After configuring event log servers in Active Directory, you need to turn on Event Log Sources or Aria Operations for Logs.

When using event log scraping, ensure that NTP is correctly configured across all devices. See the topic Time Synchronization between NSX Manager, vIDM, and Related Components.

Note:

Event log scraping enables IDFW for physical devices. Event log scraping can also be used for virtual machines; however, guest introspection is enabled through VMware Tools, and if you are using the complete VMware Tools installation and IDFW, guest introspection takes precedence over event log scraping.

Aria Operations for Logs 8.6 and later is supported with the following provider configurations:
  • Palo Alto Global Protect
  • Aruba ClearPass
For more information about configuring Aria Operations for Logs (formerly known as vRealize Log Insight), see Integrate vRealize Log Insight with NSX Identity Firewall.

Navigate to Security > General Settings > Identity Firewall Event Log Sources and toggle the button for Event Log Sources or Aria Operations for Logs.