Intro
Unfortunately, unlike NSX-V, NSX-T has no central GUI for syslog configuration. Each component has to be configured individually, and that includes the ESXi hosts.
Having said that, the configuration is pretty simple, and I’ll run through how to set up the Managers, Edge nodes and ESXi hosts with a basic syslog configuration.
NSX-T Manager Configuration
Syslog configuration is done at the command line, so the first step is to SSH to the NSX-T Manager(s). The setting is per node, so repeat it on every Manager node in the cluster.
I’ll be sending syslog to my Log Insight server Lablog01 (192.168.10.8) over UDP. Note the warning the CLI prints: UDP forwarding sends the log data, which can include sensitive information, unencrypted across the network, so for production use prefer TLS forwarding or at least keep the traffic on a dedicated management network.
Once connected, run set logging-server 192.168.10.8 proto udp level info to set up basic syslog forwarding:
MulNSXT01> set logging-server 192.168.10.8 proto udp level info
WARNING - You are configuring udp-based log forwarding. This will send sensitive information unencrypted over the network. The Splunk App for NSX-T only accepts TLS connections.
Edge Node Configuration
The configuration is the same for Edge nodes, so connect to the console or SSH to each Edge node and run the same command:
DCA-MulNSXT-ESG01> set logging-server 192.168.10.8 proto udp level info
WARNING - You are configuring udp-based log forwarding. This will send sensitive information unencrypted over the network. The Splunk App for NSX-T only accepts TLS connections.
ESXi Configuration
The configuration for ESXi is slightly different. The outbound syslog traffic also has to be allowed through the ESXi host firewall, so SSH to each host and run the following commands:
esxcli network firewall ruleset set -r syslog -e true
esxcli system syslog config set --loghost=udp://<log server IP>:<port>
esxcli system syslog reload
esxcli system syslog mark -s "This is a test message"
Note the two dashes in --loghost; it is shown correctly in the console output below. Port 514 is the standard syslog UDP port.
[root@DCA-MulComp01:~] esxcli network firewall ruleset set -r syslog -e true
[root@DCA-MulComp01:~] esxcli system syslog config set --loghost=udp://192.168.10.8:514
[root@DCA-MulComp01:~] esxcli system syslog reload
[root@DCA-MulComp01:~] esxcli system syslog mark -s "This is a test message"
The first command opens the syslog ruleset in the ESXi host firewall so the outbound syslog traffic is not blocked, the second sets the remote log host, the third reloads the syslog daemon to pick up the change, and the last one writes a test message so we can confirm that forwarding is working.
If I log into my Log Insight server I can see the test message logged successfully.
To test that the Distributed Firewall is logging, I create a simple rule, enable logging on it and add a tag to it so the entries are easy to find.
Filtering by the tag in Log Insight, I can see the traffic flow was logged. The DFW log entries are generated on the ESXi hosts and leave via the host syslog configured above, so without the host configuration you will see no firewall logs in Log Insight.
Checking and Removing Syslog Configuration
To check the syslog configuration from an ESXi host simply run esxcli system syslog config get:
[root@DCA-MulComp01:~] esxcli system syslog config get
Check Certificate Revocation: false
Default Network Retry Timeout: 180
Dropped Log File Rotation Size: 100
Dropped Log File Rotations: 10
Enforce SSLCertificates: true
Local Log Output: /scratch/log
Local Log Output Is Configured: false
Local Log Output Is Persistent: true
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Message Queue Drop Mark: 90
Remote Host: udp://192.168.10.8:514
Strict X509Compliance: false
From an NSX-T Manager or Edge node run get logging-servers:
DCA-MulNSXT-ESG01> get logging-servers
Mon Dec 28 2020 UTC 17:37:16.600
192.168.10.8:514 proto udp level info
To clear the syslog configuration from NSX-T Managers or Edge nodes run clear logging-servers.
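As an added example (my own script, not part of the original post), here is a small POSIX shell audit that reads the output of esxcli system syslog config get and reports whether a remote log host is set and whether the transport is encrypted. It gives the same warning the NSX-T CLI printed above for the udp:// setting used in this post. The sample text embedded in the script is the config get output shown above; on a live host you would pipe the real command output into audit_syslog_config instead. The ssl:// scheme is what ESXi uses for TLS syslog; treating the literal <none> as "no remote host" is an assumption about how esxcli renders an empty loghost.

```shell
#!/bin/sh
# Audit ESXi remote syslog settings from `esxcli system syslog config get`
# output. Added example, not from the original post.

# Constructed sample: the config get output shown in the post (udp loghost).
SAMPLE_CONFIG='Check Certificate Revocation: false
Default Network Retry Timeout: 180
Enforce SSLCertificates: true
Local Log Output: /scratch/log
Remote Host: udp://192.168.10.8:514
Strict X509Compliance: false'

# Print the value of one "Key: value" line read on stdin (empty if absent).
# Usage: printf '%s\n' "$cfg" | syslog_setting 'Remote Host'
syslog_setting() {
    sed -n "s/^$1: *//p" | tr -d '\r'
}

# Classify a loghost URL by scheme.
# Prints: none | unencrypted | encrypted | unknown
syslog_transport_class() {
    case "$1" in
        ''|'<none>')      echo none ;;        # '<none>' rendering is an assumption
        udp://*|tcp://*)  echo unencrypted ;; # clear-text syslog
        ssl://*)          echo encrypted ;;   # TLS syslog
        *)                echo unknown ;;
    esac
}

# Audit a full config get output passed as $1.
# Exit status: 0 = TLS with certificate enforcement, 1 = configured but weak,
# 2 = no remote host configured.
audit_syslog_config() {
    cfg="$1"
    host=$(printf '%s\n' "$cfg" | syslog_setting 'Remote Host')
    enforce=$(printf '%s\n' "$cfg" | syslog_setting 'Enforce SSLCertificates')
    case "$(syslog_transport_class "$host")" in
        encrypted)
            if [ "$enforce" = true ]; then
                echo "OK: $host forwards over TLS with certificate enforcement"
                return 0
            fi
            echo "WARN: $host forwards over TLS but Enforce SSLCertificates is '$enforce'"
            return 1 ;;
        unencrypted)
            echo "WARN: $host forwards syslog in clear text; prefer ssl://<host>:<port>"
            return 1 ;;
        none)
            echo "FAIL: no remote syslog host configured"
            return 2 ;;
        *)
            echo "WARN: unrecognised loghost '$host'"
            return 1 ;;
    esac
}

# Demonstration against the constructed sample. On a real host:
#   audit_syslog_config "$(esxcli system syslog config get)"
rc=0
audit_syslog_config "$SAMPLE_CONFIG" || rc=$?
echo "audit exit status: $rc"
```

The script only inspects what the host reports, so it does not verify that messages actually arrive at the collector; the esxcli system syslog mark test above is still the end-to-end check.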