After configuring event log servers in the Active Directory, you need to turn on the Event Log Sources or VMware Aria Operations for Logs.

When using event log scraping, ensure that NTP is correctly configured across all devices. See Time Synchronization between NSX Manager, vIDM, and Related Components.

Note:

Event log scraping enables IDFW for physical devices. Event log scraping can be used for virtual machines, however guest introspection will take precedence over event log scraping. Guest Introspection is enabled through VMware Tools and if you are using the complete VMware Tools installation and IDFW, guest introspection will take precedence over event log scraping.

VMware Aria Operations for Logs 8.6 and later is supported with the provider configurations:
  • Palo Alto Global Protect
  • Aruba ClearPass
For more information about configuring VMware Aria Operations for Logs see Integrate vRealize Log Insight with NSX Identity Firewall.

Navigate to Security > General Settings > Identity Firewall Event Log Sources and toggle the button for Event Log Sources or vRealize Log Insight.