An NSX administrator is reviewing syslog and notices that Distributed Firewall Rules hit counts are not being logged.
What could cause this issue?
A. Syslog is not configured on the NSX Manager
B. Distributed Firewall Rule Logging is not enabled
C. Zero Trust Security is not enabled
D. Syslog is not configured on the ESXi transport node
http://www.iwan.wiki/The_proper_way_of_configuring_syslog_services_on_NSX-T_components
D is correct
I think D is correct
Enable logging on the Host Transport Nodes (ESXi Hosts)
In order to log Distributed Firewall Rules (DFW) you need to enable commands on the Host Transport nodes (ESXi hosts) themselves. You don't need any logging configuration on the NSX-T Manager, and we tested this by removing the commands on the manager:
nsxapp-01a> del logging-server 192.168.110.24 proto udp level info
nsxapp-01a> get logging-servers
nsxapp-01a>
And we have added the following configuration into the Host Transport nodes:
[root@esxcomp-02a:~] esxcli network firewall ruleset set -r syslog -e true
[root@esxcomp-02a:~] esxcli system syslog config set --loghost=udp://192.168.110.24:514
[root@esxcomp-02a:~] esxcli system syslog reload
[root@esxcomp-02a:~] esxcli system syslog mark -s "This is a test message"
[root@esxcomp-02a:~] esxcli system syslog config get
Default Network Retry Timeout: 180
Dropped Log File Rotation Size: 100
Dropped Log File Rotations: 10
Enforce SSLCertificates: false
Local Log Output: /scratch/log
Local Log Output Is Configured: false
Local Log Output Is Persistent: true
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Message Queue Drop Mark: 90
Remote Host: udp://192.168.110.24:514
We have enabled the DFW firewall and configured a rule with a tag + logging enabled for testing purposes.
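The post above shows the `esxcli system syslog config get` output an administrator would inspect to confirm that a transport node actually forwards logs anywhere. The following Python is an added example, not code from the thread or from the linked blog: it parses that "Key: Value" output (the sample text below is constructed from the values shown above), extracts the configured loghost(s) from the Remote Host field, and returns audit findings (no remote host at all, which is the situation in answer D; a UDP loghost, which is unacknowledged and unencrypted; an ssl:// loghost with certificate enforcement off). The regular expression, the default-port assumptions (514 for udp/tcp, 1514 for ssl) and the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the shape of `esxcli system syslog config get` output,
# using the values shown in the thread.
SAMPLE_CONFIG_GET = """\
Default Network Retry Timeout: 180
Dropped Log File Rotation Size: 100
Dropped Log File Rotations: 10
Enforce SSLCertificates: false
Local Log Output: /scratch/log
Local Log Output Is Configured: false
Local Log Output Is Persistent: true
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Message Queue Drop Mark: 90
Remote Host: udp://192.168.110.24:514
"""

# A loghost entry looks like proto://host[:port]; several may be comma-separated.
LOGHOST_RE = re.compile(r"^(?P<proto>udp|tcp|ssl)://(?P<host>[^:,\s]+)(?::(?P<port>\d+))?$")

# Assumed defaults when the port is omitted (ESXi uses 514 for udp/tcp, 1514 for ssl).
DEFAULT_PORT = {"udp": 514, "tcp": 514, "ssl": 1514}


def parse_config_get(text: str) -> Dict[str, str]:
    """Turn the 'Key: Value' lines of the esxcli syslog config output into a dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # ignore blank or unexpected lines
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def parse_loghosts(value: str) -> List[dict]:
    """Split the Remote Host value into parsed entries, marking unparseable ones."""
    hosts: List[dict] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        m = LOGHOST_RE.match(item)
        if not m:
            hosts.append({"raw": item, "valid": False})
            continue
        proto = m["proto"]
        port = int(m["port"]) if m["port"] else DEFAULT_PORT[proto]
        hosts.append({"raw": item, "valid": True, "proto": proto,
                      "host": m["host"], "port": port})
    return hosts


def audit_remote_logging(text: str) -> List[str]:
    """Return human-readable findings about a transport node's remote syslog setup."""
    cfg = parse_config_get(text)
    findings: List[str] = []
    hosts = parse_loghosts(cfg.get("Remote Host", ""))
    if not hosts:
        # This is the condition behind answer D: DFW rule hits never leave the host.
        findings.append("No remote loghost configured: DFW rule hit logs stay local to the host")
    for h in hosts:
        if not h["valid"]:
            findings.append(f"Unparseable loghost entry: {h['raw']}")
            continue
        if h["proto"] == "udp":
            findings.append(f"Loghost {h['raw']} uses UDP: delivery is unacknowledged and unencrypted")
        if h["proto"] == "ssl" and cfg.get("Enforce SSLCertificates", "").lower() != "true":
            findings.append(f"Loghost {h['raw']} uses ssl but Enforce SSLCertificates is false")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_logging(SAMPLE_CONFIG_GET):
        print(finding)
```

Run against the sample, the audit reports one finding (the UDP loghost); feed it the output of a host with an empty Remote Host line and it reports the missing-loghost condition instead, which is the quickest way to tell apart "rule logging is off" (answer B) from "the host never forwards anything" (answer D).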
The question is "..nsx administrator is REVIEWING syslog..", it means syslog has been configured.
imho, B is the correct answer.
I think B is correct:
https://rutgerblom.com/2019/06/20/nsx-dfw-quick-tip-tag-and-trace/
Syslog is being reviewed, only DFW logging is missing.
I think the answer should be A.
“Firewall generates and stores log files, such as audit logs, rules message logs, and system event logs. You must configure a syslog server for each cluster that has enabled the firewall . The syslog server is specified in the Syslog.global.logHost attribute.”
https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.logging.doc/GUID-6F9DC53E-222D-464B-8613-AB2D517CE5E3.html
C is incorrect