Objective 9.5 – Administer Logging

Principles

  1. Given a scenario, utilize information contained in technical support bundles/logs to assist in troubleshooting
  2. Explain usage of CLI for logging
  3. Configure Syslog(s)
  4. Configure logging for Dynamic Routing information
  5. Log Edge Firewall rule processing information
  6. Log address translation information
  7. Log VPN traffic
  8. Configure basic/advanced Load Balancer logging
  9. Log DHCP assignments
  10. Log DNS resolutions
  11. Log security policy session information
  12. Download NSX Edge tech support logs
  13. Generate NSX Manager tech support logs

References

  1. NSX Administration Guide
     http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
  2. NSX Command Line Interface Reference
     http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_cli.pdf
  3. Log Insight
     https://www.vmware.com/products/vrealize-log-insight.html

Given a scenario, utilize information contained in technical support bundles/logs to assist in troubleshooting

See Objective 9.4

Explain usage of CLI for logging

Use “show log” commands on NSX Manager, Edges and Control Cluster

Configure Syslog(s)

  • NSX Manager
    • NSX Manager UI
    • Manage -> General -> Syslog Server -> Edit

  • NSX Edges
    • Edge -> Manage -> Settings -> Appliance Settings
    • Configuration -> Change Syslog Configuration

  • NSX Controller
    • NSX -> Installation and Upgrade -> Management -> NSX Controller Nodes -> Edit

  • Distributed Firewall
    • Enable logs at the ESXi host level under Advanced Settings -> Syslog.global.logHost

Configure logging for Dynamic Routing information

Edge -> Manage -> Routing -> Logging Configuration

Log Distributed Firewall rule processing information

  • Enable logging on a per-rule basis

Log Edge Firewall rule processing information

  • Edge -> Manage -> Firewall
  • Edit rule “Action” and select “Log”

Log address translation information

  • Edge -> Manage -> NAT
  • Select Rule and enable Logging

Log VPN traffic

  • Edge -> Manage -> VPN
  • Logging Policy -> Enable

Configure basic/advanced Load Balancer logging

Basic

  • Edge -> Manage -> Load Balancer -> Global Configuration

Advanced

  • Create an application rule for detailed logging
  • Application Rules are associated with Virtual Servers

  Description                                                  | Rule
  -------------------------------------------------------------|---------------------------------------------
  log the name of the virtual server                           | capture request header Host len 32
  log the amount of data uploaded during a POST                | capture request header Content-Length len 10
  log the beginning of the referrer                            | capture request header Referer len 20
  server name (useful for outgoing proxies only)               | capture response header Server len 20
  logging the content-length is useful with “option logasap”   | capture response header Content-Length len 10
  log the expected cache behaviour on the response             | capture response header Cache-Control len 8
  the Via header will report the next proxy’s name             | capture response header Via len 20
  log the URL location during a redirection                    | capture response header Location len 20

Log DHCP assignments

Edge -> Manage -> DHCP -> Enable Logging

Log DNS resolutions

Edge -> Manage -> DNS -> Change DNS Configuration: Enable Logging

Log security policy session information

  • NSX -> Service Composer -> Security Policies -> Policy -> Firewall Rules
  • Edit Rules and set Log action to “Yes”

Download NSX Edge tech support logs

Edge -> Manage -> Actions -> Download Tech Support Logs

Generate NSX Manager tech support logs

  • NSX Manager GUI -> Gear Icon in top right-hand corner
  • Select “Download Tech Support Log”

DFW Logs

  • DFW Maximums:
    • Throughput: 9Gbps
    • Concurrent Connections: 1 Million
    • New Connections per second: 131,000

Packet Logs

DFW Logfile: /var/log/dfwpktlogs.log

e.g.

2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138

  • Cluster ID in the vCenter managed object browser (MOB): domain-c7
  • Distributed firewall rule ID: 1002
  • Source IP address and port: 192.168.110.10/138
  • Destination IP address and port: 192.168.110.255/138

The following example shows the results of a ping from 192.168.110.10 to 172.16.10.12 (ICMP is logged as PROTO 1 with no ports):

2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
2015-03-10T03:20:35.794Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.1
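Working through the dfwpktlogs.log format above, here is an added parser (example code, not from the NSX documentation) that extracts the cluster MOB id, rule id, direction, protocol and endpoints from each line and counts drops per rule; the sample lines are constructed in the same format as the ones shown above, and the PASS/TCP line is an assumption about how an allowed flow is logged.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in the dfwpktlogs.log format shown above (not a real capture).
SAMPLE_LOG = """\
2015-03-10T03:22:22.671Z INET match DROP domain-c7/1002 IN 242 UDP 192.168.110.10/138->192.168.110.255/138
2015-03-10T03:20:31.274Z INET match DROP domain-c27/1002 IN 60 PROTO 1 192.168.110.10->172.16.10.12
2015-03-10T03:20:35.794Z INET match PASS domain-c27/1001 OUT 52 TCP 172.16.10.12/49152->192.168.110.10/443
"""

# <ts> INET|INET6 match <ACTION> <cluster>/<rule> IN|OUT <len> <proto> <src>[/<port>]-><dst>[/<port>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) INET6? match (?P<action>[A-Z]+) (?P<cluster>domain-c\d+)/(?P<rule>\d+) "
    r"(?P<direction>IN|OUT) (?P<length>\d+) (?P<proto>PROTO \d+|[A-Z]+) "
    r"(?P<src>[0-9A-Fa-f.:]+)(?:/(?P<sport>\d+))?->(?P<dst>[0-9A-Fa-f.:]+)(?:/(?P<dport>\d+))?$"
)

@dataclass
class DfwEvent:
    timestamp: str
    action: str            # DROP or PASS
    cluster: str           # vCenter MOB cluster id, e.g. domain-c7
    rule_id: int           # distributed firewall rule id
    direction: str         # IN or OUT
    length: int            # packet length in bytes
    proto: str             # UDP, TCP, or "PROTO <n>" for other protocols (1 = ICMP)
    src: str
    sport: Optional[int]   # None when the protocol has no ports (e.g. ICMP)
    dst: str
    dport: Optional[int]

def parse_line(line: str) -> Optional[DfwEvent]:
    """Parse one dfwpktlogs.log line; return None for lines that are not packet logs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    for key in ("rule", "length", "sport", "dport"):   # numeric fields; ports may be absent
        g[key] = int(g[key]) if g[key] is not None else None
    return DfwEvent(g["ts"], g["action"], g["cluster"], g["rule"], g["direction"],
                    g["length"], g["proto"], g["src"], g["sport"], g["dst"], g["dport"])

def parse_log(text: str) -> List[DfwEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def drops_by_rule(events: List[DfwEvent]) -> Counter:
    """Count DROP events per (cluster, rule id): the first check when a rule blocks traffic unexpectedly."""
    return Counter((e.cluster, e.rule_id) for e in events if e.action == "DROP")
```

Feed it the real file from a host and the (cluster, rule id) pairs with the highest drop counts point straight at the rules to review in the DFW UI.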

Audit Logs

  • /home/secureall/secureall/logs/vsm.log
    • Audit logs include administration logs and Distributed Firewall configuration changes
    • System event logs include Distributed Firewall configuration applied, filters created, deleted, or failed, virtual machines added to security groups, etc.