NSX Distributed Firewall (DFW) logs are not forwarding to Aria Operations for Logs

Article ID: 403836

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • In the Aria Operations for Logs environment, the vCenter integration is working properly.
  • ESXi host events appear in the Logs Explorer, but NSX DFW logs do not.
  • The ESXi hosts show DFW packet log activity, but the data is not flowing into Aria Operations for Logs.
  • Aria Operations for Logs is not capturing NSX/DFW logs even after following NSX Distributed Firewall (DFW) logs are not forwarding to Aria Operations for Logs.
  • When reviewing /var/log/vmware/loginsight/plugins/vsphere/li-vsphere.log from an Aria Operations for Logs cluster node or support bundle, you may see entries similar to:

    ERROR] [com.vmware.loginsight.vsphere.config.VimVsphereConfigurer] [Error while setting syslog option for ESXi host <host_name_fqdn>: com.sun.xml.ws.fault.ServerSOAPFaultException - Client received SOAP Fault from server: Permission to perform this operation was denied. Please see the server log to find more detail regarding exact cause of the failure.

Environment

Aria Operations for Logs 8.x

Cause

NSX runs on the ESXi hosts and writes its DFW rule logging on those hosts. However, the ESXi hosts are not sending these logs to Aria Operations for Logs for the following reasons:

  • The syslog host is not configured to send logs to the Aria Operations for Logs endpoint.
  • The outgoing syslog firewall rule is not enabled.

Resolution

Configure the ESXi host's syslog to forward events, including NSX Distributed Firewall (DFW) events, to the Aria Operations for Logs environment.

Follow these steps on each ESXi host by logging into vCenter:

  1. Update the Syslog Host:

    • Navigate to Configure > System > Advanced System Settings.

    • Click Edit, click the Key filter, and enter syslog.

    • Edit the Syslog.global.logHost setting.

    • Add the Primary node IP address of Aria Operations for Logs to the list using the tcp:// prefix.

      • Example: tcp://203.0.113.10

      • Note: Separate multiple syslog hosts with a comma (,).

  2. Configure the Outgoing Firewall Rule:

    • Navigate to Configure > System > Firewall > Outgoing.

    • Click Edit.

    • Select the checkbox next to Syslog.

    • In the IP List settings, select Allow connections from any IP address or explicitly enter the IP address of the Aria Operations for Logs endpoint.

These steps update the Syslog Log Host and the Outgoing firewall rule, ensuring NSX DFW events are ingested into the Aria Operations for Logs environment.
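
The same two steps can be applied from the ESXi shell of a host with esxcli. This is an added example, not part of the original article: the function names are hypothetical, the target is passed as the first argument (for example tcp://203.0.113.10), and the script assumes `esxcli system syslog config get` prints the current value on a `Remote Host:` line. It appends the target to the existing list without duplicating it and uses the explicit-IP option from step 2 rather than allowing any address.

```shell
#!/bin/sh
# Added example (not from the article): esxcli equivalent of steps 1 and 2.
# Usage in the ESXi shell:  sh dfw-syslog.sh tcp://203.0.113.10

# Append a target to the comma-separated Syslog.global.logHost value,
# leaving the value unchanged when the target is already listed.
merge_loghost() {
    case "$1" in
        ''|'<none>') printf '%s\n' "$2" ;;          # nothing configured yet
        *) case ",$1," in
               *",$2,"*) printf '%s\n' "$1" ;;      # already present
               *)        printf '%s\n' "$1,$2" ;;   # append, comma-separated
           esac ;;
    esac
}

# Reduce tcp://host[:port] to the bare host for the firewall allow-list.
# Assumption: IPv4 address or hostname (no bracketed IPv6 literal).
target_ip() {
    t=${1#*://}
    printf '%s\n' "${t%%:*}"
}

forward_to() {
    target=$1
    # Assumption: the current log host is shown on the "Remote Host:" line.
    current=$(esxcli system syslog config get | sed -n 's/^ *Remote Host: *//p')

    # Step 1: update the syslog host list and reload the syslog service.
    esxcli system syslog config set --loghost="$(merge_loghost "$current" "$target")"
    esxcli system syslog reload

    # Step 2: enable the outgoing syslog ruleset, limited to the log endpoint.
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli network firewall ruleset set --ruleset-id=syslog --allowed-all=false
    esxcli network firewall ruleset allowedip add --ruleset-id=syslog \
        --ip-address="$(target_ip "$target")"
    esxcli network firewall refresh

    # Show the resulting state so both causes can be ruled out.
    esxcli system syslog config get | grep 'Remote Host'
    esxcli network firewall ruleset list --ruleset-id=syslog
}

# Only touch the host when a target is given and esxcli is available.
if [ "$#" -gt 0 ] && command -v esxcli >/dev/null 2>&1; then
    forward_to "$1"
fi
```
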