The NSX Malware Prevention feature runs on NSX Edges, on service virtual machines (on ESXi hosts), and on the NSX Application Platform. The product logs generated on NSX Edges and service virtual machines conform to the RFC 5424 log message standard.
Log Messages
On NSX appliances, syslog messages conform to the RFC 5424 standard. Additional product logs are written to the /var/log directory.
- On an NSX Edge, malware analysis log messages for extracted files are provided by the Gateway Malware Prevention service on the active tier-1 gateway.
- On an ESXi host, malware analysis log messages for files downloaded on the workload VMs, which are running on the host, are provided by the Malware Prevention Service VM on the ESXi host.
- For files that are extracted by both Gateway Malware Prevention service and Distributed Malware Prevention service, malware analysis log messages are provided by the Security Analyzer microservice, which is running on the NSX Application Platform.
Remote logging is also supported. To consume NSX Malware Prevention feature logs, you can configure NSX Edges, NSX Application Platform, and NSX Malware Prevention service virtual machines to send or redirect log messages to a remote log server.
Remote Logging on NSX Edge
You must configure remote logging on each NSX Edge node individually. To configure the remote logging server on an NSX Edge node by using the NSX CLI, see Configure Remote Logging.
To configure the remote logging server on an NSX Edge node by using the NSX Manager UI, see Add Syslog Servers for NSX Nodes.
Remote Logging on NSX Application Platform
To redirect NSX Application Platform log messages to an external log server, you must call a REST API.
For information about the REST API along with sample request body, response, and code samples, see the VMware Developer Documentation portal.
Remote Logging on NSX Malware Prevention Service Virtual Machine
This functionality is supported starting in NSX 4.1.2.
- In NSX 4.1.2 or later: To redirect NSX Malware Prevention service virtual machine (SVM) log messages to an external log server, you can log in to the SVM as an admin user and run NSX CLI commands on the SVM. To learn more, see Configure Remote Logging on an NSX Malware Prevention Service Virtual Machine.
- In NSX 4.1.1 or earlier: Configuration of remote logging on the NSX Malware Prevention SVM is not supported. However, you can copy the syslog file from each NSX Malware Prevention SVM by logging on to the SVM with an SSH connection.
SSH access to the admin user of the SVM is key-based (public-private key pair). A public key is needed when you are deploying the service on an ESXi host cluster, and a private key is needed when you want to start an SSH session to the SVM.
For more information, see Log in to the NSX Malware Prevention Service Virtual Machine.
After logging in to the SVM, use the sftp or the scp command to copy the syslog file from the /var/log directory at that particular time. If multiple syslog files are available at this location, they are compressed and stored at the same path.
More Information about Logging
Interpret NSX Malware Prevention Event Log Messages
The format of the log messages for NSX Malware Prevention events on the service virtual machine and NSX Edge is the same. However, for events on the NSX Application Platform, the format of the log messages is different.
The following event log message is generated by the sa-events-processor microservice, which is a pod that runs on the NSX Application Platform.
Example:
```json
{"log":"{\"log\":\"\\u001b[37m2022-06-01T01:42:58,725\\u001b[m \\u001b[32mINFO \\u001b[m[\\u001b[1;34mfileEventConsumer-1\\u001b[m] \\u001b[1;33mc.v.n.s.e.k.EventsProcessorConsumerService\\u001b[m: SECURITY [nsx@6876 comp=\\\"nsx-manager\\\" level=\\\"INFO\\\" subcomp=\\\"manager\\\"] Event number 2 received from topic: ams-file-seen-events partition: 0 and offset: 212640 is: FileInspectionEvent(id=0, sha256=29fbd4604acb1da497e8127cd688bf2614f565fc4d4c808989df41c4a6fb924d, sha1=549cb3f1c85c4ef7fb06dcd33d68cba073b260ec, md5=65b9b68668bb6860e3144866bf5dab85, fileName=drupdate.dll, fileType=PeExeFile, fileSize=287024, inspectionTime=1654047770305, clientPort=0, clientIp=null, clientFqdn=null, clientVmId=500cd1b6-96b6-4567-82f4-231a63dead81, serverPort=0, serverIp=null, serverFqdn=null, serverVmId=null, applicationProtocol=null, submittedBy=SYSTEM, isFoundByAsds=true, isBlocked=false, allowListed=false, verdict=BENIGN, score=0, analystUuid=null, submissionUuid=null, tnId=38c58796-9983-4a41-b9f2-dc309bd3458d, malwareClass=null, malwareFamily=null, errorCode=null, errorMessage=null, nodeType=1, gatewayId=, analysisStatus=COMPLETED, followupEvent=false, httpDomain=null, httpMethod=null, path=null, referer=null, userAgent=null, contentDispositionFileName=null, isFileUpload=false, startTime=1654047768828, endTime=1654047768844, ttl=1654220570304)\\n\",\"stream\":\"stdout\",\"time\":\"2022-06-01T01:42:58.725811209Z\"}","log_processed":{"log":"\u001b[37m2022-06-01T01:42:58,725\u001b[m \u001b[32mINFO \u001b[m[\u001b[1;34mfileEventConsumer-1\u001b[m] \u001b[1;33mc.v.n.s.e.k.EventsProcessorConsumerService\u001b[m: SECURITY [nsx@6876 comp=\"nsx-manager\" level=\"INFO\" subcomp=\"manager\"] Event number 2 received from topic: ams-file-seen-events partition: 0 and offset: 212640 is: FileInspectionEvent(id=0, sha256=29fbd4604acb1da497e8127cd688bf2614f565fc4d4c808989df41c4a6fb924d, sha1=549cb3f1c85c4ef7fb06dcd33d68cba073b260ec, md5=65b9b68668bb6860e3144866bf5dab85, fileName=drupdate.dll, fileType=PeExeFile, fileSize=287024, inspectionTime=1654047770305, clientPort=0, clientIp=null, clientFqdn=null, clientVmId=500cd1b6-96b6-4567-82f4-231a63dead81, serverPort=0, serverIp=null, serverFqdn=null, serverVmId=null, applicationProtocol=null, submittedBy=SYSTEM, isFoundByAsds=true, isBlocked=false, allowListed=false, verdict=BENIGN, score=0, analystUuid=null, submissionUuid=null, tnId=38c58796-9983-4a41-b9f2-dc309bd3458d, malwareClass=null, malwareFamily=null, errorCode=null, errorMessage=null, nodeType=1, gatewayId=, analysisStatus=COMPLETED, followupEvent=false, httpDomain=null, httpMethod=null, path=null, referer=null, userAgent=null, contentDispositionFileName=null, isFileUpload=false, startTime=1654047768828, endTime=1654047768844, ttl=1654220570304)","stream":"stdout","time":"2022-06-01T01:42:58.725811209Z"},"kubernetes":{"pod_name":"sa-events-processor-55bcfcc46d-4jftf","namespace_name":"nsxi-platform","pod_id":"305953f7-836b-4bbb-ba9e-00fdf68de4ae","host":"worker03","container_name":"sa-events-processor","docker_id":"93f81f278898e6ce3e14d9a37e0e10a502c46fe53c9ad61680aed48b94f7f8bf","container_hash":"projects.registry.vmware.com/nsx_application_platform/clustering/sa-events-processor@sha256:b617f4bb9f3ea5767839e39490a78169f7f3d54826b89638e4a950e391405ae4","container_image":"projects.registry.vmware.com/nsx_application_platform/clustering/sa-events-processor:19067767"}}
```
In this sample event log message, observe that apart from the standard log attributes, such as date (2022-06-01T00:42:58,326) and log level (INFO), and filterable attributes, such as module (SECURITY) and container_name (sa-events-processor), additional attributes are present in a JSON-style format. The following table lists these additional attributes.
Key | Sample Value |
---|---|
id | 0 |
sha256 | 29fbd4604acb1da497e8127cd688bf2614f565fc4d4c808989df41c4a6fb924d |
sha1 | 549cb3f1c85c4ef7fb06dcd33d68cba073b260ec |
md5 | 65b9b68668bb6860e3144866bf5dab85 |
fileName | drupdate.dll |
fileType | PeExeFile |
fileSize | 287024 |
inspectionTime | 1654047770305 |
clientPort | 0 |
clientIp | null |
clientFqdn | null |
clientVmId | 500cd1b6-96b6-4567-82f4-231a63dead81 |
serverPort | 0 |
serverIp | null |
serverFqdn | null |
serverVmId | null |
applicationProtocol | null |
submittedBy | SYSTEM |
isFoundByAsds | true |
isBlocked | false |
allowListed | false |
verdict | BENIGN |
score | 0 |
analystUuid | null |
submissionUuid | null |
tnId | 38c58796-9983-4a41-b9f2-dc309bd3458d |
malwareClass | null |
malwareFamily | null |
errorCode | null |
errorMessage | null |
nodeType | 1 |
gatewayId | |
analysisStatus | COMPLETED |
followupEvent | false |
httpDomain | null |
httpMethod | null |
path | null |
referer | null |
userAgent | null |
contentDispositionFileName | null |
isFileUpload | false |
startTime | 1654047768828 |
endTime | 1654047768844 |
ttl | 1654220570304 |
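To make these attributes usable in a SIEM, a collector has to unwrap the docker json-file string in "log" (or use the decoded log_processed copy), strip the ANSI colour codes, and split the FileInspectionEvent(...) key=value list. The following parser and triage rule are an added example, not code from VMware or the NSX product; the log record it parses is constructed in the shape of the message above, with an abbreviated event and an all-zero placeholder hash.

```python
import json
import re

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")            # colour codes around the timestamp and level
EVENT_RE = re.compile(r"FileInspectionEvent\((.*)\)")
SPLIT_RE = re.compile(r", (?=\w+=)")                # split only in front of the next key=
HASH_KEYS = {"sha256", "sha1", "md5"}               # hex digests must stay strings

# Constructed record in the shape of the sa-events-processor log above; the event is
# abbreviated and the sha256 is an all-zero placeholder, not a real indicator.
INNER = ("\x1b[37m2022-06-01T01:42:58,725\x1b[m \x1b[32mINFO \x1b[m[fileEventConsumer-1] "
         "SECURITY [nsx@6876 comp=\"nsx-manager\" level=\"INFO\"] Event number 2 received "
         "from topic: ams-file-seen-events partition: 0 and offset: 212640 is: "
         "FileInspectionEvent(id=0, sha256=" + "0" * 64 + ", fileName=sample.dll, "
         "fileType=PeExeFile, fileSize=287024, clientIp=null, "
         "clientVmId=500cd1b6-96b6-4567-82f4-231a63dead81, isBlocked=false, "
         "allowListed=false, verdict=MALICIOUS, score=70, errorCode=null, gatewayId=, "
         "analysisStatus=COMPLETED)\n")
SAMPLE_LINE = json.dumps({"log": json.dumps({"log": INNER, "stream": "stdout"}),
                          "kubernetes": {"container_name": "sa-events-processor"}})


def _coerce(key, value):
    """Map the Java toString() literals (null, true/false, integers) to Python values."""
    if value in ("null", ""):
        return None
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.isdigit() and key not in HASH_KEYS else value


def parse_file_inspection_event(line):
    """Return the FileInspectionEvent fields of one log record, or None if it has none."""
    outer = json.loads(line)
    # log_processed is the decoded copy; "log" is the docker json-file string, itself JSON.
    inner = outer.get("log_processed") or json.loads(outer["log"])
    match = EVENT_RE.search(ANSI_RE.sub("", inner["log"]))
    if not match:
        return None
    pairs = (p.partition("=") for p in SPLIT_RE.split(match.group(1)))
    return {k: _coerce(k, v) for k, _, v in pairs}


def triage(event):
    """Reason string when an analyst should look at the event, otherwise None."""
    if event.get("analysisStatus") != "COMPLETED" or event.get("errorCode") is not None:
        return "analysis did not complete"
    if event.get("verdict") != "BENIGN" and not event.get("isBlocked") and not event.get("allowListed"):
        return "%s verdict for %s on VM %s, not blocked" % (
            event["verdict"], event["fileName"], event["clientVmId"])
    return None
```

The triage rule flags a non-benign verdict that was neither blocked nor allow-listed, and any event whose analysis did not complete, which is where a detection-only deployment most needs a follow-up.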
Troubleshoot Syslog Issues
If the remote log server that you configured is unable to receive logs, see Troubleshooting Syslog Issues.
Collect Support Bundles
- To collect support bundles for Management Nodes, NSX Edges, and Hosts, see Collect Support Bundles.
- To collect support bundles for NSX Application Platform, see the Deploying and Managing the VMware NSX Application Platform documentation at https://docs.vmware.com/en/VMware-NSX/index.html.
- (In NSX 4.1.2 or later): To collect support bundles for NSX Malware Prevention SVMs running on vSphere host clusters that are activated for NSX Distributed Malware Prevention service, see Collect Support Bundle for an NSX Malware Prevention Service Virtual Machine.