Administrators may observe unauthorized changes to segment configurations (e.g., admin status, connectivity, or profile changes) within the NSX Manager. To ensure security compliance and audit accountability, it is necessary to identify:
The User Account that performed the change.
The Source IP Address (Client IP) of the request.
The Timestamp and specific API/UI Operation (PUT, PATCH, DELETE).
VMware NSX
Administrative changes are executed via the NSX Policy API or the Manager UI. These actions are recorded in the local audit logs of the NSX Manager appliance that serviced the request.
CLI-Based Audit Log Analysis
Log in to the NSX Manager appliance as root via SSH or open the support bundle. Note: In a cluster, check the node holding the Virtual IP (VIP) first, or check all three managers.
Navigate to the audit log directory: cd /var/log/audit/
Search the audit log for the segment name or ID. Filter for write operations (PATCH, PUT, POST, DELETE).
grep -i "<SEGMENT_NAME>" /var/log/audit/audit.log | grep -i -E "PUT|PATCH|POST|DELETE"
Analyze the log entry. A typical entry looks like this:
2026-02-13T15:47:46.886Z NSX 77141 - [nsx@6876 audit="true" comp="nsx-manager" level="INFO" reqId="########-####-####-####-############" subcomp="manager" update="true" username="username@domain"] UserName="username@domain", Src="##.##.##.##", ModuleName="PolicyConnectivity", Operation="PatchInfraSegment", Operation status="success", Old value=[{"type":"DISCONNECTED","vlan_ids":["###"],"transport_zone_path":"/infra/sites/default/enforcement-points/default/transport-zones/#########","advanced_config":{"hybrid":false,"multicast":true,"inter_router":false,"local_egress":false,"urpf_mode":"STRICT","connectivity":"ON"},"admin_state":"UP","replication_mode":"MTEP","resource_type":"Segment","id":"segment_ID","display_name":"Segment_name","tags":[{"scope":"SYSTEM","tag":"#######"}],"path":"/infra/segments/Segment_name","relative_path":"Segment_name","parent_path":"/infra","unique_id":"#####","realization_id":"#######","owner_id":"######","marked_for_delete":false,"overridden":false,"_system_owned":false,"_protection":"NOT_PROTECTED","_create_time":1742748335930,"_create_user":"admin","_last_modified_time":1742748431026,"_last_modified_user":"user@domain","_revision":1}], New value=["Segment" {"type":"DISCONNECTED","vlan_ids":["###"],"transport_zone_path":"/infra/sites/default/enforcement-points/default/transport-zones/#####","advanced_config":{"hybrid":false,"multicast":true,"inter_router":false,"local_egress":false,"urpf_mode":"STRICT","connectivity":"ON"},"admin_state":"DOWN","replication_mode":"MTEP","resource_type":"Segment","id":"Segment_ID","display_name":"Segment_name","tags":[{"scope":"SYSTEM","tag":"######"}],"path":"/infra/segments/Segment_name","relative_path":"Segment_name","parent_path":"/infra","unique_id":"#####","realization_id":"####","owner_id":"#####","marked_for_delete":false,"overridden":false,"_system_owned":false,"_create_time":1742748335930,"_create_user":"admin","_last_modified_time":1742748431026,"_last_modified_user":"username@domain","_revision":1}]
UserName: The identity used (e.g., admin, vIDM_user).
Operation: The type of change (PATCH usually indicates a modification).
Src (Source IP): The IP address of the source machine used by the administrator.
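Reading the Old value and New value blobs by eye is error-prone, so the following added example (not part of the original article and not VMware code) parses one audit entry in the format shown above and reports the user, source IP, timestamp, operation, and only the keys that differ between the old and new values. The function names, the constructed sample line, and the choice to skip keys beginning with "_" are assumptions of this example.

```python
import json
import re

# Constructed sample in the entry format shown above; every value is a placeholder.
SAMPLE = (
    '2026-02-13T15:47:46.886Z NSX 77141 - [nsx@6876 audit="true" comp="nsx-manager" '
    'level="INFO" subcomp="manager" update="true" username="user@example.test"] '
    'UserName="user@example.test", Src="192.0.2.10", ModuleName="PolicyConnectivity", '
    'Operation="PatchInfraSegment", Operation status="success", '
    'Old value=[{"admin_state":"UP","id":"seg-a","path":"/infra/segments/seg-a",'
    '"advanced_config":{"connectivity":"ON"},"_protection":"NOT_PROTECTED","_revision":1}], '
    'New value=["Segment" {"admin_state":"DOWN","id":"seg-a","path":"/infra/segments/seg-a",'
    '"advanced_config":{"connectivity":"ON"},"_revision":1}]'
)

# Fields that follow the bracketed syslog header, in the order the entry shows them.
FIELDS = re.compile(
    r'^(?P<ts>\S+) .*?UserName="(?P<user>[^"]*)", Src="(?P<src>[^"]*)", '
    r'ModuleName="(?P<module>[^"]*)", Operation="(?P<op>[^"]*)", '
    r'Operation status="(?P<status>[^"]*)"'
)

def first_object(text, marker):
    """Decode the first JSON object after marker; None if absent or undecodable."""
    start = text.find(marker)
    brace = text.find("{", start) if start != -1 else -1
    if brace == -1:
        return None
    try:
        return json.JSONDecoder().raw_decode(text, brace)[0]
    except json.JSONDecodeError:
        return None

def parse_audit_line(line):
    """Return who/where/when/what for one audit entry, plus the changed keys."""
    m = FIELDS.search(line)
    if m is None:
        return None
    head, _, tail = line.partition(", New value=")
    old, new = first_object(head, "Old value="), first_object(tail, "")
    changed = None  # stays None when either side cannot be decoded
    if old is not None and new is not None:
        # Keys starting with "_" are system metadata (revision, timestamps); skipped here.
        changed = {k: (old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
                   if not k.startswith("_") and old.get(k) != new.get(k)}
    return {**m.groupdict(), "path": (new or old or {}).get("path"), "changed": changed}

if __name__ == "__main__":
    print(parse_audit_line(SAMPLE))
```

Feed it the lines returned by the grep command above, one line at a time; a "changed" value of None means the old or new value could not be decoded and the entry should be inspected manually.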