NAPP NDR SIEM integration deployment breaks every 5 minutes


Article ID: 382590


Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

NAPP becomes degraded.

Logs from the nsx-ndr-worker-siem-notification-sender container show repeated connection timeouts, and the SIEM sender logs contain errors such as:

2024-09-17T18:31:39.008752319Z stderr F 2024-09-17 18:31:39,008 - nsx_ndr_service.siem.siem_sender - ERROR - Failed to send SIEM event notification: HTTP Error: 400 Bad Request - Response Body: {"errorMessage":"Missing events"}

Kubernetes Metadata:
  Pod Name        : nsx-ndr-worker-siem-notification-sender-7bf9d7576f-z7pc9
  Namespace       : nsxi-platform
  Pod ID          : 3238fb16-e74c-4408-a1d8-6f05928c4d91
  Host            : napp-cluster-default-workers-zszhk-868874fbd5xbb8k9-9ffdb
  Container Name  : worker
  Docker ID       : 7829b5ddcb8043a179eabde7825143ee85affc626ffe7663fa1a145f3fe774ee
  Container Image : projects.registry.vmware.com/nsx_application_platform/clustering/nsx-ndr-worker:332__releaselongview4.2.16-041ff729.focal
  Container Hash  : sha256:53327d5103359ab881d29aafe1255628e2d6ac6ebecf94bf9c923a3a60968f47
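To confirm that the degradation is this failure rather than a one-off, it helps to parse the worker's container log and count how often the SIEM sender hits the same HTTP error. The following is an added triage helper, not part of the article or of the NDR worker; it assumes the Kubernetes CRI log layout (`<timestamp> <stream> <F|P> <message>`) and the `<ts> - <logger> - <LEVEL> - <text>` layout visible in the line above. The sample lines are constructed: the first is the line from the article, the others are made up to show a repeat five minutes later and an unrelated INFO line.

```python
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Kubernetes CRI log line: <RFC3339 timestamp> <stream> <F|P> <message>
CRI_LINE = re.compile(
    r"^(?P<cri_ts>\S+) (?P<stream>stdout|stderr) (?P<tag>[FP]) (?P<msg>.*)$"
)
# Python logging layout used by the NDR worker: "<ts> - <logger> - <LEVEL> - <text>"
APP_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<logger>\S+)"
    r" - (?P<level>[A-Z]+) - (?P<text>.*)$"
)
# Trailing HTTP failure detail in the sender's error text
HTTP_ERR = re.compile(
    r"HTTP Error: (?P<status>\d{3}) (?P<reason>.+?) - Response Body: (?P<body>.*)$"
)

# Constructed sample: line 1 is from the article, lines 2 and 3 are made up.
SAMPLE_LINES = [
    '2024-09-17T18:31:39.008752319Z stderr F 2024-09-17 18:31:39,008 - '
    'nsx_ndr_service.siem.siem_sender - ERROR - Failed to send SIEM event '
    'notification: HTTP Error: 400 Bad Request - Response Body: '
    '{"errorMessage":"Missing events"}',
    '2024-09-17T18:36:39.104000000Z stderr F 2024-09-17 18:36:39,104 - '
    'nsx_ndr_service.siem.siem_sender - ERROR - Failed to send SIEM event '
    'notification: HTTP Error: 400 Bad Request - Response Body: '
    '{"errorMessage":"Missing events"}',
    '2024-09-17T18:36:40.000000000Z stdout F 2024-09-17 18:36:40,000 - '
    'nsx_ndr_service.siem.siem_sender - INFO - Retrying SIEM notification',
]


@dataclass
class SiemSendRecord:
    timestamp: str
    logger: str
    level: str
    status: Optional[int]        # HTTP status if the text carries one
    reason: Optional[str]        # HTTP reason phrase, e.g. "Bad Request"
    error_message: Optional[str] # errorMessage from the JSON response body


def parse_line(line: str) -> Optional[SiemSendRecord]:
    """Parse one CRI log line from the worker; None if it does not match."""
    m = CRI_LINE.match(line)
    if not m:
        return None
    a = APP_LINE.match(m.group("msg"))
    if not a:
        return None
    status = reason = error_message = None
    h = HTTP_ERR.search(a.group("text"))
    if h:
        status = int(h.group("status"))
        reason = h.group("reason")
        try:
            error_message = json.loads(h.group("body")).get("errorMessage")
        except ValueError:
            error_message = h.group("body")  # keep raw body if it is not JSON
    return SiemSendRecord(a.group("ts"), a.group("logger"), a.group("level"),
                          status, reason, error_message)


def summarize(lines) -> Counter:
    """Count SIEM sender ERROR lines by (status, errorMessage).

    A high count for one (status, message) pair is the repeating failure the
    article describes, as opposed to scattered, unrelated send errors."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.level == "ERROR" and rec.logger.endswith("siem_sender"):
            counts[(rec.status, rec.error_message)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).items():
        print(f"{n}x HTTP {key[0]}: {key[1]}")
```

Run it against the real output of `kubectl -n nsxi-platform logs <pod>` instead of the sample lines; the counter keyed on status and error message separates the 400 "Missing events" rejections from genuine connection timeouts.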

Environment

NAPP 4.2

Cause

The bearer token used for authentication with VRLI (on-premises version) is valid for only 30 minutes. Because the token expires so quickly, NDR cannot maintain a persistent connection to VRLI for sending SIEM event notifications, which leads to the timeout errors. NDR SIEM integration does not fully support Aria Operations for Logs (VRLI) in on-premises configurations.

Resolution

  • To use an Aria Operations for Logs instance as the SIEM server for NDR, use the following configuration:

    • Endpoint URL: https://<vrli-server-ip>:9543/api/v2/events
      (Replace <vrli-server-ip> with the IP or hostname of the Aria Operations for Logs server.)
    • Endpoint type: “Default”
    • Headers: no additional header required
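Before pointing NDR at the endpoint, it is worth checking from a shell that the VRLI ingestion endpoint accepts a well-formed body without any Authorization header, since the "Missing events" response in the Issue section is what the endpoint returns when the body lacks the expected `events` array. The following is an added example, not code from the article or from VMware; it assumes the event shape of the Log Insight ingestion API (an `events` list whose items carry `text`, a millisecond `timestamp`, and `fields` with `name`/`content` pairs; names limited to letters, digits and underscore) and uses the placeholder URL from the article. The detection records are constructed sample input.

```python
import json
import re
import ssl
import time
import urllib.error
import urllib.request

# Placeholder from the article; replace <vrli-server-ip> with the VRLI address.
VRLI_ENDPOINT = "https://<vrli-server-ip>:9543/api/v2/events"
# Field-name restriction assumed from the Log Insight ingestion API.
FIELD_NAME = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample detections, in a simplified NDR-like shape.
SAMPLE_DETECTIONS = [
    {"text": "NDR detection: suspicious outbound connection",
     "severity": "high", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9"},
    {"text": "NDR detection: lateral movement attempt",
     "severity": "medium", "src_ip": "10.0.0.7", "timestamp_ms": 1726597899008},
]


def build_payload(detections, now_ms=None):
    """Wrap detection records in the {"events": [...]} envelope (assumed shape).

    Each event gets its own timestamp_ms if present, else the current time in
    epoch milliseconds; every other key becomes a name/content field."""
    now_ms = now_ms if now_ms is not None else int(time.time() * 1000)
    events = []
    for d in detections:
        fields = [{"name": k, "content": str(v)}
                  for k, v in d.items() if k not in ("text", "timestamp_ms")]
        events.append({"text": d["text"],
                       "timestamp": d.get("timestamp_ms", now_ms),
                       "fields": fields})
    return {"events": events}


def validate_payload(payload):
    """Return a list of problems; an empty list means the body carries a
    non-empty 'events' array and should not be rejected as 'Missing events'."""
    problems = []
    events = payload.get("events")
    if events is None:
        problems.append("missing 'events' key")
        return problems
    if not events:
        problems.append("'events' is empty")
    for i, ev in enumerate(events):
        if not ev.get("text"):
            problems.append(f"event {i}: missing text")
        ts = ev.get("timestamp")
        # 10**12 ms is roughly the year 2001; anything smaller is likely seconds.
        if not isinstance(ts, int) or ts < 10**12:
            problems.append(f"event {i}: timestamp must be epoch milliseconds")
        for f in ev.get("fields", []):
            if not FIELD_NAME.match(f.get("name", "")):
                problems.append(f"event {i}: bad field name {f.get('name')!r}")
    return problems


def post_events(payload, url=VRLI_ENDPOINT, cafile=None, timeout=10):
    """POST the payload with only a Content-Type header, matching the
    'no additional header required' setting. Returns (status, body).

    TLS is verified; pass the VRLI CA bundle as cafile rather than disabling
    verification. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    body = build_payload(SAMPLE_DETECTIONS)
    issues = validate_payload(body)
    print("payload problems:", issues or "none")
    if not issues and "<vrli-server-ip>" not in VRLI_ENDPOINT:
        print(post_events(body))
```

Run `validate_payload` on whatever body a sender produces before blaming the server: a 400 with `{"errorMessage":"Missing events"}` against this endpoint points at the request body, while an expired bearer token on the authenticated API would surface as a 401, which is the distinction the Cause section turns on.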