intend to maintain backwards compatibility or documentation for them, and a Sensor upgrade may change these logs or their formats at any time.
Suricata operation (rule parsing warnings, rule reloads, restarts, ...)
/var/log/suricata/suricata.msg
llpsv operation (daemon restarts, ...)
/var/log/llpsv/llpsv.INFO
Archive of recent artifacts extracted and processed by Suricata. Not all artifact types are archived there; NTA logs in particular are not, as writing them out would cause too much I/O load. The NTA pipelines operate exclusively in memory.
/var/lib/suricata-eve/archive/suricata-lastline/*
Reputation alerts on plain IPs/domains
/var/log/llpsv/llpsv.log
Operation of the mail component
/var/log/llmail/email/*.log
Operation of the ICAP daemon (custom log format with more metadata)
/var/log/c-icap/processing.log
Logs of the file processing pipeline invoking the prefilter (used by sniffing and ICAP; not mail)
/var/log/llfd/llfd_worker?.log
Logs of the daemon that uploads all the data generated by the Sensor to our Hosted backend or to an On-Premises Manager. This log is helpful only in a handful of very specific troubleshooting cases.
/var/log/llshed/*