您可以使用 VMware Aria Operations for Logs 來檢視 NSX 環境的安全性流量記錄。
- TLS 檢查
- 閘道 IDPS
- URL 篩選
從 NSX 3.2.1 開始,TLS 檢查和閘道 IDPS 可在生產環境中使用,並且完全受支援。在 NSX 3.2.0 中,只在技術預覽模式下才能使用這些功能。如需詳細資訊,請參閱《NSX 版本說明》。
統一安全性記錄
所有安全性類別都以統一安全性記錄格式產生統一安全性流量記錄,並儲存在節點上的單一記錄檔中。此單一記錄將匯出至設定給 VMware Aria Operations for Logs 的 Syslog 伺服器。然後,VMware Aria Operations for Logs 會處理記錄來提供進一步的記錄管理、分析,並使用 NSX 內容套件來顯示記錄。
在 vRealize Log Insight 上顯示記錄
現有 NSX 內容套件中新增了 [NSX - 統一安全性流量記錄] 儀表板。此儀表板顯示圖表 Widget,這些是安全性流量記錄的視覺表示。
VMware Aria Operations for Logs 的內容套件是外掛程式。其中包含與特定一個產品或一組記錄相關的儀表板、擷取的欄位、儲存的查詢及警示。
NSX 內容套件已在 VMware Aria Operations for Logs 市集上推出。
如需有關 VMware Aria Operations for Logs 及如何從內容套件市集安裝內容套件的詳細資訊,請參閱《使用 VMware Aria Operations for Logs》產品文件中的〈從內容套件市集安裝內容套件〉一章。
前 N 個和過去 X 小時
您還可以使用互動式分析和內容套件,查詢 VMware Aria Operations for Logs 中的事件,以獲得過去 X 小時的前 N 個資訊。
遠端記錄伺服器
若要將記錄傳送至遠端記錄伺服器,必須分別在每個節點上為 NSX 應用裝置和 Hypervisor 設定遠端記錄。
如需詳細資訊,請參閱設定遠端記錄。
如果遠端記錄伺服器不接收記錄,請參閱對 Syslog 問題進行疑難排解。
統一安全性記錄格式
cat /var/log/syslog | grep 'unified-logs'
記錄訊息範例:
2021-10-12T09:00:46.192Z nsxedge-18734920-1-mps29 NSX 22621 SYSTEM [nsx@6876 comp="nsx-edge" subcomp="tls-proxy" s2comp="unified-logs" level="INFO"] {"event_type": "fw-flow-terminate-log", "event_trigger": ["fw-rule-log"], "origin": {"fw_type": "gateway", "fw_uuid": "79427614-4a0d-2692-032c-eb4692f717a9", "node_uuid": "ec11a626-f425-3bc2-671d-a656500003b2"}, "flow": {"start": "2021-10-12T09:00:46.723Z", "end": "2021-10-12T09:00:46.773Z", "ip_ver": "ipv4", "flow_id": "0x1e0000704f000018", "src_ip": "192.168.100.160", "src_port": 25700, "dest_ip": "1.1.5.10", "dest_port": 443, "proto": "TCP", "tcp_flags": "", "bytes_toserver": 95, "bytes_toclient": 29873, "reason": "FIN-close", "final_action": "PASS"}, "fw": {"action": "PASS", "rule_id": 1002, "direction": "", "rule_tag": ""}, "http": {"http_method": "", "hostname": "www.facebook.com", "url": "www.facebook.com/benign_pdf1.pdf", "scheme": "", "http_user_agent": "", "status": "", "site_category": ""SOCIAL_NETWORK"", "site_reputation": "Trustworthy"},"tls_inspection": {"action": "PASS", "rule_id": 1008, "domain": "www.facebook.com", "cert_status": "ok", "tls_version_toserver": "TLSv1.2", "cipher_to_server": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "reason": "", "tls_rule_tag": "TLS External Rule"}, "idps": {"action": "PASS", "rule_id": 1007, "ids_profile_id": "00000000-0000-0000-0000-000000000000", "alert_event": ["SOCIAL_NETWORK"], "protocol_event": ["http"]}, "app_id": {"app": ""APP_HTTP", "APP_FACEBOOK", "APP_SSL""}
2021-11-11T04:07:37.489Z nsxedge-18866667-2-NAT-fc-3-nov NSX 27330 SYSTEM [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="unified-logs" level="INFO"] {"event_type": "fw-flow-terminate-log", "event_trigger": ["ids-rule-log"], "origin": {"fw_type": "gateway", "fw_uuid": "544ee558-fad0-e624-019f-e8e3e0472c91", "node_uuid": "dabf16c9-ec11-833c-0c00-8c832f771729"}, "flow": {"start": "2021-11-11T04:07:07.000Z", "end": "2021-11-11T04:07:37.000Z", "ip_ver": "ipv4", "flow_id": "0xd44d00306e0a0004", "src_ip": "1.1.1.10", "src_port": 35714, "dest_ip": "10.142.7.1", "dest_port": 53, "proto": "UDP", "tcp_flags": "FPW", "bytes_toserver": 297878, "bytes_toclient": 71, "pkts_toserver": 71, "pkts_toclient": 1, "reason": "FIN-close", "final_action": "PASS"}, "fw": {"action": "PASS", "rule_id": 2025, "direction": "", "rule_tag": ""}, "l7profile": {"entry_id": "00000000-0000-0000-0000-000000000000", "action": "PASS"}, "http": {"http_method": "", "hostname": "", "url": "", "scheme": "", "http_user_agent": "", "status": "", "site_category": "", "site_reputation": "UNKNOWN"}, "idps": {"action": "IDP_DETECT", "rule_id": 2028, "ids_profile_id": "9872e27a-ead4-4c93-af5f-4df1ec0c73e1", "alert_event": [], "protocol_event": []}, "app_id": {"app": ""APP_DNS""}}
2021-11-08T08:30:59.208Z nsxedge-18866667-2-NAT-fc-3-nov NSX 9495 SYSTEM [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="unified-logs" level="INFO"] {"event_type": "fw-flow-terminate-log", "event_trigger": ["fw-rule-log"], "origin": {"fw_type": "gateway", "fw_uuid": "544ee558-fad0-e624-019f-e8e3e0472c91", "node_uuid": "dabf16c9-ec11-833c-0c00-8c832f771729"}, "flow": {"start": "2021-11-08T08:30:57.000Z", "end": "2021-11-08T08:30:59.000Z", "ip_ver": "ipv4", "flow_id": "0x4001006c04000000", "src_ip": "1.1.1.10", "src_port": 43600, "dest_ip": "13.226.234.18", "dest_port": 80, "proto": "TCP", "tcp_flags": "FREW", "bytes_toserver": 54968, "bytes_toclient": 444, "pkts_toserver": 444, "pkts_toclient": 7, "reason": "FIN-close", "final_action": "PASS"}, "fw": {"action": "PASS", "rule_id": 1004, "direction": "", "rule_tag": ""}, "l7profile": {"entry_id": "e9580107-2749-471c-be82-715d530bf4d4", "action": "PASS"}, "http": {"http_method": "", "hostname": "", "url": "espn.com/", "scheme": "", "http_user_agent": "", "status": "", "site_category": ""SPORTS"", "site_reputation": "TRUSTWORTHY"}, "app_id": {"app": ""APP_HTTP", "APP_ESPN""}}