Firewall generates and stores log files, such as the audit log, rules message log, and system event log.

Firewall generates three types of logs.

  • Rules message logs include all access decisions such as permitted or denied traffic for each rule if logging was enabled for that rule. These are stored on each host in /var/log/dfwpktlogs.log.

    In the following example:

    • 1002 is the distributed firewall rule ID.

    • domain-c7 is the cluster ID in the vCenter managed object browser (MOB).

    • is the source IP address.

    • is the destination IP address.

    ~ # more /var/log/dfwpktlogs.log
    2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP>

    The following example shows the results of a ping to

    ~ # tail -f /var/log/dfwpktlogs.log | grep
    2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1>
    2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1>

    To enable rules message logging in vSphere Web Client 6.0 (the UI might differ slightly in vSphere 5.5, but the steps are the same):

    1. Enable the Log column on the Networking & Security > Firewall page.

    2. Enable logging for a rule by hovering over the Log table cell and clicking the pencil icon.

  • Audit logs include administration logs and Distributed Firewall configuration changes. These are stored in /home/secureall/secureall/logs/vsm.log.

  • System event logs include events such as Distributed Firewall configuration applied; filter created, deleted, or failed; and virtual machines added to security groups. These are stored in /home/secureall/secureall/logs/vsm.log.

To view audit and system event logs in the UI, navigate to Networking & Security > Installation > Management and double-click the IP address of the NSX Manager. Then select the Monitor tab.
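
The rules message log entries shown above can be summarized per rule to see which rules are dropping traffic. The following parser is an added example, not VMware code. The sample lines are constructed, their addresses are documentation-range placeholders, and the trailing "src->dst" layout and the PASS action token are assumptions, because the log lines on this page are cut off before that field.

```python
import re
from collections import Counter

# Constructed sample lines in the layout shown above. Addresses are
# documentation-range placeholders; the "src->dst" tail and the PASS
# action are assumptions (the page's own lines are truncated there).
SAMPLE = """\
2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.0.2.10/138->192.0.2.255/138
2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.0.2.20->198.51.100.5
2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.0.2.20->198.51.100.5
2015-03-10T03:21:02.118Z INET match PASS domain-c7/1001 OUT 52 TCP 192.0.2.10/49152->198.51.100.7/443
this line is not a firewall record
"""

# timestamp, family, reason, action, cluster ID/rule ID, direction, length, protocol
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<af>INET6?) (?P<reason>\S+) (?P<action>\S+) "
    r"(?P<cluster>[^/\s]+)/(?P<rule>\d+) (?P<dir>IN|OUT) (?P<len>\d+) "
    r"(?P<proto>PROTO \S+|\S+)(?: (?P<rest>.*))?$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not a rule record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"], rec["len"] = int(rec["rule"]), int(rec["len"])
    # Split the flow only when the tail survived; truncated lines get None.
    src, sep, dst = (rec.pop("rest") or "").partition("->")
    dst = dst.split()
    rec["src"], rec["dst"] = (src, dst[0]) if sep and dst else (None, None)
    return rec

def drops_by_rule(text):
    """Count DROP decisions per (cluster ID, rule ID)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            hits[(rec["cluster"], rec["rule"])] += 1
    return hits

if __name__ == "__main__":
    for (cluster, rule), n in drops_by_rule(SAMPLE).most_common():
        print(f"{cluster} rule {rule}: {n} dropped")
```

The cluster ID is kept in the key because the same rule ID (1002 above) appears under more than one cluster.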

