Not receiving DFW traffic logs in VMware Aria Operations for Logs



Article ID: 396316


Updated On:

Products

VMware NSX
VMware vDefend Firewall

Issue/Introduction

  1. NSX DFW events are no longer searchable, or were never searchable, when searching for them in Explore Logs or viewing them in the Dashboards.
  2. Logging in to the ESXi host as root and running 'esxcli system syslog config get' shows that the host is not configured to send syslog to VMware Aria Operations for Logs, is using UDP instead of TCP, or has the wrong port specified. In the example output below, the Remote Host line shows the UDP transport:
    [root@domain] esxcli system syslog config get
    Allow Vsan Backing: false
    Check Certificate Revocation List: false
    Dropped Log File Rotation Size: 100
    Dropped Log File Rotations: 10
    Enforce SSLCertificates: true
    Local Log Output: /scratch/log
    Local Log Output Is Configured: false
    Local Log Output Is Persistent: true
    Local Logging Default Rotation Size: 1024
    Local Logging Default Rotations: 8
    Log Level: error
    Log To Unique Subdirectory: false
    Message Queue Drop Mark: 90
    Remote Host: udp://<VMwareAriaOpsforLogsFQDN>:514
    Remote Host Connect Retry Delay: 180
    Remote Host Maximum Message Length: 1024
    Strict X509Compliance: false


Environment

NSX 4.x

VMware Aria Operations for Logs 8.18.x

Cause

The ESXi host's syslog configuration does not point at Aria Operations for Logs correctly: the remote log host is unset, uses UDP rather than TCP, or specifies the wrong port. Syslog over UDP has no delivery guarantee and DFW traffic logs are high volume, so the remote host must use TCP.

Resolution

To configure remote syslog to Aria Operations for Logs using TCP on port 514, run the following on the ESXi host (replace the placeholder with the FQDN of the Aria Operations for Logs integrated load balancer), then reload syslog so the change takes effect:

esxcli system syslog config set --loghost='tcp://<VMwareAria-OperationsforLogs-ILBFQDN>:514'
esxcli system syslog reload

Confirm the change with 'esxcli system syslog config get': the Remote Host line must now read tcp://<VMwareAria-OperationsforLogs-ILBFQDN>:514. The ESXi firewall's syslog ruleset must also permit the outbound connection. Note that syslog over TCP port 514 is sent in cleartext; ESXi can instead send over TLS with an ssl:// log host, which Aria Operations for Logs accepts on port 1514.
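The following shell function is an added example, not part of this KB or of any VMware tooling: it parses the Remote Host line from 'esxcli system syslog config get' output and reports whether it matches what the Resolution requires (tcp://<ILB FQDN>:514), flagging the UDP, unset, wrong-host and wrong-port cases from the Issue section. The FQDN, the sample outputs, and the acceptance of the TLS variant ssl://<FQDN>:1514 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the KB: check the "Remote Host" line of
# `esxcli system syslog config get` output against the target required by
# the Resolution (tcp://<ILB FQDN>:514).
# EXPECTED_LOGHOST and the sample outputs below are constructed placeholders.

EXPECTED_LOGHOST="aria-logs-ilb.example.com"   # assumed: your Aria Operations for Logs ILB FQDN

# Constructed sample matching the symptom in the KB (UDP instead of TCP).
SAMPLE_BAD='Local Log Output: /scratch/log
Log Level: error
Remote Host: udp://aria-logs-ilb.example.com:514
Remote Host Connect Retry Delay: 180'

# Constructed sample matching the state after the Resolution command.
SAMPLE_GOOD='Log Level: error
Remote Host: tcp://aria-logs-ilb.example.com:514
Remote Host Connect Retry Delay: 180'

# check_loghost CONFIG_OUTPUT EXPECTED_FQDN
# Returns 0 when some configured log host is tcp://EXPECTED_FQDN:514 (or the
# TLS variant ssl://EXPECTED_FQDN:1514, assumed to be the appliance's TLS syslog
# port); returns 1 for an unset host, a UDP target, or a wrong host/port.
check_loghost() {
    config="$1"
    expected="$2"
    remote=$(printf '%s\n' "$config" | sed -n 's/^[[:space:]]*Remote Host:[[:space:]]*//p')
    # ESXi reports "<none>" when no log host is set; treat that like an empty value.
    if [ -z "$remote" ] || [ "$remote" = "<none>" ]; then
        echo "FAIL: no remote syslog host configured"
        return 1
    fi
    # ESXi accepts a comma-separated list of log hosts; pass if any entry matches.
    old_ifs=$IFS
    IFS=','
    for target in $remote; do
        case "$target" in
            "tcp://$expected:514"|"ssl://$expected:1514")
                IFS=$old_ifs
                echo "OK: $target"
                return 0 ;;
        esac
    done
    IFS=$old_ifs
    case "$remote" in
        udp://*) echo "FAIL: UDP transport in '$remote'; DFW logs must use tcp://" ;;
        *)       echo "FAIL: '$remote' does not target tcp://$expected:514" ;;
    esac
    return 1
}

# Demo against the constructed samples. On a real host run:
#   check_loghost "$(esxcli system syslog config get)" "$EXPECTED_LOGHOST"
check_loghost "$SAMPLE_BAD"  "$EXPECTED_LOGHOST" || true
check_loghost "$SAMPLE_GOOD" "$EXPECTED_LOGHOST" || true
```

Run it on the host after the Resolution command and reload; a FAIL on the UDP branch reproduces the symptom in the Issue section, and an OK confirms the transport, host and port before you go looking elsewhere (firewall ruleset, Aria ingestion) for missing DFW events.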

Additional Information

Syslog configuration, the DFW syslog options for Aria Operations for Logs, and the fine-tuning options are covered in the parent KB, Configuring syslog on ESXi.