Principles
- Given a scenario, utilize information contained in technical support bundles/logs to assist in troubleshooting
- Explain usage of CLI for logging
- Configure Syslog(s)
- Configure logging for Dynamic Routing information
- Log Edge Firewall rule processing information
- Log address translation information
- Log VPN traffic
- Configure basic/advanced Load Balancer logging
- Log DHCP assignments
- Log DNS resolutions
- Log security policy session information
- Download NSX Edge tech support logs
- Generate NSX Manager tech support logs
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- NSX Command Line Interface Reference
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_cli.pdf
- Log Insight
https://www.vmware.com/products/vrealize-log-insight.html
Given a scenario, utilize information contained in technical support bundles/logs to assist in troubleshooting
See Objective 9.4
Explain usage of CLI for logging
Use “show log” commands on NSX Manager, Edges and Control Cluster
Configure Syslog(s)
- NSX Manager:
  - NSX Manager UI
  - Manage -> General -> Syslog Server -> Edit
- NSX Edges
  - Edge -> Manage -> Settings -> Appliance Settings
  - Configuration -> Change Syslog Configuration
- NSX Controller
  - NSX -> Installation and Upgrade -> Management -> NSX Controller Nodes -> Edit
- Distributed Firewall
  - Enable logs at the ESXi host level under Advanced Settings -> Syslog.global.logHost
Configure logging for Dynamic Routing information
Edge -> Manage -> Routing -> Logging Configuration
Log Distributed Firewall rule processing information
- Enable logging on a per-rule basis
Log Edge Firewall rule processing information
- Edge -> Manage -> Firewall
- Edit rule “Action” and select “Log”
Log address translation information
- Edge -> Manage -> NAT
- Select Rule and enable Logging
Log VPN traffic
- Edge -> Manage -> VPN
- Logging Policy -> Enable
Configure basic/advanced Load Balancer logging
- Edge -> Manage -> Load Balancer -> Global Configuration
Basic
Advanced
- Create an application rule for detailed logging
- Application Rules are associated with Virtual Servers
| Description | Rule |
|---|---|
| log the name of the virtual server | capture request header Host len 32 |
| log the amount of data uploaded during a POST | capture request header Content-Length len 10 |
| log the beginning of the referrer | capture request header Referer len 20 |
| server name (useful for outgoing proxies only) | capture response header Server len 20 |
| logging the content-length is useful with “option logasap” | capture response header Content-Length len 10 |
| log the expected cache behaviour on the response | capture response header Cache-Control len 8 |
| the Via header will report the next proxy’s name | capture response header Via len 20 |
| log the URL location during a redirection | capture response header Location len 20 |
Log DHCP assignments
Edge -> Manage -> DHCP -> Enable Logging
Log DNS resolutions
Edge -> Manage -> DNS -> Change DNS Configuration: Enable Logging
Log security policy session information
- NSX -> Service Composer -> Security Policies -> Policy -> Firewall Rules
- Edit Rules and set Log action to “Yes”
Download NSX Edge tech support logs
Edge -> Manage -> Actions -> Download Tech Support Logs
Generate NSX Manager tech support logs
- NSX Manager GUI -> Gear Icon in top right-hand corner
- Select “Download Tech Support Log”
DFW Logs
- DFW Maximums:
- Throughput: 9Gbps
- Concurrent Connections: 1 Million
- New Connections per second: 131,000
Packet Logs
DFW Logfile: /var/log/dfwpktlogs.log
e.g.
2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138
- Cluster ID in the vCenter managed object browser (MOB): domain-c7
- Distributed firewall rule ID: 1002
- Source IP address: 192.168.110.10/138
- Destination IP address: 192.168.110.255/138
The following example shows the results of a ping 192.168.110.10 to 172.16.10.12.
2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.1
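An added example (not from the NSX documentation or the original notes) that parses the packet log format shown above, handling both the `ip/port` form and the port-less `PROTO 1` form, and counts drops per cluster and rule ID. Field names other than the cluster ID, rule ID, source and destination are this example's own labels and are assumptions.

```python
import re
from collections import Counter

# Only cluster, rule_id, src and dst are named on this page; the other
# group names (family, reason, action, direction, length) are assumed labels.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<family>\S+)\s+(?P<reason>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<cluster>[^/\s]+)/(?P<rule_id>\d+)\s+(?P<direction>IN|OUT)\s+"
    r"(?P<length>\d+)\s+(?P<proto>PROTO \d+|\S+)\s+"
    r"(?P<src>\S+?)->(?P<dst>\S+)\s*$"
)

def split_endpoint(value):
    """Split 'ip/port' into (ip, port); ICMP-style entries carry no port."""
    ip, sep, port = value.partition("/")
    return ip, int(port) if sep else None

def parse_line(line):
    """Return a dict for one dfwpktlogs.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule_id"] = int(rec["rule_id"])
    rec["length"] = int(rec["length"])
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
    return rec

def drops_by_rule(lines):
    """Count DROP entries per (cluster, rule_id); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            counts[(rec["cluster"], rec["rule_id"])] += 1
    return counts

# The three sample lines shown on this page, plus one constructed junk line.
SAMPLE = [
    "2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138",
    "2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12",
    "2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.1",
    "not a firewall log line",
]

if __name__ == "__main__":
    for (cluster, rule), n in drops_by_rule(SAMPLE).items():
        print(f"{cluster} rule {rule}: {n} dropped packets")
```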
Audit Logs
- /home/secureall/secureall/logs/vsm.log
- Audit logs include administration logs and Distributed Firewall configuration changes
- System event logs include Distributed Firewall configuration applied, filter created, deleted, or failed, and virtual machines added to security groups, etc.