DFWPKT Logs not being forwarded to Aria Logs with Log Label set to a character length greater than 39 characters.
Article ID: 371438
Products
VMware vDefend Firewall
Issue/Introduction
In NSX versions prior to 3.2.1.1, the character limit for log labels in Distributed Firewall (DFW) rules was 31 characters. However, starting from version 3.2.1.1, this limit has been increased to 39 characters.
While the dfwpktlogs.log on ESXi hosts will truncate log labels exceeding 39 characters, Aria Logs do not display this truncation.
Environment
VMware NSX
Cause
From NSX version 3.2.1.1 onwards, the log label character limit in DFW logs was extended from 31 characters to 39 characters. While the NSX Manager allows configuring longer labels, the dataplane truncates them to 39 characters, and the truncated labels are then reflected in the ESXi DFWPKT logs and forwarded to Aria logs. This discrepancy can cause confusion if the log label exceeds the 39-character limit, resulting in truncated information in the logs.
This truncation occurs in the vsipfwlib component within the data plane. As a result, Aria logs and any syslog server will receive the truncated log labels, not the original longer labels.
Resolution
To address this issue and ensure proper log analysis:
Use a shorter log label: Ensure that the log label configured in NSX Manager is 39 characters or fewer.
Filter logs by Rule ID: If the log label is longer than 39 characters, filter logs using the associated rule ID. The truncated label will still appear in the logs, but the rule ID ensures accurate identification of firewall actions.
Verify logs in Aria: Logs with truncated labels will still be forwarded to Aria, and the 39-character limit should be reflected in the forwarded logs. If the logs cannot be viewed in Aria, modify the pre-set log filters to use shorter log labels or to filter by rule ID instead. The truncated log labels, which are captured in the ESXi DFWPKT logs and forwarded to Aria logs with the expected 39-character limit, will then be visible.
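The following is an added example, not VMware or Broadcom code: it audits a rule inventory against the limits described above and reports, per rule, the label that will appear in the logs and whether a saved filter should match on the label or on the rule ID. The rule IDs and labels are constructed samples, and the script assumes truncation keeps the leading characters of the label.

```python
from collections import defaultdict

DFW_LABEL_LIMIT = 39         # NSX 3.2.1.1 and later (from the article)
DFW_LABEL_LIMIT_LEGACY = 31  # NSX versions prior to 3.2.1.1 (from the article)

# Constructed sample inventory: (rule ID, log label as configured in NSX Manager).
SAMPLE_RULES = [
    (1001, "web-to-db-allow"),
    (1002, "prod-payments-frontend-to-backend-allow-https"),
    (1003, "prod-payments-frontend-to-backend-allow-ssh"),
    (1004, "dmz-ingress-allow-https-from-partners-1"),  # exactly 39 characters
]

def audit_log_labels(rules, limit=DFW_LABEL_LIMIT):
    """Return one record per rule: the label as logged and the filter to use."""
    rules = list(rules)
    # Assumption: the dataplane keeps the leading `limit` characters.
    by_logged = defaultdict(list)
    for rule_id, label in rules:
        by_logged[label[:limit]].append(rule_id)

    report = []
    for rule_id, label in rules:
        logged = label[:limit]
        truncated = len(label) > limit
        # Rules whose labels share the same leading characters cannot be
        # told apart by label once truncated.
        shared_with = [r for r in by_logged[logged] if r != rule_id]
        use_rule_id = truncated or bool(shared_with)
        report.append({
            "rule_id": rule_id,
            "configured": label,
            "logged": logged,
            "truncated": truncated,
            "shared_with": shared_with,
            "filter": ("rule_id", rule_id) if use_rule_id else ("label", logged),
        })
    return report

if __name__ == "__main__":
    for row in audit_log_labels(SAMPLE_RULES):
        kind, value = row["filter"]
        note = "TRUNCATED" if row["truncated"] else "ok"
        print(f'{row["rule_id"]}  {note:9}  logged={row["logged"]!r}  filter by {kind}={value}')
```

Pass `limit=DFW_LABEL_LIMIT_LEGACY` to audit an environment running a version prior to 3.2.1.1.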