When logging is enabled for NSX-T IDS/IPS, you can inspect the log files to troubleshoot issues.
Below is a sample event from the NSX-T IDS/IPS log, located at /var/log/nsx-idps/nsx-idps-events.log. The engine writes each event as a single JSON object on one line; it is pretty-printed here for readability:

```json
{
  "timestamp": "2021-08-10T01:01:15.431231+0000",
  "flow_id": 1906423505866276,
  "pcap_cnt": 40,
  "event_type": "alert",
  "src_ip": "192.168.100.166",
  "src_port": 49320,
  "dest_ip": "185.244.30.17",
  "dest_port": 1965,
  "proto": "TCP",
  "direction": "to_server",
  "metadata": {
    "flowbits": ["LL.verifier_tcp_successful", "LL.verifier_tcp_failed", "LL.verifier_tcp_blocked"],
    "flowints": {
      "intraflow_beacon_num_strides": 0,
      "intraflow_beacon_last_ts": 1628557275,
      "intraflow_beacon_packets_seen": 1,
      "intraflow_beacon_grp_1": 1,
      "intraflow_beacon_grp_1_cnt": 0,
      "intraflow_beacon_grp_2": 1,
      "intraflow_beacon_grp_2_cnt": 0,
      "intraflow_beacon_grp_3": 1,
      "intraflow_beacon_grp_3_cnt": 0,
      "intraflow_beacon_prior_seq": 1762155507,
      "intraflow_beacon_prior_ack": 1700774517,
      "intraflow_beacon_num_runts": 0,
      "intraflow_beacon_sni_seen": 0
    }
  },
  "nsx_metadata": {
    "flow_src_ip": "192.168.100.166",
    "flow_dest_ip": "185.244.30.17",
    "flow_dir": 2,
    "rule_id": 1001,
    "profile_id": "f7169d04-81bf-4c73-9466-b9daec6220de",
    "user_id": 0,
    "vm_uuid": "b1396a3e-3bf9-4fd7-839d-0709c86707b0"
  },
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1096797,
    "rev": 14556,
    "signature": "LASTLINE Command&Control: (RAT) Remcos RAT",
    "category": "A Network Trojan was Detected",
    "severity": 1,
    "source": {"ip": "185.244.30.17", "port": 1965},
    "target": {"ip": "192.168.100.166", "port": 49320},
    "metadata": {
      "detector_id": ["96797"],
      "severity": ["100"],
      "confidence": ["80"],
      "exploited": ["None"],
      "blacklist_mode": ["REAL"],
      "ids_mode": ["REAL"],
      "threat_name": ["Remcos RAT"],
      "threat_class_name": ["command&control"],
      "server_side": ["False"],
      "flip_endpoints": ["False"],
      "ll_expected_verifier": ["default"]
    }
  },
  "flow": {
    "pkts_toserver": 3,
    "pkts_toclient": 1,
    "bytes_toserver": 808,
    "bytes_toclient": 66,
    "start": "2021-08-10T01:01:15.183844+0000"
  }
}
```
Field | Description |
---|---|
timestamp | The timestamp of the packet that triggered the alert. |
flow_id | The unique identifier of the flow, as tracked by nsx-idps. |
event_type | The type of event generated by the IDPS engine. For alerts the value is always "alert", regardless of the action taken on the packet. |
src_ip | The source IP of the packet that triggered the alert. Depending on the alert, this can be the address of the client or of the server; use the "direction" field to tell which endpoint is the client. |
src_port | The source port of the packet that triggered the alert. |
dest_ip | The destination IP of the packet that triggered the alert. |
dest_port | The destination port of the packet that triggered the alert. |
proto | The IP protocol of the packet that triggered the alert. |
direction | The direction of the packet relative to the flow: "to_server" for a packet flowing from client to server, "to_client" for a packet flowing from server to client. |
Any fields not listed in the table above or in the NSX Metadata table below are for internal use only.
NSX Metadata | Description |
---|---|
metadata.flowbits and metadata.flowints | A dump of the internal flow state. The variables are set dynamically by the signatures or Lua scripts operating on the specific flow. Their semantics are primarily internal and may change between IDS bundle updates. |
nsx_metadata.flow_src_ip | The IP address of the client. It can also be derived from the packet's endpoints together with the packet direction. |
nsx_metadata.flow_dest_ip | The IP address of the server. |
nsx_metadata.flow_dir | The direction of the flow with respect to the monitored virtual machine: 1 for flows inbound to the virtual machine, 2 for flows outbound from it. In the sample above, flow_dir is 2 because the connection was initiated from the monitored VM (192.168.100.166) to the external server. |
nsx_metadata.rule_id | The DFW::IDS rule ID to which the packet matched. |
nsx_metadata.profile_id | The context profile ID that was used by the matched rule. |
nsx_metadata.user_id | The user ID whose traffic generated the event. |
nsx_metadata.vm_uuid | The identifier of the virtual machine whose traffic generated the event. |
alert.action | The action performed by nsx-idps on the packet (allowed/blocked). It depends on the configured rule action. |
alert.gid, alert.signature_id, alert.rev | The identifier of the signature, and its revision. A signature can maintain the same identifier, and be updated to a newer version by increasing the revision. |
alert.signature | A short description of the detected threat. |
alert.category | The category of the detected threat. This is usually a very coarse, and sometimes inaccurate, categorization. More precise details are in alert.metadata. |
alert.severity | The priority of the signature, as derived from the alert category. Higher priority alerts are usually associated with more severe threats. |
alert.source/alert.target | Information on the attack direction, which does not necessarily match the flow direction. The source of the alert is the attacking endpoint, the target is the victim. In the sample above, the triggering packet flows from client to server ("to_server"), yet alert.source is the server 185.244.30.17:1965 and alert.target is the client 192.168.100.166:49320: the command-and-control server is treated as the attacker and the infected client as the victim. |
alert.metadata.detector_id | An internal identifier of the detection used by the NDR component to associate threat metadata and documentation. |
alert.metadata.severity | 0-100 range of the severity of the threat. This value is a function of the alert.metadata.threat_class_name. |
alert.metadata.confidence | 0-100 range of the degree of confidence in the correctness of the detection. Signatures that are released despite the potential for false positives report a low degree of confidence (<50). |
alert.metadata.exploited | A modifier to express whether the attacker reported in the detection is likely to be a compromised host (i.e. endpoint information should not be considered a reliable IoC). |
alert.metadata.blacklist_mode | Internal only. |
alert.metadata.ids_mode | The operation mode for the signature. Current possible values are REAL (produces real-mode detections in the NDR product), and INFO (produces info-mode detections in the NDR product). |
alert.metadata.threat_name | The name of the detected threat. The threat name is curated in the context of the NDR product as part of a well defined ontology, and is the most reliable source of information on the nature of the attack. |
alert.metadata.threat_class_name | Name of the high level class of the attack to which the threat pertains. Threat classes are high level categories with values such as "command&control", "drive-by," and "exploit." |
alert.metadata.server_side | A modifier to express whether the threat is meant to affect servers or clients. It is equivalent to the information expressed by the alert.source and alert.target attributes. |
alert.metadata.flip_endpoints | A modifier to express whether the signature is expected to match on packets flowing from server to client, rather than client to server. |
alert.metadata.ll_expected_verifier | Internal only. |
flow.pkts_toserver/flow.pkts_toclient/flow.bytes_toserver/flow.bytes_toclient | The number of packets and bytes seen in the flow at the moment the alert was generated. These are partial counts taken at alert time, not the total size of the flow. |
flow.start | The timestamp of the first packet belonging to the flow. |
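The field semantics above are enough to turn raw events into triage records. The following Python script is an added example, not part of the NSX-T documentation or product: it reads newline-delimited JSON of the shape shown in the sample, keeps only "alert" events, derives client and server from "direction" rather than from src_ip/dest_ip alone, takes attacker and victim from alert.source/alert.target, unwraps the alert.metadata values (which are arrays of strings, even for numeric fields), and cross-checks the derived client against nsx_metadata.flow_src_ip. The embedded sample log (the documented Remcos event plus an invented second alert), the escalation thresholds, the reading of "None" in alert.metadata.exploited as "not set", and all function names are assumptions made for this example.

```python
import json
from dataclasses import dataclass
from typing import Iterator

# Constructed sample log (not a real capture). Event 1 mirrors the documented Remcos RAT alert;
# event 2 is invented (INFO-mode, blocked, inbound, to_client) so the other code paths run;
# then a non-alert event and a truncated line, both of which a parser must skip.
_EVENTS = [
    {"timestamp": "2021-08-10T01:01:15.431231+0000", "event_type": "alert",
     "src_ip": "192.168.100.166", "src_port": 49320, "dest_ip": "185.244.30.17", "dest_port": 1965,
     "proto": "TCP", "direction": "to_server",
     "nsx_metadata": {"flow_src_ip": "192.168.100.166", "flow_dest_ip": "185.244.30.17",
                      "flow_dir": 2, "rule_id": 1001, "vm_uuid": "b1396a3e-3bf9-4fd7-839d-0709c86707b0"},
     "alert": {"action": "allowed", "signature_id": 1096797,
               "signature": "LASTLINE Command&Control: (RAT) Remcos RAT", "severity": 1,
               "source": {"ip": "185.244.30.17", "port": 1965},
               "target": {"ip": "192.168.100.166", "port": 49320},
               "metadata": {"severity": ["100"], "confidence": ["80"], "exploited": ["None"],
                            "ids_mode": ["REAL"], "threat_name": ["Remcos RAT"],
                            "threat_class_name": ["command&control"]}}},
    {"timestamp": "2021-08-10T01:02:00.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.5", "src_port": 443, "dest_ip": "203.0.113.9", "dest_port": 51000,
     "proto": "TCP", "direction": "to_client",
     "nsx_metadata": {"flow_src_ip": "203.0.113.9", "flow_dest_ip": "10.0.0.5", "flow_dir": 1,
                      "rule_id": 1002, "vm_uuid": "00000000-0000-4000-8000-000000000001"},
     "alert": {"action": "blocked", "signature_id": 2000001, "signature": "EXAMPLE exploit attempt",
               "source": {"ip": "203.0.113.9", "port": 51000}, "target": {"ip": "10.0.0.5", "port": 443},
               "metadata": {"severity": ["40"], "confidence": ["30"], "exploited": ["None"],
                            "ids_mode": ["INFO"], "threat_name": ["Example exploit"],
                            "threat_class_name": ["exploit"]}}},
    {"timestamp": "2021-08-10T01:03:00.000000+0000", "event_type": "stats"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS) + '\n{"timestamp": "2021-08-10T01:0'

@dataclass
class Triage:
    timestamp: str
    vm_direction: str   # nsx_metadata.flow_dir: 1 = inbound to the VM, 2 = outbound from it
    client: str         # flow initiator "ip:port", derived from direction plus src/dest
    server: str
    attacker: str       # alert.source, which need not be the client
    threat_name: str    # alert.metadata.threat_name (curated), falling back to alert.signature
    threat_class: str   # alert.metadata.threat_class_name
    ids_mode: str       # REAL or INFO
    severity: int       # alert.metadata.severity (0-100); distinct from alert.severity
    confidence: int     # alert.metadata.confidence (0-100)
    exploited: bool     # alert.metadata.exploited: attacker is likely itself a compromised host
    action: str         # alert.action: allowed or blocked
    consistent: bool    # direction-derived client matches nsx_metadata.flow_src_ip

def parse_events(text: str) -> Iterator[dict]:
    """Yield alert events from NDJSON text; skip other event types and unparsable lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partial line, e.g. read while the log was being written
        if isinstance(ev, dict) and ev.get("event_type") == "alert":
            yield ev

def meta_first(meta: dict, key: str, default: str) -> str:
    """alert.metadata values are arrays of strings ("severity": ["100"]); unwrap the first."""
    vals = meta.get(key) or []
    return str(vals[0]) if vals else default

def endpoints(ev: dict) -> tuple:
    """(client, server) as 'ip:port': src/dest alone are ambiguous, direction resolves them."""
    src, dst = f'{ev["src_ip"]}:{ev["src_port"]}', f'{ev["dest_ip"]}:{ev["dest_port"]}'
    return (src, dst) if ev["direction"] == "to_server" else (dst, src)

def triage(ev: dict) -> Triage:
    nsx, alert = ev["nsx_metadata"], ev["alert"]
    meta = alert.get("metadata", {})
    client, server = endpoints(ev)
    return Triage(
        timestamp=ev["timestamp"],
        vm_direction={1: "inbound", 2: "outbound"}.get(nsx.get("flow_dir"), "unknown"),
        client=client, server=server,
        attacker=f'{alert["source"]["ip"]}:{alert["source"]["port"]}',
        threat_name=meta_first(meta, "threat_name", alert.get("signature", "")),
        threat_class=meta_first(meta, "threat_class_name", ""),
        ids_mode=meta_first(meta, "ids_mode", "REAL"),
        severity=int(meta_first(meta, "severity", "0")),
        confidence=int(meta_first(meta, "confidence", "0")),
        # Assumption: "None" means the modifier is unset; anything else means set.
        exploited=meta_first(meta, "exploited", "None") != "None",
        action=alert["action"],
        consistent=client.rsplit(":", 1)[0] == nsx["flow_src_ip"],
    )

def needs_escalation(t: Triage, min_severity: int = 70, min_confidence: int = 50) -> bool:
    """Example policy (an assumption, not an NSX setting): REAL-mode alerts that were let
    through with high severity and at least medium confidence are escalated."""
    return (t.ids_mode == "REAL" and t.action == "allowed"
            and t.severity >= min_severity and t.confidence >= min_confidence)

def ioc_candidates(t: Triage) -> list:
    """The attacker IP is an IoC candidate unless the alert flags it as a compromised host."""
    return [] if t.exploited else [t.attacker.rsplit(":", 1)[0]]

def run(text: str = SAMPLE_LOG) -> list:
    return [triage(ev) for ev in parse_events(text)]
```

To use it on a host, call `run(open("/var/log/nsx-idps/nsx-idps-events.log").read())` and feed the records to whatever alerting you have. The script deliberately ignores the flow.pkts_*/flow.bytes_* counters, since they are partial counts at alert time and say nothing about the eventual size of the flow; if you need the `consistent` check to fail loudly, treat a mismatch between the direction-derived client and flow_src_ip as a parser bug or a flow that nsx-idps classified differently from the packet you expected.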