Firewall generates and stores log files, such as audit logs, rules message logs, and system event logs. You must configure a syslog server for each cluster that has enabled the firewall . The syslog server is specified in the Syslog.global.logHost attribute.
Firewall generates logs as described in the following table.
|Rules message logs||Include all access decisions such as permitted or denied traffic for each rule if logging was enabled for that rule. Contains DFW packet logs for the rules where logging has been enabled.||/var/log/dfwpktlogs.log|
|Audit logs||Include administration logs and Distributed Firewall configuration changes.||/home/secureall/secureall/logs/vsm.log|
|System event logs||Include Distributed Firewall configuration applied, filter created, deleted, or failed, and virtual machines added to security groups, and so on.||/home/secureall/secureall/logs/vsm.log|
|Data Plane/VMKernel logs||Capture activities related to a firewall kernel module (VSIP). It includes log entries for messages generated by the system.||/var/log/vmkernel.log|
|Message Bus Client/ VSFWD logs||Capture activities of a firewall agent.||/var/log/vsfwd.log|
Rules Message Logs
Rules message logs include all access decisions such as permitted or denied traffic for each rule, if logging was enabled for that rule. These logs are stored on each host in /var/log/dfwpktlogs.log.
# more /var/log/dfwpktlogs.log 2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138 # more /var/log/dfwpktlogs.log 2017-04-11T21:09:59.877Z ESXi_FQDN dfwpktlogs: 50047 INET TERM domain-c1/1001 IN TCP RST 10.1.2.3/33491->10.4.5.6/10001 22/14 7684/1070
2017-10-19T22:38:05.586Z 58734 INET match PASS domain-c8/1006 OUT 84 ICMP 172.18.8.121->172.18.8.119 RULE_TAG 2017-10-19T22:38:08.723Z 58734 INET match PASS domain-c8/1006 OUT 60 TCP 172.18.8.121/36485->172.18.8.119/22 S RULE_TAG 2017-10-19T22:38:18.785Z 58734 INET TERM domain-c8/1006 OUT ICMP 8 0 172.18.8.121->172.18.8.119 2/2 168/168 RULE_TAG 2017-10-19T22:38:20.789Z 58734 INET TERM domain-c8/1006 OUT TCP FIN 172.18.8.121/36484->172.18.8.119/22 44/33 4965/5009 RULE_TAG
- 1002 is the distributed firewall rule ID.
- domain-c7 is cluster ID in the vCenter managed object browser (MOB).
- 192.168.110.10/138 is the source IP address.
- 192.168.110.255/138 is the destination IP address.
- RULE_TAG is an example of the text that you add in the Tag text box while adding or editing the firewall rule.
# tail -f /var/log/dfwpktlogs.log | grep 192.168.110.10 2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12 2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
The following tables explain the text boxes in the firewall log message.
|Component||Value in example|
|Firewall-specific portion||877Z ESXi_FQDN dfwpktlogs: 50047 INET TERM domain-c1/1001 IN TCP RST 10.1.2.3/33491->10.4.5.6/10001 22/14 7684/1070|
|Filter hash||A number that can be used to get the filter name and other information.|
|AF Value||INET, INET6|
|Rule set and rule ID||rule set/rule ID|
|Protocol||TCP, UDP, ICMP, or PROTO (protocol number)
For TCP connections, the actual reason that a connection is terminated is indicated after the keyword TCP.
If TERM is the reason for a TCP session, then an extra explanation appears in the PROTO row. The possible reasons for terminating a TCP connection include: RST (TCP RST packet), FIN (TCP FIN packet), and TIMEOUT (idle for too long)
In the example above, it is RST. So it means that there is a RST packet in the connection that must be reset.
For non-TCP connections (UDP, ICMP or other protocols), the reason for terminating a connection is only TIMEOUT.
|Source IP address and port||IP address/port|
|Destination IP address and port||IP address/port|
|TCP flags||S (SYN), SA (SYN-ACK), A (ACK), P (PUSH), U (URGENT), F (FIN), R (RESET)|
|Number of packets||Number of packets.
22/14 - in packets / out packets
|Number of bytes||Number of bytes.
7684/1070 - in bytes/ out bytes
- Navigate to .
- Ensure that you are in the General tab.
- Enable logging.
NSX Version Procedure NSX 6.4.1 and later Click More>Enable>Enable Rule Logs NSX 6.4.0
- Enable the Log column on the page.
- Enable logging for a rule by hovering over the Log table cell and clicking the pencil icon.
Audit and System Event Logs
Audit logs include administration logs and Distributed Firewall configuration changes. These are stored in /home/secureall/secureall/logs/vsm.log.
System event logs include Distributed Firewall configuration applied, filter created, deleted, or failed, and virtual machines added to security groups, and so on. These logs are stored in /home/secureall/secureall/logs/vsm.log.
To view the audit and system event logs in the vSphere Web Client, navigate to . In the Monitor tab, select the IP address of the NSX Manager.