VMware Aria Operations for Logs is designed to parse authentication logs from an identity provider, extract user ID-to-IP mapping information, and forward the data to the NSX Manager. This enables Identity Firewall (IDFW) to define and apply identity-based firewall rules for access control.
NSX may fail to receive login events from VMware Aria Operations for Logs, leading to incomplete user-to-IP mappings and potential access control issues.
To verify this, administrators can run the following API query on NSX Manager:
curl -k -u 'admin' -H "Content-Type:application/json" -X GET https://localhost/api/v1/idfw/login-logout-events
If the output does not show the expected "event_source": "LI", NSX is not receiving login events from VMware Aria Operations for Logs.
{
"domain_name" : "#########",
"user_name" : "######",
"vm_ext_id" : "",
"event_type" : "USER_SESSION_EVENT_TYPE_USER_LOGIN",
"user_session_id" : 0,
"timestamp" : ##############,
"user_ip" : "##.##.##.##",
"event_source" : "AD" <<<< In this example the event source is AD. If no record exists with "event_source" : "LI" then NSX is not receiving events from Aria
}
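The check above can be scripted so that it is repeatable instead of eyeballed. The following is an added example, not VMware code or part of this article: it mirrors the curl call against the NSX Manager endpoint named above and then counts login events by event_source, flagging the case where no "LI" (Aria Operations for Logs) record is present. The NSX host name, credentials and the assumption that the API returns either a bare list of event objects or a {"results": [...]} wrapper are all assumptions; the sample payloads are constructed to match the shape shown in the article.

```python
"""Added example (not VMware code): verify that NSX IDFW is receiving
login events from VMware Aria Operations for Logs (event_source "LI")."""
import json
import ssl
import urllib.request
from base64 import b64encode
from collections import Counter

IDFW_EVENTS_PATH = "/api/v1/idfw/login-logout-events"  # endpoint from the article
EXPECTED_SOURCE = "LI"   # event_source used for events relayed by Aria Operations for Logs


def fetch_login_events(nsx_host, username, password, verify_tls=True):
    """GET the IDFW login/logout events, equivalent to the article's curl command.
    nsx_host/username/password are assumptions supplied by the caller."""
    url = f"https://{nsx_host}{IDFW_EVENTS_PATH}"
    token = b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Content-Type": "application/json",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k; keep verification on outside a lab
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def extract_events(payload):
    """Assumption: the API returns a list of events or an object with a "results" list."""
    if isinstance(payload, dict):
        return list(payload.get("results", []))
    return list(payload)


def summarize_sources(events):
    """Count login/logout events per event_source, e.g. {"AD": 2, "LI": 1}."""
    return dict(Counter(e.get("event_source", "UNKNOWN") for e in events))


def aria_events_present(events):
    """True when at least one record carries the Aria Operations for Logs source."""
    return any(e.get("event_source") == EXPECTED_SOURCE for e in events)


def diagnose(payload):
    """Return a small report: whether LI events exist and the per-source counts."""
    events = extract_events(payload)
    ok = aria_events_present(events)
    return {
        "ok": ok,
        "counts": summarize_sources(events),
        "message": ("LI events present: NSX is receiving events from Aria Operations for Logs"
                    if ok else
                    "no event_source LI found: NSX is not receiving events from Aria Operations for Logs"),
    }


def _event(source, user, ip):
    # Constructed record shaped like the article's output; values are placeholders.
    return {"domain_name": "example.local", "user_name": user, "vm_ext_id": "",
            "event_type": "USER_SESSION_EVENT_TYPE_USER_LOGIN", "user_session_id": 0,
            "timestamp": 1700000000000, "user_ip": ip, "event_source": source}


# Constructed sample payloads (not captured from a real system).
SAMPLE_NO_LI = {"results": [_event("AD", "alice", "10.0.0.5"),
                            _event("AD", "bob", "10.0.0.6")]}
SAMPLE_WITH_LI = {"results": [_event("AD", "alice", "10.0.0.5"),
                              _event("LI", "carol", "10.0.0.7")]}

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in
    # fetch_login_events("nsx-manager.example.local", "admin", "<password>") for a live check.
    for name, payload in (("no LI", SAMPLE_NO_LI), ("with LI", SAMPLE_WITH_LI)):
        print(name, diagnose(payload))
```

Run against a live manager by replacing the constructed payload with the result of fetch_login_events(); the per-source counts are also useful as a health metric, since a non-zero "LI" count that stops growing indicates the relay has silently stalled.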
VMware vDefend Firewall (formerly known as NSX Firewall) with Identity Firewall (IDFW) enabled
VMware Aria Operations for Logs
The root cause of this issue is a mismatch in the event source configuration. Specifically, VMware Aria Operations for Logs was configured to accept the identity provider's events from a source identified by FQDN, while the events actually arrived with the source identified by IP address. Because the source did not match, Aria Operations for Logs did not forward the login events to NSX.
To resolve the issue, update the event source configuration in VMware Aria Operations for Logs so that it matches the source shown in the identity provider's event logs:
○ If event logs show an IP address as a source, update the event source in VMware Aria Operations for Logs to use the corresponding IP.
○ If event logs show an FQDN, update the VMware Aria Operations for Logs to use the corresponding FQDN.
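The decision above (IP versus FQDN) is easy to get wrong by hand when the logs show a mix of sources. The following is an added example, not VMware code or part of this article: it classifies the source configured in Aria Operations for Logs and the sources observed in the identity provider's events, and reports which value the configuration should be changed to. The shape of the event records (a "source" field per event) and the sample values are constructed assumptions.

```python
"""Added example (not VMware code): detect the IP/FQDN event-source mismatch
between Aria Operations for Logs and the identity provider's event logs."""
import ipaddress
from collections import Counter


def classify_source(value):
    """Return "ip" if value parses as an IPv4/IPv6 address, otherwise "fqdn"."""
    try:
        ipaddress.ip_address(value.strip())
        return "ip"
    except ValueError:
        return "fqdn"


def observed_sources(events):
    """Collect the source field from each event record (field name is an assumption)."""
    return [e["source"] for e in events if e.get("source")]


def check_source_mismatch(configured_source, events):
    """Compare the configured event source with what the logs actually show.
    Returns a report with the recommended value when they disagree."""
    sources = Counter(observed_sources(events))
    if not sources:
        return {"match": False, "action": "no events with a source field were seen; check log ingestion"}
    if set(sources) == {configured_source}:
        return {"match": True, "action": None}
    dominant, count = sources.most_common(1)[0]
    return {
        "match": False,
        "configured": configured_source,
        "configured_kind": classify_source(configured_source),
        "observed": dict(sources),
        "observed_kind": classify_source(dominant),
        "action": (f"update the event source in Aria Operations for Logs from "
                   f"{configured_source} to {dominant} ({count} of {sum(sources.values())} events)"),
    }


# Constructed sample events (not captured from a real system): the identity
# provider sends with an IP source while Aria is configured with an FQDN.
SAMPLE_EVENTS = [
    {"source": "10.1.2.3", "text": "user alice logged on from 10.0.0.5"},
    {"source": "10.1.2.3", "text": "user bob logged on from 10.0.0.6"},
    {"source": "10.1.2.3", "text": "user carol logged on from 10.0.0.7"},
]
CONFIGURED_SOURCE = "idp01.example.local"  # constructed FQDN placeholder

if __name__ == "__main__":
    print(check_source_mismatch(CONFIGURED_SOURCE, SAMPLE_EVENTS))
```

The report's "action" is the value to enter in Aria Operations for Logs; if the observed sources are themselves mixed (some IP, some FQDN), fix the identity provider's logging configuration first so that it emits one consistent source, otherwise a single Aria setting can never match all events.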
4. Save the changes and verify that login events are now visible in NSX using the API query:
curl -k -u 'admin' -H "Content-Type:application/json" -X GET https://localhost/api/v1/idfw/login-logout-events
Check for the presence of "event_source": "LI" in the output to confirm that events are being received successfully.
{
"domain_name" : "#########",
"user_name" : "######",
"vm_ext_id" : "",
"event_type" : "USER_SESSION_EVENT_TYPE_USER_LOGIN",
"user_session_id" : 0,
"timestamp" : ##############,
"user_ip" : "##.##.##.##",
"event_source" : "LI"
}