NSX manager syslog is not reporting NSX user successful LOGIN events
Article ID: 399588
Updated On:
Products
VMware NSX
Issue/Introduction
- After enabling syslog for NSX managers, successful LOGIN events are not reported in
/var/log/syslogand subsequently not seen on the remote syslog server. - Successful login events are expected to look similar to the following:
“2025-02-07T16:33:20.339Z ### NSX 1513 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="###@###", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="success" - These events are also not seen in the NSX audit logs (
/var/log/audit/audit.log). - Only LOGOUT events and failed LOGIN events are reported in SYSLOG.
<182>1 2025-06-02T13:43:14.528Z ### NSX 2934 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="LdapUserDetailsImpl [Dn=CN=###,CN=Users,DC=###,DC=###; Username=###; Password=[PROTECTED]; Enabled=true; AccountNonExpired=true; CredentialsNonExpired=true; AccountNonLocked=true; Granted Authorities=[nsxadmins]]@###", ModuleName="ACCESS_CONTROL", Operation="LOGOUT", Operation status="success" <182>1 2025-06-02T13:43:30.861Z #### NSX 2934 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="###@###", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"
- However, according to the Broadcom "Log Messages and Error Codes" document, successful LOGIN events should be recorded.
Environment
- VMware NSX 4.2.x
- VMware NSX 9.0.x
Cause
A defect was introduced in VMware NSX 4.2.0 and above such that syslog includes the full user info but suppresses logging the successful operation.
Resolution
This is a known issue affecting VMware NSX 4.2.0 and above. There is currently no resolution.
Workaround:
Filter for AAA events in NSX syslog: (Note: AAA stands for Authentication, Authorization, and Accounting)
Log snippet:
2025-06-03T14:18:05.183Z #### NSX 5070 - [nsx@6876 audit="true" comp="nsx-manager" level="INFO" reqId="####" subcomp="manager" username="###"] UserName="###", Src="###", ModuleName="AAA", Operation="GetCurrentUserInfo", Operation status="success", New value=[{"root_path":"/","provide_flat_listing":false}]
Feedback
Yes
No
Powered by
