Unknown Error when Adding an Event Log Server for IDFW


Article ID: 428108


Products

VMware vDefend Firewall
VMware vDefend Network Detection and Response

Issue/Introduction

Adding an Event Log Server in the UI (System > Identity Firewall AD > Add Active Directory > Event Log Server) fails with an error shown in the UI.

After entering the Hostname, Username and Password and clicking Add, the UI shows "Unknown error." and you cannot move forward with the Event Log Server setup wizard.

Logs > /var/log/syslog
16:05:48.608Z nsx NSX 1150557 FIREWALL [nsx@6876 comp="nsx-manager" level="WARNING" reqId="234473ec-c0a9-48a5-a45d-caf6aef1ea2f" subcomp="manager" username="####"] Couldn't connect to event log server, domain: AD.Domain.Name host: AD.Server.Name user: IDFW-AD

Environment

NSX 4.x

Cause

This can be caused by incorrect permissions on the Active Directory service user configured for IDFW log scraping. The service account needs read permission on the Windows Security log.

Resolution

The service user should be a member of the pre-built AD group called Event Log Readers, or have equivalent access.

The example picture shows the correct pre-built group in AD.
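One way to check the group membership and confirm that the account can actually read the Security log, as an added example that is not part of the original article or VMware's tooling. It assumes a domain-joined Windows host with the ActiveDirectory (RSAT) module; the account and server names are the placeholder values from the syslog line above, and the parameter names are illustrative.

```powershell
# Added example: verify the IDFW service account against the resolution above.
# Assumptions: ActiveDirectory RSAT module is installed; default values are the
# placeholders from the syslog line in this article, not real host names.
param(
    [string]$ServiceAccount = 'IDFW-AD',         # "user:" field from the log line
    [string]$EventLogServer = 'AD.Server.Name',  # "host:" field from the log line
    [switch]$AddIfMissing                        # add the account to the group if absent
)

Import-Module ActiveDirectory -ErrorAction Stop

$group = 'Event Log Readers'
$user  = Get-ADUser -Identity $ServiceAccount -ErrorAction Stop

# -Recursive also finds membership that comes through nested groups.
$isMember = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.SID.Value -eq $user.SID.Value }

if ($isMember) {
    Write-Host "$ServiceAccount is a member of '$group'."
} else {
    Write-Warning "$ServiceAccount is not a member of '$group'."
    if ($AddIfMissing) {
        Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
        Write-Host "Added $ServiceAccount to '$group'."
    }
}

# Functional test: read a single Security event remotely as the service account.
# This exercises the same read permission the event log server setup needs.
$cred = Get-Credential -UserName $ServiceAccount -Message 'IDFW service account password'
try {
    Get-WinEvent -ComputerName $EventLogServer -LogName Security -MaxEvents 1 `
        -Credential $cred -ErrorAction Stop |
        Select-Object TimeCreated, Id, MachineName
    Write-Host 'Security log is readable with this account.'
} catch {
    # Access-denied and connectivity failures both land here; the message says which.
    Write-Warning "Could not read the Security log: $($_.Exception.Message)"
}
```

A group membership change only applies to new logon sessions of the account, so run the read test again after adding the account, then retry the Add step in the NSX wizard.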

 

Additional Information

Documentation to Enable Windows Security Log Access for the Event Log Reader
https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/operations-and-management/enable-security-log-access-for-the-event-log-reader.html