Log messages from all NSX-T Data Center components, including those running on ESXi hosts, conform to the syslog format as specified in RFC 5424. Log messages from KVM hosts are in the RFC 3164 format. The log files are in the directory /var/log.

On NSX-T Data Center appliances, you can run the following NSX-T Data Center CLI command to view the logs:
get log-file <auth.log | http.log | kern.log | manager.log | node-mgmt.log | syslog> [follow]

On hypervisors, you can use Linux commands such as tac, tail, grep, and more to view the logs. You can also use these commands on NSX-T Data Center appliances.

For more information about RFC 5424, see https://tools.ietf.org/html/rfc5424. For more information about RFC 3164, see https://tools.ietf.org/html/rfc3164.

RFC 5424 defines the following format for log messages:

<facility * 8 + severity> version UTC-TZ hostname APP-NAME procid MSGID [structured-data] msg
A sample log message:
<187>1 2016-03-15T22:53:00.114Z nsx-manager NSX - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP4039" subcomp="manager"] Connection verification failed for broker '10.160.108.196'. Marking broker unhealthy.

Every message has the component (comp) and sub-component (subcomp) information to help identify the source of the message.

NSX-T Data Center produces regular logs (facility local6, which has a numerical value of 22) and audit logs (facility local7, which has a numerical value of 23). All API calls trigger an audit log.

An audit log that is associated with an API call has the following information:
  • An entity ID parameter entId to identify the object of the API.
  • A request ID parameter req-id to identify a specific API call.
  • An external request ID parameter ereqId if the API call contains the header X-NSX-EREQID:<string>.
  • An external user parameter euser if the API call contains the header X-NSX-EUSER:<string>.

RFC 5424 defines the following severity levels:

Severity Level Description
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

All logs with a severity of emergency, alert, critical, or error contain a unique error code in the structured data portion of the log message. The error code consists of a string and a decimal number. The string represents a specific module.

The MSGID field identifies the type of message. For a list of the message IDs, see Log Message IDs.