NSX Malware Prevention feature runs on NSX Edges, service virtual machine (on ESXi hosts), and NSX Application Platform. The product logs generated on NSX Edges and service virtual machines conform to the RFC 5424 log message standard. NSX Malware Prevention feature is supported only on ESXi hosts. KVM hosts are not supported.

Log Messages

On NSX-T appliances, syslog messages conform to the RFC 5424 standard. Additional product logs are written to the /var/log directory.

  • On an NSX Edge, malware analysis log messages for extracted files are provided by the Gateway Malware Prevention service on the active tier-1 gateway.
  • On an ESXi host, malware analysis log messages for files downloaded on the workload VMs, which are running on the host, are provided by the Malware Prevention Service VM on the ESXi host.
  • For files that are extracted by both Gateway Malware Prevention service and Distributed Malware Prevention service, malware analysis log messages are provided by the Security Analyzer microservice, which is running on the NSX Application Platform.

Remote logging is also supported. To consume NSX Malware Prevention feature logs, you can configure NSX Edges and NSX Application Platform to send or redirect log messages to a remote log server.

Configure Remote Logging on NSX Edge

You must configure remote logging on each NSX Edge node individually. To configure the remote logging server on an NSX Edge node by using the NSX CLI, see Configure Remote Logging.

To configure the remote logging server on an NSX Edge node by using the NSX Manager UI, see Add Syslog Servers for NSX Nodes.

Configure Remote Logging on NSX Application Platform

To send NSX Application Platform log messages to an external log server, you must run a REST API.

For information about the REST API along with sample request body, response, and code samples, see the VMware Developer Documentation portal.

Configure Remote Logging on NSX Malware Prevention Service Virtual Machine

This functionality is currently not supported. However, as a workaround, you can copy the syslog file from each NSX Malware Prevention service virtual machine (SVM) by logging on to the SVM with an SSH connection.

SSH access to the admin user of the SVM is key-based (public-private key pair). A public key is needed when you are deploying the service on an ESXi host cluster, and a private key is needed when you want to start an SSH session to the SVM.

For more information see, Log in to the NSX Malware Prevention Service Virtual Machine

After logging in to the SVM, use the sftp or the scp command to copy the syslog file from the /var/log directory at that particular time. If multiple syslog files are available at this location, they are compressed and stored at the same path.

More Information About Logging

See Log Messages and Error Codes.

Interpret NSX Malware Prevention Event Log Messages

The format of the log messages for NSX Malware Prevention events on the service virtual machine and NSX Edge is the same. However, for events on the NSX Application Platform, the format of the log messages is different.

The following event log message is generated by the sa-events-processor microservice, which is a pod that runs on the NSX Application Platform.

Example:

{"log":"{\"log\":\"\\u001b[37m2022-06-01T01:42:58,725\\u001b[m \\u001b[32mINFO \\u001b[m[\\u001b[1;34mfileEventConsumer-1\\u001b[m] \\u001b[1;33mc.v.n.s.e.k.EventsProcessorConsumerService\\u001b[m: SECURITY [nsx@6876 comp=\\\"nsx-manager\\\" level=\\\"INFO\\\" subcomp=\\\"manager\\\"] Event number 2 received from topic: ams-file-seen-events partition: 0 and offset: 212640 is: FileInspectionEvent(id=0, sha256=29fbd4604acb1da497e8127cd688bf2614f565fc4d4c808989df41c4a6fb924d, sha1=549cb3f1c85c4ef7fb06dcd33d68cba073b260ec, md5=65b9b68668bb6860e3144866bf5dab85, fileName=drupdate.dll, fileType=PeExeFile, fileSize=287024, inspectionTime=1654047770305, clientPort=0, clientIp=null, clientFqdn=null, clientVmId=500cd1b6-96b6-4567-82f4-231a63dead81, serverPort=0, serverIp=null, serverFqdn=null, serverVmId=null, applicationProtocol=null, submittedBy=SYSTEM, isFoundByAsds=true, isBlocked=false, allowListed=false, verdict=BENIGN, score=0, analystUuid=null, submissionUuid=null, tnId=38c58796-9983-4a41-b9f2-dc309bd3458d, malwareClass=null, malwareFamily=null, errorCode=null, errorMessage=null, nodeType=1, gatewayId=, analysisStatus=COMPLETED, followupEvent=false, httpDomain=null, httpMethod=null, path=null, referer=null, userAgent=null, contentDispositionFileName=null, isFileUpload=false, startTime=1654047768828, endTime=1654047768844, ttl=1654220570304)\\n\",\"stream\":\"stdout\",\"time\":\"2022-06-01T01:42:58.725811209Z\"}","log_processed":{"log":"\u001b[37m2022-06-01T01:42:58,725\u001b[m \u001b[32mINFO \u001b[m[\u001b[1;34mfileEventConsumer-1\u001b[m] \u001b[1;33mc.v.n.s.e.k.EventsProcessorConsumerService\u001b[m: SECURITY [nsx@6876 comp=\"nsx-manager\" level=\"INFO\" subcomp=\"manager\"] Event number 2 received from topic: ams-file-seen-events partition: 0 and offset: 212640 is: FileInspectionEvent(id=0, sha256=29fbd4604acb1da497e8127cd688bf2614f565fc4d4c808989df41c4a6fb924d, sha1=549cb3f1c85c4ef7fb06dcd33d68cba073b260ec, md5=65b9b68668bb6860e3144866bf5dab85, fileName=drupdate.dll, fileType=PeExeFile, fileSize=287024, inspectionTime=1654047770305, clientPort=0, clientIp=null, clientFqdn=null, clientVmId=500cd1b6-96b6-4567-82f4-231a63dead81, serverPort=0, serverIp=null, serverFqdn=null, serverVmId=null, applicationProtocol=null, submittedBy=SYSTEM, isFoundByAsds=true, isBlocked=false, allowListed=false, verdict=BENIGN, score=0, analystUuid=null, submissionUuid=null, tnId=38c58796-9983-4a41-b9f2-dc309bd3458d, malwareClass=null, malwareFamily=null, errorCode=null, errorMessage=null, nodeType=1, gatewayId=, analysisStatus=COMPLETED, followupEvent=false, httpDomain=null, httpMethod=null, path=null, referer=null, userAgent=null, contentDispositionFileName=null, isFileUpload=false, startTime=1654047768828, endTime=1654047768844, ttl=1654220570304)","stream":"stdout","time":"2022-06-01T01:42:58.725811209Z"},"kubernetes":{"pod_name":"sa-events-processor-55bcfcc46d-4jftf","namespace_name":"nsxi-platform","pod_id":"305953f7-836b-4bbb-ba9e-00fdf68de4ae","host":"worker03","container_name":"sa-events-processor","docker_id":"93f81f278898e6ce3e14d9a37e0e10a502c46fe53c9ad61680aed48b94f7f8bf","container_hash":"projects.registry.vmware.com/nsx_application_platform/clustering/sa-events-processor@sha256:b617f4bb9f3ea5767839e39490a78169f7f3d54826b89638e4a950e391405ae4","container_image":"projects.registry.vmware.com/nsx_application_platform/clustering/sa-events-processor:19067767"}}
Note: This example event log message is only for illustrative purposes. The format and content might change across major NSX-T versions.

In this sample event log message, observe that apart from the standard log attributes, such as date (2022-06-01T00:42:58,326), log level (INFO), and filterable attributes, such as module (SECURITY), container_name (sa-events-processor), additional attributes are present in a JSON style format. The following table lists these additional attributes.

Key Sample Value

id

0

sha256

29fbd4604acb1da497e8127cd688bf2614f565fc4d4c808989df41c4a6fb924d

sha1

549cb3f1c85c4ef7fb06dcd33d68cba073b260ec

md5

65b9b68668bb6860e3144866bf5dab85

fileName

drupdate.dll

fileType

PeExeFile

fileSize

287024

inspectionTime

1654047770305

clientPort

0

clientIP

null

clientFqdn

null

clientVmId

500cd1b6-96b6-4567-82f4-231a63dead81

serverPort

0

serverIp

null

serverFqdn

null

serverVmId

null

applicationProtocol

null

submittedBy

SYSTEM

isFoundByAsds

true

isBlocked

false

allowListed

false

verdict

BENIGN

score

0

analystUuid

null
submissionUuid null
tnId 38c58796-9983-4a41-b9f2-dc309bd3458d

malwareClass

null

malwareFamily

null

errorCode

null

errorMessage

null

nodeType

1

gatewayId

analysisStatus

COMPLETED

followupEvent

false

httpDomain

null

httpMethod

null

path

null

referer

null

userAgent

null

contentDispositionFileName

null

isFileUploaded

false

startTime

1654047768828

endTime

1654047768844

ttl

1654220570304

Troubleshoot Syslog Issues

If the remote log server that you configured is unable to receive log messages, see Troubleshooting Syslog Issues.

Collect Support Bundles