The firewall generates and stores log files, such as the audit log, rules message log, and system event log.
Firewall generates three types of logs.
Rules message logs include all access decisions such as permitted or denied traffic for each rule if logging was enabled for that rule. These are stored on each host in /var/log/dfwpktlogs.log.
In the following example:
1002 is the distributed firewall rule ID.
domain-c7 is the cluster ID in the vCenter managed object browser (MOB).
192.168.110.10/138 is the source IP address.
192.168.110.255/138 is the destination IP address.
~ # more /var/log/dfwpktlogs.log
2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138
The following example shows the results of a ping 192.168.110.10 to 172.16.10.12.
~ # tail -f /var/log/dfwpktlogs.log | grep 192.168.110.10
2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
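An added example (not VMware's code) that parses rules message log lines like the ones shown above and counts DROP decisions per cluster, rule ID and flow. Field names other than the rule ID, cluster ID, source and destination are this example's own labels, and reading the number after the slash as a port is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the three log lines quoted on this page.
SAMPLE = """\
2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138
2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
"""

# Group names such as family, reason, direction and length are assumed labels.
# The protocol is either a name (UDP) or the two tokens "PROTO <number>".
# Anything after the destination is kept unparsed in "extra".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<family>\S+) (?P<reason>\S+) (?P<action>\S+) "
    r"(?P<cluster>[^/\s]+)/(?P<rule_id>\d+) (?P<direction>\S+) (?P<length>\d+) "
    r"(?P<proto>PROTO \d+|\S+) "
    r"(?P<src>[0-9A-Fa-f.:]+)(?:/(?P<sport>\d+))?->"
    r"(?P<dst>[0-9A-Fa-f.:]+)(?:/(?P<dport>\d+))?(?: (?P<extra>.*))?$"
)


def parse_line(line):
    """Return a dict of fields for one rules message log line, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # shell prompts, blank lines, unrelated text
    rec = m.groupdict()
    for key in ("rule_id", "length", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def drops_by_flow(text):
    """Count DROP decisions per (cluster ID, rule ID, source, destination)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            counts[(rec["cluster"], rec["rule_id"], rec["src"], rec["dst"])] += 1
    return counts


if __name__ == "__main__":
    for flow, n in drops_by_flow(SAMPLE).most_common():
        print(n, *flow)
```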
To enable rules message logging in vSphere Web Client 6.0 (the UI might differ slightly in vSphere 5.5, but the steps are the same):
Enable the Log column on the Networking & Security > Firewall page.
Enable logging for a rule by hovering over the Log table cell and clicking the pencil icon.
Audit logs include administration logs and Distributed Firewall configuration changes. These are stored in /home/secureall/secureall/logs/vsm.log.
System event logs record events such as Distributed Firewall configuration applied, filter created, deleted, or failed, and virtual machines added to security groups. These are stored in /home/secureall/secureall/logs/vsm.log.
To view audit and system event logs in the UI, navigate to Networking & Security > Installation > Management and double-click the IP address of the NSX Manager. Then select the Monitor tab.
For more information, see Operations and Management.