You can view the security flow logs of the NSX-T Data Center environment by using VMware vRealize Log Insight.
- TLS Inspection
- Gateway IDPS
- URL Filtering
Starting with NSX-T Data Center 3.2.1, TLS Inspection and Gateway IDPS are available for production environments are fully supported. In NSX-T Data Center 3.2.0 these features were available in tech preview mode only. For more information, see the NSX-T Data Center Release Notes.
Unified Security Logs
All the security verticals generate and save unified security flow logs in the Unified Security Logs format in a single log file on a node. This single log is exported to syslog server, which is configured for VMware vRealize Log Insight. VMware vRealize Log Insight will then process the logs to provide further log management, analysis, and display them by using NSX-T Content Pack.
Display Logs on vRealize Log Insight
A new dashboard 'NSX - Unified Security Flow Logs' is added in the existing NSX-T Content Pack. This dashboard shows chart widgets, which are visual representation of the security flow logs.
Content Pack of VMware vRealize Log Insight is a plugin. It contains dashboards, extracted fields, saved queries, and alerts that are related to a specific product or set of logs.
NSX-T Content Pack is available on VMware vRealize Log Insight Marketplace.
For more information about VMware vRealize Log Insight and how to install Content Pack from Content Pack Market place, see the chapter Install a Content Pack from the Content Pack Marketplace from the Using VMware vRealize Log Insight product document.
Top-N and Last X-hours
You can also query events in VMware vRealize Log Insight for Top-N information from last X-hours using Interactive Analytics and Content Pack.
Remote Logging Server
To send logs to a remote logging server, NSX-T Data Center appliances and hypervisors must be configured with remote logging on each node separately.
For more information, see Configure Remote Logging.
If logs are not received by the remote log server, see Troubleshooting Syslog Issues.
Unified Security Log Format
cat /var/log/syslog | grep 'unified-logs'
Examples of log messages:
2021-10-12T09:00:46.192Z nsxedge-18734920-1-mps29 NSX 22621 SYSTEM [nsx@6876 comp="nsx-edge"
subcomp="tls-proxy" s2comp="unified-logs" level="INFO"] {"event_type": "fw-flow-terminate-log",
"event_trigger": ["fw-rule-log"], "origin": {"fw_type": "gateway", "fw_uuid": "79427614-4a0d-2692-032c-eb4692f717a9",
"node_uuid": "ec11a626-f425-3bc2-671d-a656500003b2"}, "flow": {"start": "2021-10-12T09:00:46.723Z",
"end": "2021-10-12T09:00:46.773Z", "ip_ver": "ipv4", "flow_id": "0x1e0000704f000018",
"src_ip": "192.168.100.160", "src_port": 25700, "dest_ip": "1.1.5.10", "dest_port": 443, "proto": "TCP", "tcp_flags": "",
"bytes_toserver": 95, "bytes_toclient": 29873, "reason": "FIN-close", "final_action": "PASS"}, "fw": {"action": "PASS", "rule_id": 1002,
"direction": "", "rule_tag": ""}, "http": {"http_method": "", "hostname": "www.facebook.com", "url": "www.facebook.com/benign_pdf1.pdf", "scheme": "", "http_user_agent": "", "status": "",
"site_category": ""SOCIAL_NETWORK"", "site_reputation": "Trustworthy"},"tls_inspection": {"action": "PASS", "rule_id": 1008, "domain": "www.facebook.com", "cert_status": "ok", "tls_version_toserver": "TLSv1.2",
"cipher_to_server": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "reason": "", "tls_rule_tag": "TLS External Rule"}, "idps": {"action": "PASS", "rule_id": 1007,
"ids_profile_id": "00000000-0000-0000-0000-000000000000", "alert_event": ["SOCIAL_NETWORK"], "protocol_event": ["http"]}, "app_id": {"app": ""APP_HTTP", "APP_FACEBOOK", "APP_SSL""}
2021-11-11T04:07:37.489Z nsxedge-18866667-2-NAT-fc-3-nov NSX 27330 SYSTEM [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="unified-logs" level="INFO"]
{"event_type": "fw-flow-terminate-log", "event_trigger": ["ids-rule-log"], "origin": {"fw_type": "gateway", "fw_uuid": "544ee558-fad0-e624-019f-e8e3e0472c91",
"node_uuid": "dabf16c9-ec11-833c-0c00-8c832f771729"}, "flow": {"start": "2021-11-11T04:07:07.000Z", "end": "2021-11-11T04:07:37.000Z",
"ip_ver": "ipv4", "flow_id": "0xd44d00306e0a0004", "src_ip": "1.1.1.10", "src_port": 35714, "dest_ip": "10.142.7.1", "dest_port": 53,
"proto": "UDP", "tcp_flags": "FPW", "bytes_toserver": 297878, "bytes_toclient": 71, "pkts_toserver": 71, "pkts_toclient": 1,
"reason": "FIN-close", "final_action": "PASS"}, "fw": {"action": "PASS", "rule_id": 2025, "direction": "", "rule_tag": ""},
"l7profile": {"entry_id": "00000000-0000-0000-0000-000000000000", "action": "PASS"},
"http": {"http_method": "", "hostname": "", "url": "", "scheme": "", "http_user_agent": "", "status": "", "site_category": "",
"site_reputation": "UNKNOWN"}, "idps": {"action": "IDP_DETECT", "rule_id": 2028, "ids_profile_id": "9872e27a-ead4-4c93-af5f-4df1ec0c73e1",
"alert_event": [], "protocol_event": []}, "app_id": {"app": ""APP_DNS""}}
2021-11-08T08:30:59.208Z nsxedge-18866667-2-NAT-fc-3-nov NSX 9495 SYSTEM [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="unified-logs" level="INFO"]
{"event_type": "fw-flow-terminate-log", "event_trigger": ["fw-rule-log"], "origin": {"fw_type": "gateway", "fw_uuid": "544ee558-fad0-e624-019f-e8e3e0472c91",
"node_uuid": "dabf16c9-ec11-833c-0c00-8c832f771729"}, "flow": {"start": "2021-11-08T08:30:57.000Z", "end": "2021-11-08T08:30:59.000Z",
"ip_ver": "ipv4", "flow_id": "0x4001006c04000000", "src_ip": "1.1.1.10", "src_port": 43600, "dest_ip": "13.226.234.18",
"dest_port": 80, "proto": "TCP", "tcp_flags": "FREW", "bytes_toserver": 54968, "bytes_toclient": 444,
"pkts_toserver": 444, "pkts_toclient": 7, "reason": "FIN-close", "final_action": "PASS"}, "fw": {"action": "PASS", "rule_id": 1004, "direction": "",
"rule_tag": ""}, "l7profile": {"entry_id": "e9580107-2749-471c-be82-715d530bf4d4", "action": "PASS"},
"http": {"http_method": "", "hostname": "", "url": "espn.com/", "scheme": "", "http_user_agent": "", "status": "",
"site_category": ""SPORTS"", "site_reputation": "TRUSTWORTHY"}, "app_id": {"app": ""APP_HTTP", "APP_ESPN""}}
