The events window contains the last 14 days of data.

There are three event log files in the /var/log/nsx-idps folder on ESXi hosts:
  • fast log - contains internal logging of nsx-idps process events, with limited information and is used only for debugging purposes
  • nsx-idps-log - contains general nsx-idps process logs with basic information and errors about the process workflow
  • nsx-idps-events.log - contains detailed information about events (all alerts/drops/rejects) with NSX metadata
Navigate to Security > Distributed IDS/IPS > Events to view time intrusion events. Filter the viewed events by clicking the drop-down arrow and selecting one of the following:
  • Show all signatures
  • Dropped (Prevented)
  • Rejected (Prevented)
  • Alert (Detect Only)
Colored dots indicate the unique type of intrusion events and can be clicked for details. The size of the dot indicates the number of times an intrusion event has been seen. A blinking dot indicates that an attack is ongoing. Point to a dot to see the attack name, number of attempts, first occurrence, and other details.
  • Red dots - represent critical severity signature events.
  • Orange dots - represent high severity signature events.
  • Yellow dots - represent medium severity signature events.
  • Gray dots - represent low severity signature events.

All the intrusion attempts for a particular signature are grouped and plotted at their first occurrence.

  • Select the timeline by clicking the arrow in the upper right corner. The time line can be between 24 hours and 14 days.
  • Filter events by:
    Filter Criteria Description
    Attack Target Target of the attack.
    Attack Type Type of attack, such as trojan horse, or denial of service (DoS).
    CVSS (Common Vulnerability Score) Common Vulnerability Score (filter based on a score above a set threshold).
    Product Affected Vulnerable product or (version) i.e Windows XP or Web_Browsers.
    Signature ID Unique ID of the signature rule.
    VM Name The VM (based on logical port) where exploit traffic originated from or was received by.
  • Click the arrow next to an event to view details.
    Detail Description
    Last Detected This is the last time the signature was fired.
    Details The name of the signature that was fired.
    Product Affected Illustrates what product is vulnerable to the exploit.
    VM Affected Lists of VMs involved in the intrusion attempt.
    Vulnerability Details If available, this shows a link to the CVE and the CVSS score associated with the vulnerability.
    Source IP address of the attacker and source port used.
    Destination IP address of the victim and destination port used.
    Attack Direction Client-Server or Server-Client.
    Associated IDS Rule Clickable link to the configured IDS Rule which resulted in this event.
    Revision The revision number of the IDS signature.
    Activity Displays the total number of times this particular IDS signature was triggered, the most recent occurrence, and the first occurrence.
  • To view intrusion history, click the arrow next to an event, then click View Intrusion History. A window opens with the following details:
    Detail Description
    Source IP IP address of the attacker.
    Source Port Source port used in the attack.
    Destination IP IP address of the victim.
    Destination Port Destination port used in the attack.
    Protocol Traffic protocol of the detected intrusion.
    Time Detected This is the last time the signature was fired.
  • The graph present under the chart represents events that occurred over a selected time span. You can zoom in to the specific time window on this graph to view details of signatures of the related events that happened during the time window.