IDFW user sessions not detected when using default AD Domain User group


Article ID: 378279

Products

VMware vDefend Firewall

Issue/Introduction

  • You are using Identity Firewall (IDFW) in your NSX-T deployment.
  • You have configured Event Log scraping as the method of user login detection.
  • Both the LDAP server and, if used, the Event Log scraper show as connected without issues.
  • You observe no user login events in the NSX-T UI or in the API when querying GET https://<NSX-ManagerIP>/policy/api/v1/infra/settings/firewall/idfw/user-session-data/
  • You are using the default Domain Users group in AD for NSGroup membership.


Environment

VMware NSX-T Data Center 3.X

VMware NSX-T Data Center 4.X

Cause

  • While using Event Log Scraping, the user session data (user ID) is not pulled because the "Domain Users" group is a primary group. As a result, no login event is detected.
  • Built-in AD groups and primary groups should not be used when configuring NSGroups on NSX-T for IDFW, both because of the issue above and because of the AD security risks involved.

Resolution

Create a new AD group to be used with the NSGroup for IDFW.
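The following is an added example, not code from VMware or from this article. It illustrates why membership in an AD primary group such as Domain Users is invisible to lookups based on memberOf/member (AD records primary-group membership only as the user's primaryGroupID, the RID of the group, and never in the group's member list), and provides a pre-flight check that the AD group chosen for the IDFW NSGroup is not anyone's primary group. The directory records, DNs and domain SID are constructed sample data; the RID 513 for Domain Users is a well-known Windows value.

```python
# Added example (not from the KB): why a primary group such as "Domain Users"
# does not show up in memberOf/member lookups, plus a check that an AD group
# chosen for an IDFW NSGroup is not a primary group. All records below are
# constructed sample data, not output from a real directory.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

GROUPS = {
    "CN=Domain Users,CN=Users,DC=corp,DC=example": {
        "objectSid": f"{DOMAIN_SID}-513",  # well-known RID 513 = Domain Users
        "member": [],                        # primary-group members are NOT listed here
    },
    "CN=IDFW-Users,OU=Groups,DC=corp,DC=example": {
        "objectSid": f"{DOMAIN_SID}-1105",   # constructed RID for a normal group
        "member": ["CN=alice,CN=Users,DC=corp,DC=example"],
    },
}

USERS = {
    "CN=alice,CN=Users,DC=corp,DC=example": {
        "primaryGroupID": 513,  # primary group is stored only as this RID
        "memberOf": ["CN=IDFW-Users,OU=Groups,DC=corp,DC=example"],
    },
}


def rid(sid: str) -> int:
    """Return the relative identifier (last component) of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def explicit_groups(user_dn: str) -> set[str]:
    """Membership as seen through memberOf only (what a naive lookup sees)."""
    return set(USERS[user_dn]["memberOf"])


def effective_groups(user_dn: str) -> set[str]:
    """memberOf plus the primary group resolved from primaryGroupID."""
    groups = explicit_groups(user_dn)
    pgid = USERS[user_dn]["primaryGroupID"]
    groups |= {dn for dn, g in GROUPS.items() if rid(g["objectSid"]) == pgid}
    return groups


def is_primary_group(group_dn: str) -> bool:
    """True if any user has this group as primary group: unsuitable for an IDFW NSGroup."""
    target = rid(GROUPS[group_dn]["objectSid"])
    return any(u["primaryGroupID"] == target for u in USERS.values())
```

Run is_primary_group against the DN of the group you plan to map to the NSGroup; a True result means login events for those users will not be matched, so create a dedicated group instead.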