When logging is enabled for NSX-T IDS/IPS, you can look at log files to troubleshoot issues.

Below is a sample log file for NSX-T IDS/IPS, located in /var/log/nsx-idps/nsx-idps-events.log:
"signature":"LASTLINE Command&Control: (RAT) Remcos RAT","category":"A Network Trojan was Detected","severity":1,"source":{"ip":"","port":1965},"target":{"ip":"","port":49320},
"metadata":{"detector_id":["96797"],"severity":["100"],"confidence":["80"],"exploited":["None"],"blacklist_mode":["REAL"],"ids_mode":["REAL"],"threat_name":["Remcos RAT"],
Field Description
Timestamp The timestamp of the packet on top of which the alert was triggered.
flow_id The unique identifier for each flow tracked by nsx-idps.
event_type The type of event generated by the IDPS engine. For alerts, the event type will always be "alert" (regardless of the action performed).
src_ip The source IP of the packet on top of which the alert triggered. Depending on the alert characteristics, this might be the address of the client, or the address of the server. Refer to the field "direction" to determine the client.
src_port The source port of the packet on top of which the alert triggered.
dest_ip The destination IP of the packet on top of which the alert triggered.
dest_port The destination port of the packet on top of which the alert triggered.
proto The IP protocol of the packet on top of which the alert triggered.
direction The direction of the packet compared to the flow direction. The value will be "to_server" for a packet flowing from client to server, and "to_client" for a packet flowing from server to client.

Any fields not included on the NSX Metadat table are for internal use only.

NSX Metadata Description
metadata.flowbits and metadata.flowints This field constitutes a dump of the internal flow state. The variables are dynamically set by various signatures or Lua scripts operating on the specific flow. The semantics and nature of the fields are primarily internal, and may vary across IDS bundles updates.
nsx_metadata.flow_src_ip The IP address of the client. Can be derived by looking at the packets endpoints, and at the packet direction.
nsx_metadata.flow_dest_ip The IP address of the server.
nsx_metadata.flow_dir The direction of the flow with respect to the originating virtual machine. Value is 1 for flows that are inbound to the monitored virtual machine, and 2 for flows that are outbound to the monitored virtual machine.
nsx_metadata.rule_id The DFW::IDS rule ID to which the packet matched.
nsx_metadata.profile_id The context profile ID that was used by the matched rule.
nsx_metadata.user_id The user ID whose traffic generated the event.
nsx_metadata.vm_uuid The identifier of the virtual machine whose traffic generated the event.
alert.action The action performed by nsx-idps on packet (Allowed/Blocked). Depends on the configured Rule Action.
alert.gid, alert.signature_id, alert.rev The identifier of the signature, and its revision. A signature can maintain the same identifier, and be updated to a newer version by increasing the revision.
alert.signature A short description of the detected threat.
alert.category The category of the detected threat. This is usually a very coarse/inaccurate categorization. Mode details can be found in alert.metadata.
alert.severity The priority of the signature, as derived from the alert category. Higher priority alerts are usually associated with more severe threats.
alert.source/alert.target Information on the attack direction, which is not necessarily matching the flow direction. The source of the alert will be the attacking endpoint, while the target of the alert will be the victim of the attack.
alert.metadata.detector_id An internal identifier of the detection used by the NDR component to associate threat metadata and documentation.
alert.metadata.severity 0-100 range of the severity of the threat. This value is a function of the alert.metadata.threat_class_name.
alert.metadata.confidence 0-100 range of the degree of confidence in the correctness of the detection. Signatures that are released despite the potential for false positives report a low degree of confidence (<50).
alert.metadata.exploited A modifier to express whether the attacker reported in the detection is likely to be a compromised host (i.e. endpoint information should not be considered a reliable IoC).
alert.metadata.blacklist_mode Internal only.
alert.metadata.ids_mode The operation mode for the signature. Current possible values are REAL (produces real-mode detections in the NDR product), and INFO (produces info-mode detections in the NDR product).
alert.metadata.threat_name The name of the detected threat. The threat name is curated in the context of the NDR product as part of a well defined ontology, and is the most reliable source of information on the nature of the attack.
alert.metadata.threat_class_name Name of the high level class of the attack to which the threat pertains. Threat classes are high level categories with values such as "command&control", "drive-by," and "exploit."
alert.metadata.server_side A modifier to express whether the threat is meant to effect servers or clients. It is equivalent to the information expressed by the alert.source, and alert.target attributes.
alert.metadata.flip_endpoints A modifier to express whether the signature is expected to match on packets flowing from server to client, rather than client to server.
alert.metadata.ll_expected_verifier Internal only.
flow.pkts_toserver/flow.pkts_toclient/flow.bytes_toserver/flow.bytes_toclient Information on the number of packets/bytes that were seen in a given flow at the time of the alert. Note that this information does not express the total amount of packets belonging to the flow. This information expresses the partial counts at the moment in which the alert was generated.
flow.start The timestamp of the first packet belonging to the flow.