Beginning with the 4.5 release, Gateways can export NAT information via a remote syslog server or via Telegraf to the desired destination. With NAT information streamed, Operators can determine the original sender of any NAT-applied flow.
- Only Operators and Partners can configure Gateway NAT entry syslog. If an Operator grants Gateway management access to a Partner, the Partner can configure NAT entry syslog.
Note: A maximum of two remote syslog servers can be configured per Gateway.
Procedure (Via Remote Server)
To configure syslog settings for Gateways via a remote server, perform the steps below.
- From the SD-WAN Orchestrator, go to Gateways.
The SD-WAN Gateways page appears.
- Select a Gateway to configure NAT entry syslog.
The Configure Settings page for the selected Gateway appears.
- Scroll down to the Syslog Settings area.
- In the Syslog Settings area, configure the following:
  - Select a Facility in the Facility drop-down menu.
  - In the Tag text box, type in the tags.
  - Enter the IP address of the remote syslog server.
  - Select a protocol from the Protocol drop-down menu.
  - Enter port details in the Port text box.
  - In the Syslog Level drop-down menu, INFO is the only option and is used to stream the NAT entry details entered in the Gateway.
- Click the + button to add another Syslog collector, or click Save Changes.
Procedure (Via Telegraf)
For information about configuring syslog settings via telegraf, see the VMware SD-WAN Gateway Monitoring Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.
See the table below for the fields that are included in the NAT event message.

|Field|Description|
|---|---|
|ACTION|NAT Insert/NAT Delete|
|ENTERPRISE_ID|Enterprise logical ID|
|VCE_ID|Logical ID of the Edge that the flow originated from.|
|VCG_ID|Logical ID of the Gateway|
|SEGMENT_ID|Segment ID to which the flow belongs|
|CLIENT_SRC_ADDR|IP address of the origin host behind the Edge, useful for complete end-to-end tracing.|
|CLIENT_SRC_PORT|Source port used by the origin host behind the Edge.|
|VCG_SRC_ADDR|The IP address of the public VCG interface used to transmit this flow.|
|VCG_SRC_PORT|Source port used by the VCG to establish the connection.|
|DST_ADDR|The original destination address of the traffic.|
|DST_PORT|Destination port of the traffic.|
|PKTS_SENT|Packets transferred to the cloud|
|BYTES SENT|Bytes transferred to the cloud|
|PKTS_RCVD|Packets received from the cloud|
|BYTES RCVD|Bytes received from the cloud|
|FLOW_DURATION_MS|Duration of the flow|
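
The fields above are enough to answer the question this feature exists for: which host behind which Edge was using a given Gateway public address and port at a given time. The following is an added example, not VMware code; the `<ISO time> KEY=value, ...` record layout, the sample records and the function names are assumptions, since this page lists the field names only.

```python
from datetime import datetime

# Constructed records. The "<ISO time> KEY=value, ..." layout is an assumption:
# the page gives field names only, so adapt parse_record() to the real output.
SAMPLE = """\
2024-05-01T10:00:00 ACTION=NAT Insert, ENTERPRISE_ID=ent-1, VCE_ID=edge-a, CLIENT_SRC_ADDR=10.0.1.15, CLIENT_SRC_PORT=51000, VCG_SRC_ADDR=198.51.100.10, VCG_SRC_PORT=40001, DST_ADDR=203.0.113.80, DST_PORT=443
2024-05-01T10:00:30 ACTION=NAT Delete, ENTERPRISE_ID=ent-1, VCE_ID=edge-a, CLIENT_SRC_ADDR=10.0.1.15, CLIENT_SRC_PORT=51000, VCG_SRC_ADDR=198.51.100.10, VCG_SRC_PORT=40001, DST_ADDR=203.0.113.80, DST_PORT=443
2024-05-01T10:05:00 ACTION=NAT Insert, ENTERPRISE_ID=ent-2, VCE_ID=edge-b, CLIENT_SRC_ADDR=10.0.2.77, CLIENT_SRC_PORT=42424, VCG_SRC_ADDR=198.51.100.10, VCG_SRC_PORT=40001, DST_ADDR=203.0.113.80, DST_PORT=443
""".splitlines()

def parse_record(line):
    """Turn '<ISO time> KEY=value, KEY=value, ...' into a dict plus a TS key."""
    ts, _, body = line.strip().partition(" ")
    rec = dict(p.strip().split("=", 1) for p in body.split(",") if "=" in p)
    rec["TS"] = datetime.fromisoformat(ts)
    return rec

def build_intervals(lines):
    """Pair each NAT Insert with its NAT Delete on the public-side 4-tuple."""
    open_flows, intervals = {}, []
    records = sorted((parse_record(l) for l in lines if l.strip()), key=lambda r: r["TS"])
    for rec in records:
        key = (rec["VCG_SRC_ADDR"], rec["VCG_SRC_PORT"], rec["DST_ADDR"], rec["DST_PORT"])
        if rec["ACTION"] == "NAT Insert":
            open_flows[key] = rec
        elif rec["ACTION"] == "NAT Delete" and key in open_flows:
            start = open_flows.pop(key)
            intervals.append((key, start["TS"], rec["TS"], start))
    # An Insert with no Delete yet is a live flow: keep it as an open interval.
    intervals += [(k, r["TS"], None, r) for k, r in open_flows.items()]
    return intervals

def original_sender(intervals, vcg_addr, vcg_port, dst_addr, dst_port, when):
    """Return the Edge-side origin of the flow seen from the cloud at `when`.

    The time check matters because a Gateway source port can be reused by a
    different client later; matching on address and port alone would misattribute.
    """
    key = (vcg_addr, str(vcg_port), dst_addr, str(dst_port))
    wanted = ("ENTERPRISE_ID", "VCE_ID", "CLIENT_SRC_ADDR", "CLIENT_SRC_PORT")
    for k, start, end, rec in intervals:
        if k == key and start <= when and (end is None or when <= end):
            return {f: rec[f] for f in wanted}
    return None

if __name__ == "__main__":
    flows = build_intervals(SAMPLE)
    t = datetime.fromisoformat("2024-05-01T10:06:00")
    print(original_sender(flows, "198.51.100.10", 40001, "203.0.113.80", 443, t))
```

The collector and the system reporting the flow must agree on time for the interval match to be reliable, so keep both on synchronized clocks.
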
- Check the /etc/rsyslog.conf file and verify that the configured server is updated with the correct protocol and port.
- Check that the iptables rule is installed for the configured server.
- Check "tcpdump.sh -ni any host 127.0.0.1 and port 514 -v" and verify that syslog messages are forwarded from natd to rsyslogd.
- Check "tcpdump.sh -ni any host <syslog-collector-ip>" and verify that syslog messages are forwarded to the remote syslog server.