The firewall generates and stores log files, such as audit logs, rules message logs, and system event logs. You must configure a syslog server for each cluster that has the firewall enabled. The syslog server is specified in the Syslog.global.logHost attribute.

Recommendation: To collect firewall audit logs on a syslog server, ensure that you have upgraded the syslog server to the latest version. Preferably, configure a remote syslog-ng server to collect the firewall audit logs.

Firewall generates logs as described in the following table.

Table 1. Firewall Logs

| Log Type | Description | Location |
| --- | --- | --- |
| Rules message logs | Include all access decisions, such as permitted or denied traffic for each rule, if logging was enabled for that rule. Contains DFW packet logs for the rules where logging has been enabled. | /var/log/dfwpktlogs.log |
| Audit logs | Include administration logs and Distributed Firewall configuration changes. | /home/secureall/secureall/logs/vsm.log |
| System event logs | Include Distributed Firewall configuration applied; filter created, deleted, or failed; virtual machines added to security groups; and so on. | /home/secureall/secureall/logs/vsm.log |
| Data Plane/VMKernel logs | Capture activities related to the firewall kernel module (VSIP), including log entries for messages generated by the system. | /var/log/vmkernel.log |
| Message Bus Client/VSFWD logs | Capture activities of the firewall agent. | /var/log/vsfwd.log |

Note: The vsm.log file can be accessed by running the show log manager command from the NSX Manager Command Line Interface (CLI) and grepping for the keyword vsm.log. This file is accessible only to a user or user group with root privileges.

Rules Message Logs

Rules message logs include all access decisions such as permitted or denied traffic for each rule, if logging was enabled for that rule. These logs are stored on each host in /var/log/dfwpktlogs.log.

Here are examples of firewall log messages:

# more /var/log/dfwpktlogs.log
2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138

# more /var/log/dfwpktlogs.log
2017-04-11T21:09:59.877Z ESXi_FQDN dfwpktlogs: 50047 INET TERM domain-c1/1001 IN TCP RST 10.1.2.3/33491->10.4.5.6/10001 22/14 7684/1070

More examples:

2017-10-19T22:38:05.586Z 58734 INET match PASS domain-c8/1006 OUT 84 ICMP 172.18.8.121->172.18.8.119 RULE_TAG
2017-10-19T22:38:08.723Z 58734 INET match PASS domain-c8/1006 OUT 60 TCP 172.18.8.121/36485->172.18.8.119/22 S RULE_TAG
2017-10-19T22:38:18.785Z 58734 INET TERM domain-c8/1006 OUT ICMP 8 0 172.18.8.121->172.18.8.119 2/2 168/168 RULE_TAG
2017-10-19T22:38:20.789Z 58734 INET TERM domain-c8/1006 OUT TCP FIN 172.18.8.121/36484->172.18.8.119/22 44/33 4965/5009 RULE_TAG
In the examples above:
  • 1002 is the distributed firewall rule ID.
  • domain-c7 is the cluster ID in the vCenter managed object browser (MOB).
  • 192.168.110.10/138 is the source IP address.
  • 192.168.110.255/138 is the destination IP address.
  • RULE_TAG is an example of the text that you add in the Tag text box while adding or editing the firewall rule.
The following example shows the results of a ping from 192.168.110.10 to 172.16.10.12:
# tail -f /var/log/dfwpktlogs.log | grep 192.168.110.10

2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12

The following tables explain the fields in a firewall log message.

Table 2. Components of a Log File Entry

| Component | Value in example |
| --- | --- |
| Timestamp | 2017-04-11T21:09:59 |
| Firewall-specific portion | 877Z ESXi_FQDN dfwpktlogs: 50047 INET TERM domain-c1/1001 IN TCP RST 10.1.2.3/33491->10.4.5.6/10001 22/14 7684/1070 |

Table 3. Firewall-Specific Portion of a Log File Entry (entity: possible values)

Filter hash: A number that can be used to get the filter name and other information.

AF value: INET, INET6

Reason:
  • match: Packet matches a rule.
  • bad-offset: Datapath internal error while getting the packet.
  • fragment: Non-first fragments after they are assembled to the first fragment.
  • short: Packet too short (for example, not even complete enough to include an IP header or a TCP/UDP header).
  • normalize: Malformed packets that do not have a correct header or payload.
  • memory: Datapath out of memory.
  • bad-timestamp: Incorrect TCP timestamp.
  • proto-cksum: Bad protocol checksum.
  • state-mismatch: TCP packets that do not pass the TCP state machine check.
  • state-insert: Duplicate connection found.
  • state-limit: Reached the maximum number of states that the datapath can track.
  • SpoofGuard: Packet dropped by SpoofGuard.
  • TERM: A connection is terminated.

Action:
  • PASS: Accept the packet.
  • DROP: Drop the packet.
  • NAT: SNAT rule.
  • NONAT: Matched the SNAT rule, but cannot translate the address.
  • RDR: DNAT rule.
  • NORDR: Matched the DNAT rule, but cannot translate the address.
  • PUNT: Send the packet to a service VM running on the same hypervisor as the current VM.
  • REDIRECT: Send the packet to a network service running outside the hypervisor of the current VM.
  • COPY: Accept the packet and send a copy to a service VM running on the same hypervisor as the current VM.
  • REJECT: Reject the packet.

Rule set and rule ID: rule set/rule ID

Direction: IN, OUT

Packet length: length

Protocol: TCP, UDP, ICMP, or PROTO (protocol number)

For TCP connections, the actual reason that a connection is terminated is indicated after the keyword TCP.

If TERM is the reason for a TCP session, then an extra explanation appears in the PROTO row. The possible reasons for terminating a TCP connection are: RST (TCP RST packet), FIN (TCP FIN packet), and TIMEOUT (idle for too long).

In the example above, the reason is RST, meaning that a RST packet was seen in the connection and the connection was reset.

For non-TCP connections (UDP, ICMP or other protocols), the reason for terminating a connection is only TIMEOUT.

Source IP address and port: IP address/port

Destination IP address and port: IP address/port

TCP flags: S (SYN), SA (SYN-ACK), A (ACK), P (PUSH), U (URGENT), F (FIN), R (RESET)

Number of packets: in packets/out packets (22/14 in the example)

Number of bytes: in bytes/out bytes (7684/1070 in the example)
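The two line shapes described above (match lines with action, length and optional TCP flags; TERM lines with termination reason, packet and byte counters), parsed in Python as an added example that is not part of the original documentation. The dict field names and the drop_summary helper are my own choices; the sample lines used in the test are the ones printed earlier on this page.

```python
import re
from collections import Counter

def parse_dfwpktlog(line):
    """Parse one dfwpktlogs.log line into a dict; None if it is not a complete DFW record."""
    try:
        return _parse_fields(line.split())
    except (StopIteration, IndexError, ValueError):
        return None

def _parse_fields(tok):
    # Before the AF value: timestamp, optional host/program prefix, optional filter hash.
    af_at = next(k for k, t in enumerate(tok) if t in ("INET", "INET6"))
    rec = {"timestamp": tok[0], "af": tok[af_at], "reason": tok[af_at + 1]}
    j = af_at + 2
    if rec["reason"] == "match":            # only "match" lines carry the rule action
        rec["action"] = tok[j]; j += 1
    rule_set, rule_id = tok[j].split("/"); j += 1
    rec.update(rule_set=rule_set, rule_id=int(rule_id), direction=tok[j]); j += 1
    if rec["reason"] == "match":            # packet length appears only on match lines
        rec["length"] = int(tok[j]); j += 1
    rec["protocol"] = tok[j]; j += 1
    if rec["protocol"] == "PROTO":          # "PROTO <n>" for anything other than TCP/UDP/ICMP
        rec["protocol"] += " " + tok[j]; j += 1
    # Tokens between protocol and "src->dst": for TERM on TCP this is RST, FIN or TIMEOUT.
    detail = []
    while "->" not in tok[j]:
        detail.append(tok[j]); j += 1
    if detail:
        rec["term_reason" if rec["reason"] == "TERM" else "detail"] = " ".join(detail)
    rec["src"], rec["dst"] = tok[j].split("->", 1); j += 1
    tail = tok[j:]
    if rec["reason"] == "TERM":             # TERM: in/out packets, in/out bytes, optional tag
        rec["packets_in"], rec["packets_out"] = map(int, tail[0].split("/"))
        rec["bytes_in"], rec["bytes_out"] = map(int, tail[1].split("/"))
        tail = tail[2:]
    elif tail and rec["protocol"] == "TCP" and re.fullmatch(r"[SAPUFR]+", tail[0]):
        rec["tcp_flags"] = tail[0]; tail = tail[1:]   # TCP flags precede the tag
    if tail:                                # whatever remains is the rule's Tag text
        rec["tag"] = " ".join(tail)
    return rec

def drop_summary(lines):
    """Count DROP/REJECT decisions per (rule ID, source IP) to triage denied traffic."""
    hits = Counter()
    for rec in filter(None, map(parse_dfwpktlog, lines)):
        if rec.get("action") in ("DROP", "REJECT"):
            hits[(rec["rule_id"], rec["src"].split("/")[0])] += 1
    return hits
```

A Tag consisting only of the letters S, A, P, U, F, R on a TCP match line without flags would be read as flags; in practice TCP match lines carry the flags field before the tag.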

To enable rules message logging, log in to the vSphere Web Client:
  1. Navigate to Networking & Security > Security > Firewall.
  2. Ensure that you are in the General tab.
  3. Enable logging. The procedure depends on the NSX version:
    • NSX 6.4.1 and later: Click More > Enable > Enable Rule Logs.
    • NSX 6.4.0:
      1. Enable the Log column on the page.
      2. Enable logging for a rule by hovering over the Log table cell and clicking the pencil icon.
Note: If you want customized text to be displayed in the firewall log message, you can enable the Tag column and add the required text by clicking the pencil icon.

Audit and System Event Logs

Audit logs include administration logs and Distributed Firewall configuration changes. These are stored in /home/secureall/secureall/logs/vsm.log.

System event logs include Distributed Firewall configuration applied; filter created, deleted, or failed; virtual machines added to security groups; and so on. These logs are stored in /home/secureall/secureall/logs/vsm.log.

To view the audit and system event logs in the vSphere Web Client, navigate to Networking & Security > System > Events. In the Monitor tab, select the IP address of the NSX Manager.