You can monitor events and view data of the last 14 days.

To view intrusion events, navigate to Security > IDS/IPS . You can filter the events based on the following criteria:
  • Filter criteria. Select from the following options:
    Filter Criteria Description
    Attack Target Target of the attack.
    Attack Type Type of attack, such as trojan horse, or denial of service (DoS).
    CVSS Common Vulnerability Score (filter based on a score above a set threshold).
    Gateway Name The gateway name on which the event was registered.
    IP Address IP address on which the event was registered.
    Product Affected Vulnerable product or (version), such as Windows XP or Web_Browsers.
    Signature ID Unique ID of the signature rule.
    VM Name The VM (based on logical port) on which the event was registered.
  • Traffic: Select from the following options:
    • All traffic
    • Distributed only
    • Gateway only
  • Signature actions: Select from the following options:
    • Show all signatures
    • Dropped (Prevented)
    • Rejected (Prevented)
    • Alert (Detect Only)
  • Severity rating: Select from the following options:
    • Critical
    • High
    • Medium
    • Low
    • Suspicious

You can toggle the Timeline button to view or hide the timeline graph that is based on severity ratings. The graph presents events that occurred over a selected time span. You can zoom in to the specific time window on this graph to view details of signatures of the related events that happened during the time window.

On the timeline graph, colored dots indicate the unique type of intrusion events and can be clicked for details. The size of the dot indicates the number of times an intrusion event has been seen. A blinking dot indicates that an attack is ongoing. Point to a dot to see the attack name, number of attempts, first occurrence, and other details.
  • Red dots - represent critical severity signature events.
  • Orange dots - represent high severity signature events.
  • Yellow dots - represent medium severity signature events.
  • Gray dots - represent low severity signature events.
  • Purple - represent suspicious severity signature events.

All the intrusion attempts for a particular signature are grouped and plotted at their first occurrence.

Click the arrow next to an event to view details.
Detail Description
Impact Score

Impact score is a combined value of risk score (the severity of the threat) and the confidence score (strength of the detection being correct).

Severity Signature severity of the intrusion.
Last Detected This is the last time the signature was fired.
Details Brief description of what the signature is targeting.
Users Affected Number of users who were impacted by the event.
Workloads Number of workloads affected. Click to view affected workload details.
CVE Details

CVE reference of the vulnerability targeted by the exploit.

CVSS

Common Vulnerability Score of the vulnerability targeted by the exploit.

Intrusion Event Details (latest occurrence) - Source IP address of the attacker and source port used.
Intrusion Event Details (latest occurrence) - Gateway Edge node details that contain the workload on which the event was registered.
Intrusion Event Details (latest occurrence) - Hypervisor Transport node details that contain the workload on which the event was registered.
Intrusion Event Details (latest occurrence) - Target IP address of the victim and destination port used.
Attack Direction Client-Server or Server-Client.
Attack Target Target of the attack.
Attack Type Type of attack, such as trojan horse, or denial of service (DoS).
Product Affected Illustrates what product is vulnerable to the exploit.
Total Events Total number of intrusion attempts for the event.
Intrusion Activity Displays the total number of times this particular IDS signature was triggered, the most recent occurrence, and the first occurrence.
Service Protocol information associated with the event.
Signature ID

Unique ID of the IDS signature.

Signature Revision The revision number of the IDS signature.
Mitre Technique MITRE ATT&CK technique describing the detected activity.
Mitre Tactic MITRE ATT&CK tactic describing the detected activity.
Associated IDS Rule Clickable link to the configured IDS Rule which resulted in this event.
To view full intrusion history, click the View Full Event History link. A window opens with the following details:
Detail Description
Time Detected This is the last time the signature was fired.
Traffic Type

This could be Distributed or Gateway. Distributed indicates East-West traffic flow and Gateway indicates North-South traffic flow.

Workloads/IPs Affected Number of virtual machines or IP addresses which has hit the given attack or vulnerability for a given traffic flow.
Attempts Number of intrusion attempts made for an attack or vulnerability during a given traffic flow.
Source IP address of the attacker.
Destination IP address of the victim.
Protocol Traffic protocol of the detected intrusion.
Rule Rule to which the signature belongs (through the profile).
Profile Profile to which the signature belongs.
Action Any of the following actions that was triggered against the event:
  • Drop
  • Reject
  • Alert
You can also filter intrusion history based on the following criteria:
  • Action
  • Destination IP
  • Destination Port
  • Protocol
  • Rule
  • Source IP
  • Source Port
  • Traffic Type

Logging

NSX components write to log files in the directory /var/log. On NSX appliances, NSX syslog messages conform with RFC 5424. On ESXi hosts, syslog messages conform with RFC 3164.

There are two IDS/IPS related local event log files in the /var/log/nsx-idps folder on ESXi hosts:
  • fast.log - Contains internal logging of nsx-idps process events, with limited information and is used only for debugging purposes.
  • nsx-idps-events.log - Contains detailed information about events (all alerts/drops/rejects) with NSX metadata.
Multi-tenancy
Starting with NSX 4.1.1, multi-tenancy is also supported for NSX IDS/IPS.

The tenant context is logged while handling configuration messages. The context is logged for the following messages:

  1. IdsSignaturesMsg
  2. ContextProfileMsg
  3. SecurityFeatureToggleMsg
  4. RuleMsg - The Rule message does not directly contain the tenant context. It is retrieved from the RuleSectioMsg.
  5. GlobalConfigMsg

These logs are stored in /var/log/nsx-syslog.log. If the VPC or project is missing, empty strings are printed in the tenant context fields. If the org is missing, none of the three tenant context fields are printed.

For more information about multi-tenancy, see NSX Multi-tenancy.
Logging APIs

By default, the IDS/IPS syslog is not enabled. Run the following API to query the current settings.

GET https://<Manager-IP>/api/v1/infra/settings/firewall/security/intrusion-services/

Example Response:

{
    "auto_update": true,
    "ids_ever_enabled": true,
    "ids_events_to_syslog": false,   
    "oversubscription": "BYPASSED",
    "resource_type": "IdsSettings",
    "id": "intrusion-services",
    "display_name": "intrusion-services",
    "path": "/infra/settings/firewall/security/intrusion-services",
    "relative_path": "intrusion-services",
    "parent_path": "/infra",
    "unique_id": "5035623f-255e-4153-945a-cc320451e4a0",
    "realization_id": "5035623f-255e-4153-945a-cc320451e4a0",
    "marked_for_delete": false,
    "overridden": false,
    "_create_time": 1665948964775,
    "_create_user": "system",
    "_last_modified_time": 1680466910136,
    "_last_modified_user": "admin",
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_revision": 5
}

To enable the sending of NSX IDS/IPS logs to a central log repository, run the following API and set the ids_events_to_syslog variable to true.

PATCH https://<Manager-IP>/api/v1/infra/settings/firewall/security/intrusion-services/

Example Request:

 {
    "auto_update": true,
    "ids_ever_enabled": true,
    "ids_events_to_syslog": true,   
    "oversubscription": "BYPASSED",
    "resource_type": "IdsSettings",
    "id": "intrusion-services",
    "display_name": "intrusion-services",
     .
     .
     .
  }

These events are exported directly from ESXi hosts, so ensure remote syslog is configured on the ESXi host. You must also ensure that the NSX manager and ESXi hosts are also setup to forward syslog messages to the central log repository.

For information about the IDs/IPS APIs, see the NSX API Guide. For more information about configuring remote logging, see Configure Remote Logging and all related information under the section Log Messages and Error Codes.