To redirect NSX Malware Prevention service virtual machine (SVM) log messages to a remote log server, you can log in to the SVM on the hosts of the vSphere host clusters that are activated for NSX Distributed Malware Prevention service, and configure remote logging by running NSX CLI commands.

Remote logging on NSX Malware Prevention SVMs is supported starting in NSX 4.1.2.

Currently, only log messages for the NSX Malware Prevention file analysis lifecycle events are redirected to the remote log server. Typically, file analysis starts when a file is downloaded on a workload VM that is protected by an NSX Malware Prevention security policy. The downloaded file is processed by various components and a verdict is returned. The results provided by important intermediate components are logged in the syslog file on the SVM.

Some examples of file analysis lifecycle events are as follows:
  • File intercepted
  • Verdict cache hit
  • File sent for local (static) analysis
  • File sent for cloud (dynamic) analysis
  • Verdict obtained
  • Policy enforced

If you want to redirect log messages for SVM health monitoring events, including SVM resource consumption, such as CPU usage, disk usage, and memory usage, you can configure remote logging on the NSX Manager CLI. Alternatively, you can monitor these health events on the Alarms page of the NSX Manager UI. For more information about the NSX Malware Prevention health events, see the NSX Event Catalog.

The following protocols are supported for configuring remote logging on the SVM:
  • TCP
  • UDP
  • TLS (secure remote logging)

TCP has the advantage of being more reliable, whereas UDP has the advantage of requiring less system and network overhead. The TLS protocol has additional overhead but provides encrypted traffic between the SVM and the remote log server.

Aria Operations for Logs protocols (LI and LI-TLS) are not supported for configuring remote logging on the SVM.

Prerequisites

  • The VMware vCenter administrator must activate SSH access to the SVM on each host. For more information, see the Prerequisites section in Log in to the NSX Malware Prevention Service Virtual Machine.
  • Familiarize yourself with the set logging-server CLI command. For more information, see the Malware Prevention Service VM documentation in the NSX Command-Line Interface Reference.
  • If you want to specify the TLS protocol for configuring a remote log server, copy the server certificates, client certificates, and the client key to /var/vmware/nsx/file-store on each NSX Malware Prevention SVM by using the copy url <url> [file <filename>] CLI command.

    In the following example, the copy command is run on the SVM, so by default the client-key.pem file from the source location is copied to /var/vmware/nsx/file-store on the SVM.

    Example:
    svm> copy url scp://user@1.2.3.4:/home/user/openssl/client-key.pem
    The authenticity of host '1.2.3.4 (1.2.3.4)' can't be established.
    ECDSA key fingerprint is SHA256:abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '1.2.3.4' (ECDSA) to the list of known hosts.
    user@1.2.3.4's password:
    client-key.pem                                100% 1704     8.0KB/s   00:00
  • To configure a secure connection to a remote log server, verify that the server is configured with CA-signed certificates. For example, if you have an Aria Operations for Logs server vrli.prome.local as the log server, you can run the following command from a client to see the certificate chain on the log server:
    root@caserver:~# echo -n | openssl s_client -connect vrli.prome.local:443  | sed -ne '/^Certificate chain/,/^---/p'
    depth=2 C = US, L = California, O = GS, CN = Orange Root Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    Certificate chain
     0 s:/C=US/ST=California/L=HTG/O=GSS/CN=vrli.prome.local
       i:/C=US/L=California/O=GS/CN=Green Intermediate Certification Authority
     1 s:/C=US/L=California/O=GS/CN=Green Intermediate Certification Authority
       i:/C=US/L=California/O=GS/CN=Orange Root Certification Authority
     2 s:/C=US/L=California/O=GS/CN=Orange Root Certification Authority
       i:/C=US/L=California/O=GS/CN=Orange Root Certification Authority
    ---
    DONE

Procedure

  1. Log in to the NSX Malware Prevention SVM as an admin user.
  2. Run the following command to configure a remote log server on the SVM:
    svm> set logging-server <hostname-or-ip-address[:port]> proto <proto> level <level> messageid SECURITY [facility <facility>] [serverca <filename>] [clientca <filename>] [certificate <filename>] [key <filename>] [structured-data <structured-data>]

    This command redirects SVM log messages to the specified IP address or FQDN of the server at the specified port. If a port is not specified, the default port for the specified protocol is used: port 514 for TCP and UDP, and port 6514 for TLS.

    The messageid parameter is preconfigured. Currently, only logs with the SECURITY message ID are supported.

    To learn about filtering log messages and specifying facilities in this command, see the Malware Prevention Service VM documentation in the NSX Command-Line Interface Reference.

    Example 1: To redirect SVM log messages to the 10.1.1.1 log server by using the UDP protocol, run the following command:

    svm> set logging-server 10.1.1.1 proto udp level info messageid SECURITY

    Example 2: To redirect SVM log messages securely to a remote log server by using the TLS protocol, run the following command:

    svm> set logging-server <hostname-or-ip-address[:port]> proto tls level info messageid SECURITY serverca <ca-cert.pem> clientca <ca-cert.pem> certificate <client-cert.pem> key <client-key.pem>

    As mentioned in the Prerequisites section of this documentation, the server certificates, client certificates, and client key must be copied to /var/vmware/nsx/file-store on each NSX Malware Prevention SVM.

    Note the following:
    • For the serverca parameter, only the root certificate is required, not the full chain.
    • If clientca is different from serverca, only the root certificate is required for clientca as well.
    • The certificate file should hold the full certificate chain of the NSX Malware Prevention SVM. The certificate should be NDcPP compliant (EKU, BASIC, and CDP; the CDP check can be ignored).
    Example of a successful logging-server configuration as recorded in /var/log/syslog:
    2023-06-26T18:22:21.504Z NSX 3671 - [nsx@6876 comp="nsx-mps-svm" subcomp="cli" username="admin" level="INFO"] {10000} CMD: set logging-server 1.2.3.4 proto tls level info serverca ca-cert.pem clientca ca-cert.pem certificate client-cert.pem key client-key.pem
    2023-06-26T18:22:24.677Z rsyslogd - - -  nsd_ossl: TLS Connection initiated with remote syslog server. [v8.2304.0]
    2023-06-26T18:22:26.894Z NSX 932 - [nsx@6876 comp="nsx-mps-svm" subcomp="node-mgmt" username="admin" level="INFO"] Connection to 1.2.3.4:6514 is established
    2023-06-26T18:22:28.116Z NSX 3671 - [nsx@6876 comp="nsx-mps-svm" subcomp="cli" username="admin" level="INFO" audit="true"] CMD: set logging-server 1.2.3.4 proto tls level info serverca ca-cert.pem clientca ca-cert.pem certificate client-cert.pem key client-key.pem (duration: 6.611s), Operation status: CMD_EXECUTED
    Note: After completing the syslog exporter configuration, you must delete all the certificates and keys from /var/vmware/nsx/file-store to avoid potential security vulnerabilities.

    Example 3: To redirect log messages for NSX Malware Prevention health monitoring events, run the following command on the NSX Manager CLI:

    nsx> set logging-server 10.1.1.1 proto udp level info messageid MONITORING structured-data eventFeatureName="malware_prevention_health"

    Observe that in this command, the messageid parameter is set to MONITORING.

  3. To view the logging configuration on the SVM, run the get logging-servers command.

    Example:

    svm> get logging-servers
    Tue Jun 27 2023 UTC 05:18:57.098
    1.2.3.4:514 proto udp level info messageid SECURITY exporter_name 694ab1dc-0250-4cae-a7a4-3dde205225a3
  4. (Optional) To verify IP table rules for all logging servers, run the verify logging-servers command.
  5. (Optional) To delete a specific logging server configuration, run the following command:
    Example:
    svm> del logging-server 1.2.3.4:514 proto udp level info messageid SECURITY
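The SVM's /var/log/syslog excerpt in step 2 is the evidence that the exporter actually came up: a node-mgmt line reporting the connection and an audit line recording the command as CMD_EXECUTED. The following Python is an added example, not part of the NSX documentation, that parses those NSX structured-data syslog lines and reports whether a TLS exporter was established; the sample lines are constructed from the excerpt above, with placeholder host 1.2.3.4.

```python
import re

# Constructed sample, modelled on the /var/log/syslog excerpt in step 2 above
# (timestamps and the 1.2.3.4 server are placeholders, not real values).
SAMPLE_SYSLOG = """\
2023-06-26T18:22:21.504Z NSX 3671 - [nsx@6876 comp="nsx-mps-svm" subcomp="cli" username="admin" level="INFO"] {10000} CMD: set logging-server 1.2.3.4 proto tls level info serverca ca-cert.pem clientca ca-cert.pem certificate client-cert.pem key client-key.pem
2023-06-26T18:22:24.677Z rsyslogd - - -  nsd_ossl: TLS Connection initiated with remote syslog server. [v8.2304.0]
2023-06-26T18:22:26.894Z NSX 932 - [nsx@6876 comp="nsx-mps-svm" subcomp="node-mgmt" username="admin" level="INFO"] Connection to 1.2.3.4:6514 is established
2023-06-26T18:22:28.116Z NSX 3671 - [nsx@6876 comp="nsx-mps-svm" subcomp="cli" username="admin" level="INFO" audit="true"] CMD: set logging-server 1.2.3.4 proto tls level info serverca ca-cert.pem clientca ca-cert.pem certificate client-cert.pem key client-key.pem (duration: 6.611s), Operation status: CMD_EXECUTED
"""

# An NSX line: <timestamp> <app> <procid> <msgid> [<sd-id> k="v" ...] <message>
# Lines without the bracketed structured-data element (e.g. rsyslogd's own
# messages) deliberately do not match.
NSX_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) '
    r'\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\] (?P<msg>.*)$'
)
SD_PARAM = re.compile(r'(\w+)="([^"]*)"')
CONNECTED = re.compile(r"Connection to (\S+) is established")


def parse_nsx_line(line):
    """Return a dict of header fields plus structured-data params, or None."""
    m = NSX_LINE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "app", "pid", "msgid", "sdid", "msg")}
    rec.update(dict(SD_PARAM.findall(m.group("params"))))  # comp, subcomp, level, audit, ...
    return rec


def exporter_status(text):
    """Summarise a syslog excerpt: which server the SVM connected to, whether the
    set logging-server command was audited, and whether it completed."""
    status = {"connected_to": None, "audited": False, "executed": False}
    for line in text.splitlines():
        rec = parse_nsx_line(line)
        if rec is None:
            continue
        if rec.get("subcomp") == "node-mgmt":
            cm = CONNECTED.search(rec["msg"])
            if cm:
                status["connected_to"] = cm.group(1)
        if rec.get("audit") == "true" and rec["msg"].startswith("CMD: set logging-server"):
            status["audited"] = True
            status["executed"] = "Operation status: CMD_EXECUTED" in rec["msg"]
    return status
```

A connected_to value ending in :6514 confirms the default TLS port from step 2 was used; an audited command without a connection line points at a certificate or reachability problem on the log server side.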