Unfortunately unlike NSX-V, NSX-T does not have a simple GUI configuration for syslog instead each component needs to be manually configured and that includes the hosts.
Having said that the configuration is pretty simple and I’ll run through how to setup the Managers, Edge nodes and ESXi hosts with a simple Syslog configuration.
NSX-T Manager Configuration
Syslog configuration is done at the command line so the first step is to SSH to our NSX-T manager/s.
I’ll be setting the syslog to use my Log insight server Lablog01 192.168.10.8 via UDP.
Once connected to setup basic syslogging run the command set logging-server 192.168.10.8 proto udp level info
MulNSXT01> set logging-server 192.168.10.8 proto udp level info WARNING - You are configuring udp-based log forwarding. This will send sensitive information unencrypted over the network. The Splunk App for NSX-T only accepts TLS connections.
Edge Node Configuration
The configuration is the same for Edge Nodes so connect to the console or SSH and run the command again
DCA-MulNSXT-ESG01> set logging-server 192.168.10.8 proto udp level info WARNING - You are configuring udp-based log forwarding. This will send sensitive information unencrypted over the network. The Splunk App for NSX-T only accepts TLS connections.
The configuration for ESXi is slightly different and we also want to enable the Firewall logging at the same time so SSH to your hosts and run the following commands
esxcli network firewall ruleset set -r syslog -e true
esxcli system syslog config set –loghost=udp://<log server IP>:<port> esxcli system syslog reload
esxcli system syslog mark -s “This is a test message”
Note the double dash before loghost is not shown in the text above as the blog post removed it for some reason but it is show in the console display below.
[root@DCA-MulComp01:~] esxcli network firewall ruleset set -r syslog -e true [root@DCA-MulComp01:~] esxcli system syslog config set --loghost=udp://192.168.10.8:514 [root@DCA-MulComp01:~] esxcli system syslog reload [root@DCA-MulComp01:~] esxcli system syslog mark -s "This is a test message"
The first two commands configure the firewall logging and the syslog server the third reloads the syslog and the last one is s test message so we can see that syslog is working.
If I log into my Log insight server I can see the test message logged successfully.
To test the firewall is logging I create a simple rule and add a tag to it.
By filtering by the tag I can see the traffic flow was logged.
Checking and Removing Syslog Configuration
To check the syslog configuration from an ESXi host simply run the command esxcli system syslog config get
[root@DCA-MulComp01:~] esxcli system syslog config get Check Certificate Revocation: false Default Network Retry Timeout: 180 Dropped Log File Rotation Size: 100 Dropped Log File Rotations: 10 Enforce SSLCertificates: true Local Log Output: /scratch/log Local Log Output Is Configured: false Local Log Output Is Persistent: true Local Logging Default Rotation Size: 1024 Local Logging Default Rotations: 8 Log To Unique Subdirectory: false Message Queue Drop Mark: 90 Remote Host: udp://192.168.10.8:514 Strict X509Compliance: false
From an NSX-T manager or Edge node run get logging-servers
DCA-MulNSXT-ESG01> get logging-servers Mon Dec 28 2020 UTC 17:37:16.600 192.168.10.8:514 proto udp level info
To clear the syslog configuration from NSX-T managers or Edge nodes run clear logging-servers