DFWPKT Logs not being forwarded to Aria Logs with Log Label set to a character length greater than 39 characters.
search cancel

DFWPKT Logs not being forwarded to Aria Logs with Log Label set to a character length greater than 39 characters.

book

Article ID: 371438

calendar_today

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

  • In NSX versions prior to 3.2.1.1, the character limit for log labels in Distributed Firewall (DFW) rules was 31 characters. However, starting from version 3.2.1.1, this limit has been increased to 39 characters.
  • While the dfwpktlogs.log on ESXi hosts will truncate log labels exceeding 39 characters, Aria Logs do not display this truncation.

Environment

VMware NSX

Cause

  • Although NSX Manager allows setting log labels with more than 39 characters starting from version 3.2.1.1, the data plane truncates log labels exceeding 39 characters.

  • This truncation occurs in the vsipfwlib component within the data plane. As a result, Aria logs and any syslog server will receive the truncated log labels, not the original longer labels.

Resolution

To resolve the issue of not being able to view the logs in Aria, modify the pre-set log filters to use shorter log labels or filter by rule ID instead. This will allow you to see the truncated log labels, which are indeed being captured in the ESXi DFWPKT logs and forwarded to Aria logs, with the expected 39-character limit.