The firewall generates and stores log files, such as the audit log, the rules message log, and the system event log. You must configure a syslog server for each cluster that has the firewall enabled. The syslog server is specified in the Syslog.global.logHost attribute.

The firewall generates the logs described in the following table.

Table 1. Firewall Logs

Rules message logs
  Description: Include all access decisions, such as permitted or denied traffic for each rule, if logging was enabled for that rule. Contain the DFW packet logs for the rules where logging has been enabled.
  Location: /var/log/dfwpktlogs.log

Audit logs
  Description: Include administration logs and Distributed Firewall configuration changes.
  Location: /home/secureall/secureall/logs/vsm.log

System event logs
  Description: Include Distributed Firewall configuration applied; filter created, deleted, or failed; virtual machines added to security groups; and so on.
  Location: /home/secureall/secureall/logs/vsm.log

Data Plane/VMKernel logs
  Description: Capture activities related to the firewall kernel module (VSIP). They include log entries for messages generated by the system.
  Location: /var/log/vmkernel.log

Message Bus Client/VSFWD logs
  Description: Capture activities of the firewall agent.
  Location: /var/log/vsfwd.log

Note:

The vsm.log file can be accessed by running the show log manager command from the NSX Manager Command Line Interface (CLI) and grepping for the keyword vsm.log. This file is accessible only to users or user groups that have the root privilege.

Rules Message Logs

Rules message logs include all access decisions such as permitted or denied traffic for each rule, if logging was enabled for that rule. These logs are stored on each host in /var/log/dfwpktlogs.log.

Here are examples of firewall log messages:

# more /var/log/dfwpktlogs.log
2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138

# more /var/log/dfwpktlogs.log
2017-04-11T21:09:59.877Z ESXi_FQDN dfwpktlogs: 50047 INET TERM domain-c1/1001 IN TCP RST 10.1.2.3/33491->10.4.5.6/10001 22/14 7684/1070

More examples:

2017-10-19T22:38:05.586Z 58734 INET match PASS domain-c8/1006 OUT 84 ICMP 172.18.8.121->172.18.8.119 RULE_TAG
2017-10-19T22:38:08.723Z 58734 INET match PASS domain-c8/1006 OUT 60 TCP 172.18.8.121/36485->172.18.8.119/22 S RULE_TAG
2017-10-19T22:38:18.785Z 58734 INET TERM domain-c8/1006 OUT ICMP 8 0 172.18.8.121->172.18.8.119 2/2 168/168 RULE_TAG
2017-10-19T22:38:20.789Z 58734 INET TERM domain-c8/1006 OUT TCP FIN 172.18.8.121/36484->172.18.8.119/22 44/33 4965/5009 RULE_TAG

In the examples above:

  • 1002 is the distributed firewall rule ID.

  • domain-c7 is the cluster ID in the vCenter managed object browser (MOB).

  • 192.168.110.10/138 is the source IP address.

  • 192.168.110.255/138 is the destination IP address.

  • RULE_TAG is an example of the text that you add in the Tag text box while adding or editing the firewall rule.

The following example shows the log entries produced by a ping from 192.168.110.10 to 172.16.10.12.

# tail -f /var/log/dfwpktlogs.log | grep 192.168.110.10

2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12

The following tables explain the fields of a firewall log message.

Table 2. Components of a Log File Entry

Timestamp
  Value in example: 2017-04-11T21:09:59.877Z

Firewall-specific portion
  Value in example: ESXi_FQDN dfwpktlogs: 50047 INET TERM domain-c1/1001 IN TCP RST 10.1.2.3/33491->10.4.5.6/10001 22/14 7684/1070

Table 3. Firewall-Specific Portion of a Log File Entry

Filter hash
  Possible values: A number that can be used to look up the filter name and other information.

AF value
  Possible values: INET, INET6

Reason
  • match: Packet matches a rule.
  • bad-offset: Datapath internal error while getting the packet.
  • fragment: Non-first fragments, after they have been reassembled with the first fragment.
  • short: Packet too short (for example, not even long enough to include a complete IP header or TCP/UDP header).
  • normalize: Malformed packets that do not have a correct header or payload.
  • memory: Datapath out of memory.
  • bad-timestamp: Incorrect TCP timestamp.
  • proto-cksum: Bad protocol checksum.
  • state-mismatch: TCP packets that do not pass the TCP state machine check.
  • state-insert: Duplicate connection found.
  • state-limit: Reached the maximum number of states that the datapath can track.
  • SpoofGuard: Packet dropped by SpoofGuard.
  • TERM: A connection is terminated.

Action
  • PASS: Accept the packet.
  • DROP: Drop the packet.
  • NAT: SNAT rule.
  • NONAT: Matched the SNAT rule, but cannot translate the address.
  • RDR: DNAT rule.
  • NORDR: Matched the DNAT rule, but cannot translate the address.
  • PUNT: Send the packet to a service VM running on the same hypervisor as the current VM.
  • REDIRECT: Send the packet to a network service running outside the hypervisor of the current VM.
  • COPY: Accept the packet and send a copy to a service VM running on the same hypervisor as the current VM.
  • REJECT: Reject the packet.

Rule set and rule ID
  Possible values: rule set/rule ID

Direction
  Possible values: IN, OUT

Packet length
  Possible values: length

Protocol
  Possible values: TCP, UDP, ICMP, or PROTO (protocol number)

  For TCP connections, the actual reason that a connection is terminated is indicated after the keyword TCP. If TERM is the reason for a TCP session, this additional explanation appears in the Protocol field. The possible reasons for terminating a TCP connection are RST (TCP RST packet), FIN (TCP FIN packet), and TIMEOUT (idle for too long).

  In the example above, the reason is RST, meaning that an RST packet was seen in the connection and the connection was reset.

  For non-TCP connections (UDP, ICMP, or other protocols), the only reason for terminating a connection is TIMEOUT.

Source IP address and port
  Possible values: IP address/port

Destination IP address and port
  Possible values: IP address/port

TCP flags
  Possible values: S (SYN), SA (SYN-ACK), A (ACK), P (PUSH), U (URGENT), F (FIN), R (RESET)

Number of packets
  Possible values: in packets/out packets (22/14 in the example)

Number of bytes
  Possible values: in bytes/out bytes (7684/1070 in the example)
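The following Python parser is an added example, not code from the VMware documentation: it tokenizes dfwpktlogs.log lines in the variants shown on this page (the older format without a filter hash, the format with host name and filter hash, match and TERM entries, PROTO n, TCP flags, and an optional rule tag) and then counts DROP decisions per rule ID. The sample lines are constructed from the page's examples, and the dictionary field names are this example's own.

```python
"""Parse dfwpktlogs.log entries in the formats shown on this page (added example)."""
from collections import Counter

# Constructed sample lines modelled on the page's examples (not captured from a live host).
SAMPLE_LINES = """\
2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138
2017-04-11T21:09:59.877Z ESXi_FQDN dfwpktlogs: 50047 INET TERM domain-c1/1001 IN TCP RST 10.1.2.3/33491->10.4.5.6/10001 22/14 7684/1070
2017-10-19T22:38:08.723Z 58734 INET match PASS domain-c8/1006 OUT 60 TCP 172.18.8.121/36485->172.18.8.119/22 S RULE_TAG
2017-10-19T22:38:20.789Z 58734 INET TERM domain-c8/1006 OUT TCP FIN 172.18.8.121/36484->172.18.8.119/22 44/33 4965/5009 RULE_TAG
2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
"""

def split_endpoint(ep):
    """'10.1.2.3/33491' -> ('10.1.2.3', 33491); a bare address (ICMP, PROTO n) gets port None."""
    ip, _, port = ep.partition("/")
    return ip, (int(port) if port else None)

def parse_dfw_line(line):
    """Return a dict of the fields in one dfwpktlogs.log line (field names are this example's own)."""
    tok = line.split()
    af = next(i for i, t in enumerate(tok) if t in ("INET", "INET6"))  # AF value anchors the layout
    ep = next(i for i, t in enumerate(tok) if "->" in t)                # the src->dst token
    rec = {"timestamp": tok[0], "af": tok[af], "reason": tok[af + 1]}
    # The filter hash, when present, is the token just before the AF value (absent in the 2015 format).
    rec["filter_hash"] = tok[af - 1] if af > 1 and tok[af - 1].isdigit() else None
    if rec["reason"] == "match":
        rec["action"], rs, rec["direction"], length, proto = tok[af + 2:af + 7]
        rec["length"], detail, tail = int(length), tok[af + 7:ep], tok[ep + 1:]
        # TCP flags precede the optional tag; a tag made only of flag letters (e.g. "SA") would be misread.
        rec["flags"] = tail.pop(0) if tail and set(tail[0]) <= set("SAPUFR") else None
    else:  # TERM entries carry no action or length; packet and byte counters follow the endpoints
        rs, rec["direction"], proto = tok[af + 2:af + 5]
        detail, tail = tok[af + 5:ep], tok[ep + 1:]
        rec.update(action=None, length=None, flags=None)
        rec["packets_in"], rec["packets_out"] = map(int, tail.pop(0).split("/"))
        rec["bytes_in"], rec["bytes_out"] = map(int, tail.pop(0).split("/"))
    rec["ruleset"], rec["rule_id"] = rs.split("/")
    rec["protocol"] = proto if proto != "PROTO" else "PROTO " + detail[0]  # e.g. "PROTO 1"
    rec["term_reason"] = detail[0] if rec["reason"] == "TERM" and proto == "TCP" else None  # RST/FIN/TIMEOUT
    src, dst = tok[ep].split("->")
    (rec["src_ip"], rec["src_port"]), (rec["dst_ip"], rec["dst_port"]) = map(split_endpoint, (src, dst))
    rec["tag"] = tail[0] if tail else None  # text from the rule's Tag text box, if any
    return rec

def drops_per_rule(text):
    """Count DROP decisions per rule ID: a quick triage view of which rules are blocking traffic."""
    return Counter(r["rule_id"] for r in map(parse_dfw_line, text.splitlines()) if r["action"] == "DROP")
```

Running drops_per_rule(SAMPLE_LINES) over the constructed sample yields two DROP entries for rule 1002, matching the two DROP lines in the input.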

To enable rules message logging, log in to the vSphere Web Client:

  1. Enable the Log column on the Networking & Security > Firewall page.

  2. Enable logging for a rule by hovering over the Log table cell and clicking the pencil icon.

Note:

If you want customized text to be displayed in the firewall log message, you can enable the Tag column and add the required text by clicking the pencil icon.

Audit and System Event Logs

Audit logs include administration logs and Distributed Firewall configuration changes. These are stored in /home/secureall/secureall/logs/vsm.log.

System event logs include Distributed Firewall configuration applied, filter created, deleted, or failed, and virtual machines added to security groups, and so on. These logs are stored in /home/secureall/secureall/logs/vsm.log.

To view the audit and system event logs on the UI, navigate to Networking & Security > Installation > Management and double-click the IP address of the NSX Manager. Then click the Monitor tab.

For more information, see NSX Logging and System Events.