Unable to see logs from Distributed Firewall in Cloud Director UI
Article ID: 423723

Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • In the VMware Cloud Director UI, under Networking > Datacenter Groups > Distributed Firewall > Logs, the Logs tab shows "No Logs Found".

Environment

VMware Cloud Director 10.6.x

Cause

The distributed firewall logs are visible in Aria Operations for Logs, but they are not being delivered from there to VMware Cloud Director (VCD).

Resolution

The logging feature of distributed firewall rules in VMware Cloud Director requires additional configuration. The packet logs are not kept on NSX itself; they are written on each ESXi host in /var/log/dfwpktlogs.log, where they can be inspected directly. Those logs have to be generated on ESXi, forwarded together with the NSX logs to Aria Operations for Logs, and Aria Operations for Logs then has to be configured as a log provider in VMware Cloud Director. Cloud Director maps each log entry back to a firewall rule by its ruleId.

  1. Verify product version compatibility according to the Broadcom Interoperability Matrix
  2. Validate logging configuration and verify end-to-end configuration between products
    1. In Aria Operations for Logs:
      1. Ensure the latest NSX Content Pack is installed. See Install a Content Pack from the Content Pack Marketplace
      2. Add VMware Cloud Director to Aria Operations for Logs. See Configure a Log Provider in VMware Cloud Director
      3. Confirm that NSX-T logs are actively arriving in the Aria Operations for Logs "Interactive Analytics" view
      4. Confirm if the syslog connection for vCenter and ESXi hosts has been completed as part of adding them to Aria Operations for Logs. See Connect VMware Aria Operations for Logs to a vSphere Environment
      5. Check if the distributed firewall rule, gateway, or rule ID is traceable in Aria Operations for Logs from the cluster ESXi hosts
    2. In NSX:
      1. Verify that Aria Operations for Logs is added as a syslog server in the NSX-T Node Profile, configured with the correct port and log level. See Add Syslog Servers for NSX Nodes
      2. Confirm Route Advertisement is properly set on the edge in NSX-T (as required)
    3. In Cloud Director:
      1. Check if logs are visible by a system administrator in Cloud Director via the UI or API. Example API call:

        GET https://{vcd-fqdn}/cloudapi/2.0.0/edgeGateways/urn:vcloud:gateway:{gateway-id}/firewall/logs?page=1&pageSize=10&filterEncoded=true&filter=timestamp=gt=2025-10-29T09:14:22.638Z;timestamp=lt=2025-10-29T09:44:22.638Z&links=true

      2. Ensure the user has the required rights: "Distributed Firewall" and "VDC Group Logging" enabled and published in VMware Cloud Director. See Activate the Distributed Firewall on a VMware Cloud Director Organization Virtual Data Center
      3. Configure connectivity from Cloud Director to Aria Operations for Logs in the VCD Provider portal. If the VCD UI configuration fails, test API connectivity directly from the Cloud Director cells using:

        curl -k -X POST https://<Aria_Operations_for_logs_FQDN>:9543/api/v2/sessions -d '{"username":"admin", "password":"<admin_password>", "provider":"Local"}'
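Steps 2.1.5 and 2.2 hinge on being able to trace a rule ID from the ESXi host log through to Cloud Director. The following is an added example, not part of this article and not VMware/Broadcom code: a small parser for lines in the shape of /var/log/dfwpktlogs.log that extracts the ruleId, action and flow for each entry, so an operator can confirm on the ESXi host that a given rule is actually producing log entries before checking Aria Operations for Logs. The field order in the regular expression and the sample log lines are constructed assumptions about the dfwpktlogs format; adjust the pattern to the lines your hosts emit.

```python
import re
from collections import Counter

# Assumed line shape (constructed, not taken from this article):
#   <timestamp> <vmw_id> INET match <ACTION> <ruleId> <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport> [tcp-flags]
DFW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<vmwid>\S+)\s+INET6?\s+match\s+"
    r"(?P<action>PASS|DROP|REJECT)\s+(?P<rule_id>\d+)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[^/\s]+)/(?P<sport>\d+)->(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)

# Constructed sample of what a host might write; one deliberately malformed line is included.
SAMPLE_LOG = """\
2025-10-29T09:20:01.100Z 5d2a9f1c INET match PASS 1031 OUT 60 TCP 10.10.1.5/49152->10.20.1.7/443 S
2025-10-29T09:20:02.410Z 5d2a9f1c INET match DROP 1032 IN 60 TCP 10.30.2.9/51000->10.10.1.5/22 S
2025-10-29T09:20:03.005Z 5d2a9f1c INET match PASS 1031 OUT 52 TCP 10.10.1.5/49153->10.20.1.7/443 S
malformed line that should be skipped
2025-10-29T09:20:04.777Z 5d2a9f1c INET match DROP 1032 IN 84 UDP 10.30.2.9/5353->10.10.1.5/5353
"""


def parse_dfw_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = DFW_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule_id", "length", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_dfw_log(text):
    """Parse every line of a log excerpt, silently skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        rec = parse_dfw_line(line)
        if rec is not None:
            records.append(rec)
    return records


def rule_ids_seen(records):
    """Sorted list of the distinct ruleIds present; these are what Cloud Director maps on."""
    return sorted({r["rule_id"] for r in records})


def hits_per_rule(records):
    """Count entries per (ruleId, action) pair."""
    return Counter((r["rule_id"], r["action"]) for r in records)


def trace_rule(records, rule_id):
    """All entries for one ruleId, e.g. the rule that shows no logs in the VCD UI."""
    return [r for r in records if r["rule_id"] == rule_id]


def in_window(records, start_ts, end_ts):
    """Entries whose timestamp falls in [start_ts, end_ts]; ISO-8601 strings in the same
    format compare correctly as plain strings, matching the timestamp filter used in the
    Cloud Director API query."""
    return [r for r in records if start_ts <= r["ts"] <= end_ts]


if __name__ == "__main__":
    recs = parse_dfw_log(SAMPLE_LOG)
    print("rule IDs seen on host:", rule_ids_seen(recs))
    for (rule_id, action), count in sorted(hits_per_rule(recs).items()):
        print(f"rule {rule_id} {action}: {count} entries")
    for r in trace_rule(recs, 1032):
        print(f"  {r['ts']} {r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")
```

Run it against a real excerpt by replacing SAMPLE_LOG with the contents of /var/log/dfwpktlogs.log copied from a host in the affected cluster; if the ruleId of the rule in question never appears, the problem is upstream of Aria Operations for Logs (logging not enabled on the rule, or no matching traffic), not in the Cloud Director integration.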