Beginning with the 4.5 release, Gateways can export NAT information to a remote syslog server or, via telegraf, to the desired destination. With NAT information streamed, Operators can determine who the original sender is for any flow to which NAT was applied.

Prerequisites

  • Only Operators and Partners can configure Gateway NAT entry syslog. If an Operator grants Gateway management access to a Partner, the Partner can configure NAT entry syslog.
    Note: A maximum of two remote syslog servers can be configured per Gateway.

Procedure (Via Remote Server)

To configure syslog settings for Gateways via a remote server, perform the steps below.

  1. From the SD-WAN Orchestrator, go to Gateways.

    The SD-WAN Gateways page appears.

  2. Select a Gateway to configure NAT entry syslog.

    The Configure Settings page for the selected Gateway appears.

  3. Scroll down to the Syslog Settings area.

  4. In the Syslog Settings area, configure the following:
    1. Select a Facility in the Facility drop-down menu.
    2. In the Tag text box, type in the tags.
    3. Enter the IP address of the remote syslog server.
    4. Select a protocol from the Protocol drop-down menu.
    5. Enter port details in the Port text box.
    6. In the Syslog Level drop-down menu, INFO is the only option; it is the level at which the Gateway streams the NAT entry details.
  5. Click the + button to add another Syslog collector, or click Save Changes.

Procedure (Via Telegraf)

For information about configuring syslog settings via telegraf, see the VMware SD-WAN Gateway Monitoring Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.

See the table below for the fields that are included in the NAT event message.

Table 1. Syslog Event Message Fields

  Field              Description
  ACTION             NAT Insert or NAT Delete
  ENTERPRISE_ID      Logical ID of the Enterprise
  VCE_ID             Logical ID of the Edge that the flow originated from
  VCG_ID             Logical ID of the Gateway
  SEGMENT_ID         ID of the Segment to which the flow belongs
  CLIENT_SRC_ADDR    IP address of the origin host behind the Edge, useful for complete end-to-end tracing
  CLIENT_SRC_PORT    Source port used by the origin host behind the Edge
  VCG_SRC_ADDR       IP address of the public VCG interface used to transmit this flow
  VCG_SRC_PORT       Source port used by the VCG to establish the connection
  DST_ADDR           Original destination address of the traffic
  DST_PORT           Destination port of the traffic
  PROTOCOL           Protocol name
  PKTS_SENT          Packets transferred to the cloud
  BYTES SENT         Bytes transferred to the cloud
  PKTS_RCVD          Packets received from the cloud
  BYTES RCVD         Bytes received from the cloud
  FLOW_DURATION_MS   Duration of the flow (milliseconds)
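As an added example (not code from the VMware documentation or from the Gateway software), the Python below parses NAT event messages carrying the fields in Table 1 and replays them into a lookup table, so that an analyst who holds the post-NAT tuple observed at a destination (VCG source address and port, destination address and port, protocol) can recover the original host behind the Edge. The page lists the fields but not the wire layout, so the KEY=VALUE layout, the underscore form of the counter names (BYTES_SENT, BYTES_RCVD) and the sample log lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines for this example. ASSUMPTION: each NAT event arrives as
# space-separated KEY=VALUE pairs after the syslog header, and the counter fields use
# underscores on the wire. Adjust FIELD_RE and the "natd: " split if a real Gateway
# emits a different layout. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
<134>Jun 12 10:15:01 vcg-1 natd: ACTION=NAT Insert ENTERPRISE_ID=ent-0001 VCE_ID=edge-0a VCG_ID=vcg-1 SEGMENT_ID=0 CLIENT_SRC_ADDR=10.20.30.40 CLIENT_SRC_PORT=51234 VCG_SRC_ADDR=203.0.113.10 VCG_SRC_PORT=40001 DST_ADDR=198.51.100.25 DST_PORT=443 PROTOCOL=TCP
<134>Jun 12 10:15:02 vcg-1 natd: ACTION=NAT Insert ENTERPRISE_ID=ent-0001 VCE_ID=edge-0b VCG_ID=vcg-1 SEGMENT_ID=2 CLIENT_SRC_ADDR=10.20.30.41 CLIENT_SRC_PORT=53011 VCG_SRC_ADDR=203.0.113.10 VCG_SRC_PORT=40002 DST_ADDR=198.51.100.77 DST_PORT=53 PROTOCOL=UDP
<134>Jun 12 10:17:45 vcg-1 natd: ACTION=NAT Delete ENTERPRISE_ID=ent-0001 VCE_ID=edge-0a VCG_ID=vcg-1 SEGMENT_ID=0 CLIENT_SRC_ADDR=10.20.30.40 CLIENT_SRC_PORT=51234 VCG_SRC_ADDR=203.0.113.10 VCG_SRC_PORT=40001 DST_ADDR=198.51.100.25 DST_PORT=443 PROTOCOL=TCP PKTS_SENT=120 BYTES_SENT=18440 PKTS_RCVD=98 BYTES_RCVD=151200 FLOW_DURATION_MS=164000
"""

# KEY=VALUE where VALUE runs until the next " KEY=" or end of line, so values that
# contain spaces (ACTION=NAT Insert) survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# Post-NAT 5-tuple as a destination sees it:
# (VCG_SRC_ADDR, VCG_SRC_PORT, DST_ADDR, DST_PORT, PROTOCOL)
FlowKey = Tuple[str, str, str, str, str]

REQUIRED = ("ACTION", "VCG_SRC_ADDR", "VCG_SRC_PORT", "DST_ADDR", "DST_PORT", "PROTOCOL")


@dataclass
class NatEntry:
    client_src_addr: str   # original (pre-NAT) host behind the Edge
    client_src_port: str
    vce_id: str            # Edge the flow originated from
    segment_id: str


def parse_nat_event(line: str) -> Dict[str, str]:
    """Parse one NAT syslog line into a field dict; raise ValueError if key fields are missing."""
    body = line.split("natd: ", 1)[1] if "natd: " in line else line
    fields = dict(FIELD_RE.findall(body))
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"NAT event missing fields {missing}: {line!r}")
    return fields


def flow_key(ev: Dict[str, str]) -> FlowKey:
    return (ev["VCG_SRC_ADDR"], ev["VCG_SRC_PORT"], ev["DST_ADDR"], ev["DST_PORT"], ev["PROTOCOL"].upper())


class NatTable:
    """Replays NAT Insert/Delete events into live translations plus a history of closed ones."""

    def __init__(self) -> None:
        self.active: Dict[FlowKey, NatEntry] = {}
        # (key, entry or None, delete event) so the counters in the Delete message are kept
        self.closed: List[Tuple[FlowKey, Optional[NatEntry], Dict[str, str]]] = []
        self.orphan_deletes = 0  # Deletes with no matching Insert, e.g. a lost UDP syslog datagram

    def apply(self, line: str) -> Dict[str, str]:
        ev = parse_nat_event(line)
        key = flow_key(ev)
        action = ev["ACTION"].upper().replace(" ", "_")
        if action == "NAT_INSERT":
            self.active[key] = NatEntry(ev.get("CLIENT_SRC_ADDR", "?"), ev.get("CLIENT_SRC_PORT", "?"),
                                        ev.get("VCE_ID", "?"), ev.get("SEGMENT_ID", "?"))
        elif action == "NAT_DELETE":
            entry = self.active.pop(key, None)
            if entry is None:
                self.orphan_deletes += 1
            self.closed.append((key, entry, ev))
        else:
            raise ValueError(f"unknown ACTION {ev['ACTION']!r}")
        return ev

    def who_sent(self, vcg_src_addr: str, vcg_src_port: str,
                 dst_addr: str, dst_port: str, protocol: str) -> Optional[NatEntry]:
        """Given the post-NAT tuple a destination observed, return the original sender while the flow is live."""
        return self.active.get((vcg_src_addr, vcg_src_port, dst_addr, dst_port, protocol.upper()))


def load_log(text: str) -> NatTable:
    table = NatTable()
    for line in text.splitlines():
        if line.strip():
            table.apply(line)
    return table


if __name__ == "__main__":
    t = load_log(SAMPLE_LOG)
    print("live:", t.who_sent("203.0.113.10", "40002", "198.51.100.77", "53", "udp"))
    print("closed flows:", len(t.closed), "orphan deletes:", t.orphan_deletes)
```

The lookup is keyed on the full post-NAT 5-tuple rather than on the VCG source port alone, because a Gateway reuses source ports once a translation is deleted; for the same reason the closed list retains each Delete event, since a question about a connection that has already ended cannot be answered from the live table. A Delete with no preceding Insert is counted instead of discarded, which is a useful signal when the collector is fed over UDP and messages can be lost.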

Troubleshooting

To troubleshoot NAT entry syslog, follow the steps below.
  1. Check the /etc/rsyslog.conf file and verify that the configured server is present with the correct protocol and port.
  2. Check that the iptables rule is installed for the configured server.
  3. Run "tcpdump.sh -ni any host 127.0.0.1 and port 514 -v" and verify that syslog messages are forwarded from natd to rsyslogd.
  4. Run "tcpdump.sh -ni any host <syslog-collector-ip>" and verify that syslog messages are forwarded to the remote syslog server.