NSX Distributed firewall logs are not ingested in VMware Aria Operations for Log
Article ID: 413418
Updated On:
Products
VCF Operations/Automation (formerly VMware Aria Suite)
Issue/Introduction
- Configured remote logging on NSX as per documentation Configure Remote Logging but distributed firewall logs entries are not showing in Distributed Firewall Dashboard and no entries showing in Explore Logs for Distributed Firewall
- NSX manager can reach VMware Aria Operations for Logs on port 514 and 1515. Steps to test connectivity is documented in KB Unable to view Firewall logs from NSX-T in Aria Operations for Logs
- ESXi host is configured for syslog as per KB Not receiving DFW traffic logs in Aria any longer
- The Syslog host is configured to send logs to VMware Aria Operations for Logs and the outgoing syslog firewall is enabled as per KB NSX Distributed Firewall (DFW) logs are not forwarding to Aria Operations for Logs
- The /var/log/dfwpktlogs.log is not present on the ESXi host
Environment
VMware Aria Operations for Logs 8.18.x
VMware NSX 4.x
Cause
Logging is disabled by default for Distributed Firewall
Resolution
Enable logging for firewall rules on NSX Manager:
- Log in to the NSX Manager: Access the web interface of your NSX Manager.
- Navigate to Policy Management: Go to Security > Policy Management > Distributed Firewall.
- Locate your Firewall Rule: Find the specific rule within your Distributed Firewall policy that you want to enable logging for.
- Edit the Rule: Click the gear icon (settings) on the right side of the rule's row.
- Enable Logging: In the rule's settings, toggle the logging option to "Enable".
- Apply Changes: Click "Apply" to save the changes to the rule.
Note: It is recommended to enable logging for specific rules that you wish to monitor in VMware Aria Operations for Logs as it can impact the performance on the ESXi host
Additional Information
Additional documentation found here: Common Admin- Add a Distributed Firewall
Feedback
Yes
No
Powered by
