This section describes the fields in the expanded log table.

Clicking the plus (+) icon on the right of the logs table expands an individual log. This provides an in-depth view of the specific connection log or the HTTP request and response log.

The following are displayed in the expanded table:

Field

Description

End to End Timing

The bar is similar to the one on the Analytics tab of the virtual service Details page, though it also contains arrows indicating the HTTP response code. This data is specific to this single connection or HTTP request, whereas the Analytics tab for the virtual service shows an aggregate of all connections or requests. If the arrow under Server RTT is zero, then no response was received from the server. This could be due to an error such as a timed-out server response, or because the request was served by the NSX Advanced Load Balancer itself (for example, through caching or a policy).

IP Addresses

Under End-to-End Timing, the IP addresses and service ports show the client source address and port used to initiate the transaction to the virtual service IP address and destination service port. The second address, under the (LB) icon, is the NSX Advanced Load Balancer source NAT (SNAT) address and source port used for communicating with the destination server, identified by its pool, name, IP address, and port.

Client data

The column under the Client icon displays the following client information:

  • Client IP: The source IP address and service port of the client.

  • Location: The country of origin for the IP address or Internal for private IP addresses. This field can also show custom IP group names.

  • Operating System: The OS of the connecting device. HTTP only.

  • Device: The type of connecting device, such as computer, tablet, or phone. HTTP only.

  • Browser: The web browser of the connecting device. HTTP only.

  • SSL Version: The negotiated version, such as SSL 3.0, TLS 1.0, TLS 1.1, or TLS 1.2. SSL terminated HTTP traffic only.

  • Certificate Type: RSA or Elliptic Curve (EC) certificate used for the connection. SSL terminated HTTP traffic only.

  • Perfect Forward Secrecy: Indicates whether the client negotiated a cipher that protects the connection from later decryption through hijacked keys. SSL terminated HTTP traffic only.

  • Start Time: The time the connection was established or the request was received.

LB data

The following information appears under the LB icon in the middle column:

  • Virtual Service IP: The listening virtual service’s IP and port.

  • Server Conn IP: The source IP address and port used as the source NAT address on the server side of the connection.

  • End time: When the log was generated. This normally occurs when the request or connection completes. Logs are also generated for currently active, long-lived connections. Logs generated during an open connection are updated periodically or when the connection closes.

  • Service Engine: The SE and corresponding vCPU that was used to process the request or connection.

  • Persistent Session ID: Persistent Session ID for the request will be displayed even if persistence is not enabled.

  • Response Length: The size of the response, such as HTTP payload plus headers, returned by the NSX Advanced Load Balancer to the client. This size can be different from the server Response Length in the server column due to SSL padding, JavaScript insertion (when Client Insights is set to Active), compression, TCP maximum segment size differences, or many other features.

The following fields appear only if applicable:

  • Cache Hit: This is true if the HTTP request was served by the NSX Advanced Load Balancer cache. This field will not be shown if caching is disabled.

  • Compression: If the NSX Advanced Load Balancer compressed the response content, this shows the percentage by which the content was compressed.

  • Policy Rule: If a policy has been applied to the virtual service, any rules that were executed will be displayed. If the rule was created with the log checkbox enabled, the log will be generated even if the virtual service does not have full client logs enabled on the Analytics tab for the virtual service. These logs will still require Non-Significant Logs to be selected in order to be displayed (unless they qualify as Significant Logs).

  • Significance: If the connection or request is determined to be an error, it will be marked as Significant. This field describes the issue (such as the client terminated the connection or the server returned a 500 error).

Server and App data

The third column provides the following information on connection or request and response:

  • Server IP: Pool name, server name, and the server IP address and port.

  • Host: The HTTP Host header, such as www.avinetworks.com or 10.1.1.10.

  • Request: The HTTP method (such as GET), version (such as HTTP/1.1), and size of the request (such as 2 Kb).

  • URI: The HTTP path and query of the client request.

  • User Agent: The raw client HTTP User-Agent header (such as Mozilla/5.0, AppleWebKit/533, and so on).

  • Content Type: The type of content returned to the client, such as HTML, images, JavaScript, and so on.

  • Response Length: The size of the HTTP header plus content returned from the server to the NSX Advanced Load Balancer. (This might be different from the size of the response length from the NSX Advanced Load Balancer to the client due to compression, inserting JavaScript, or other acceleration that might alter the content size before it is sent to the client.)

View All Headers

Expands the log display to show additional information for the transaction. View All Headers is relevant in the following cases:

  • All Headers: On the Analytics tab for the virtual service, create a new filter with the All Headers option selected. This causes the NSX Advanced Load Balancer to record all client request and server response headers. Viewing full headers helps when troubleshooting custom headers, cache control, and similar issues. Recording full headers comes at the cost of a significant resource hit to the SEs creating the logs and the Controller storing the larger logs. The recommendation is to turn this feature on selectively, such as for specific clients or for a shorter time duration.

  • DataScript Errors: Many DataScript errors are caught when attempting to save a new script. However, there are many scenarios in which a script can still fail during execution. When this happens, an error is created in the logs, visible under View All Headers. The error and stack trace are included to help determine the cause of the error.

Searching Logs

The Search field above the list of client log entries filters the logs according to your specified search terms. You may use either arbitrary search strings or a specific search syntax. For example, entering mobile will filter the logs to all entries that include this string anywhere within the log. The search strings are not case sensitive.

To use the formal search syntax, the search filter may be typed manually, or clicking any blue text within a log entry will generate the filter. For example, clicking Client IP creates the filter "client_ip=A.B.C.D" where A.B.C.D is the client’s IP address. In this example, the logs will be filtered to show only clients with that specific IP address.

When typing a search directly into the Search field, contextual help will show the available options. For instance, typing "client_ip" will show the appropriate operands (described below) such as "=".

Example: The filter client_ip= will show the most commonly seen IP addresses, including the number of logs generated by these addresses and the percentage of logs from this address, in this format: 10.30.4.31 - 15924 - (34.7%).

When using the search syntax:

  • Be aware of whether the log display filter is set to Significant Logs or Non-Significant Logs.

  • Multiple filters may be selected or created to further refine a search. All filters must be true for the log to match.

  • Search criteria for strings must be enclosed in quotation marks, such as client_country="US" or "Connection setup failed".

  • The filter can include any combination of informal strings and formal search syntax, such as: iphone client_ip^="10.30."

  • Searches may be saved and reused later.

  • The following operators allow more granular searches for strings, numbers, or IP addresses:

    • Greater than: >

    • Greater than or equal: >=

    • Less than: <

    • Less than or equal: <=

    • Not equal: !=

    • Equals: =

    • Contains: ~=

    • Does not contain: !~=

    • Starts with: ^=

    • Ends with: $=
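
The search semantics described above (informal strings, formal field-operator-value terms, every term required to match) can be reproduced offline, for example when triaging an exported set of logs. The following Python is an added example, not NSX Advanced Load Balancer code; the record layout and the field names user_agent, response_code and significance are assumptions, while client_ip and client_country come from the text above.

```python
import re
import shlex
from collections import Counter

# Operators listed on the page; longest first so "!~=" is not read as "~=" or "=".
OPS = ["!~=", ">=", "<=", "!=", "~=", "^=", "$=", ">", "<", "="]
TERM = re.compile(r"^(\w+)(" + "|".join(map(re.escape, OPS)) + r")(.*)$", re.S)

def compare(op, actual, wanted):
    if op in (">", ">=", "<", "<="):            # ordering: numeric fields only (assumption)
        a, w = float(actual), float(wanted)
        return {">": a > w, ">=": a >= w, "<": a < w, "<=": a <= w}[op]
    a, w = str(actual).lower(), wanted.lower()  # case-insensitive match (assumption)
    return {"=": a == w, "!=": a != w, "~=": w in a, "!~=": w not in a,
            "^=": a.startswith(w), "$=": a.endswith(w)}[op]

def matches(log, query):
    """True only if every term in the query matches (all filters must be true)."""
    haystack = " ".join(str(v) for v in log.values()).lower()
    for token in shlex.split(query):            # keeps a "quoted string" as one term
        m = TERM.match(token)
        if m:                                   # formal term: field, operator, value
            field, op, wanted = m.groups()
            if field not in log or not compare(op, log[field], wanted):
                return False
        elif token.lower() not in haystack:     # informal string: anywhere in the log
            return False
    return True

def top_values(logs, field):
    """Summarise a field as 'value - count - (percent)', most frequent first."""
    counts = Counter(log[field] for log in logs if field in log)
    total = sum(counts.values())
    return [f"{v} - {n} - ({100 * n / total:.1f}%)" for v, n in counts.most_common()]

# Constructed sample records (not real NSX Advanced Load Balancer output).
LOGS = [
    {"client_ip": "10.30.4.31", "client_country": "Internal", "user_agent": "Mozilla/5.0 (iPhone)", "response_code": 200},
    {"client_ip": "10.30.4.31", "client_country": "Internal", "user_agent": "curl/8.0", "response_code": 500},
    {"client_ip": "203.0.113.7", "client_country": "US", "user_agent": "Mozilla/5.0 (iPhone)", "response_code": 404},
    {"client_ip": "198.51.100.9", "client_country": "US", "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "significance": "Connection setup failed", "response_code": 0},
]

if __name__ == "__main__":
    for q in ('iphone client_ip^="10.30."', 'client_country="US" "Connection setup failed"'):
        print(q, "->", [log["client_ip"] for log in LOGS if matches(log, q)])
    print(top_values(LOGS, "client_ip"))
```

Queries passed to matches must use straight quotation marks, since shlex does not treat typographic quotes as delimiters.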