NSX-T Syslog Configuration

Intro

Unfortunately, unlike NSX-V, NSX-T has no single GUI page for syslog configuration. Each component has to be configured individually, and that includes the ESXi hosts.

Having said that, the configuration is pretty simple, and I'll run through how to set up the Managers, Edge nodes and ESXi hosts with a basic syslog configuration.

NSX-T Manager Configuration

Syslog configuration is done at the command line, so the first step is to SSH to the NSX-T Manager(s).

I'll be pointing syslog at my Log Insight server Lablog01 (192.168.10.8) over UDP.
Once connected, to set up basic syslog forwarding run the command set logging-server 192.168.10.8 proto udp level info

Note the WARNING the CLI prints in the output below: UDP syslog goes over the wire in clear text and is not acknowledged, so a dropped datagram is a lost log line. That is fine for a lab, but for production use proto tls (or li-tls for Log Insight) with the collector's CA certificate loaded on the node instead of udp.

MulNSXT01> set logging-server 192.168.10.8 proto udp level info 
        WARNING - You are configuring udp-based log forwarding. This will send sensitive information unencrypted over the network. The Splunk App for NSX-T only accepts TLS connections.

Edge Node Configuration

The configuration is the same for Edge nodes, so connect to the console or SSH to the node and run the same command:

DCA-MulNSXT-ESG01> set logging-server 192.168.10.8 proto udp level info
        WARNING - You are configuring udp-based log forwarding. This will send sensitive information unencrypted over the network. The Splunk App for NSX-T only accepts TLS connections.

ESXi Configuration

The configuration for ESXi is slightly different. The syslog ruleset in the ESXi host firewall also has to be enabled so the host can send syslog out, so SSH to each host and run the following commands:

esxcli network firewall ruleset set -r syslog -e true
esxcli system syslog config set --loghost=udp://<log server IP>:<port>
esxcli system syslog reload
esxcli system syslog mark -s "This is a test message"

Note the double dash before loghost; it is a long option. The console capture below shows the commands as run against my lab host.

[root@DCA-MulComp01:~] esxcli network firewall ruleset set -r syslog -e true
[root@DCA-MulComp01:~] esxcli system syslog config set --loghost=udp://192.168.10.8:514
[root@DCA-MulComp01:~] esxcli system syslog reload
[root@DCA-MulComp01:~] esxcli system syslog mark -s "This is a test message"

The first command enables the syslog ruleset in the ESXi host firewall so outbound syslog is allowed, the second sets the remote log host, the third reloads the syslog daemon to pick up the change, and the last one writes a test message so we can confirm forwarding is working.
If I log into my Log Insight server I can see the test message logged successfully.

To test that the distributed firewall is logging, I create a simple rule, enable logging on it and give it a tag.

Filtering by that tag in Log Insight, I can see the traffic flow was logged.

Checking and Removing Syslog Configuration

To check the syslog configuration on an ESXi host, run esxcli system syslog config get:

[root@DCA-MulComp01:~] esxcli system syslog config get
   Check Certificate Revocation: false
   Default Network Retry Timeout: 180
   Dropped Log File Rotation Size: 100
   Dropped Log File Rotations: 10
   Enforce SSLCertificates: true
   Local Log Output: /scratch/log
   Local Log Output Is Configured: false
   Local Log Output Is Persistent: true
   Local Logging Default Rotation Size: 1024
   Local Logging Default Rotations: 8
   Log To Unique Subdirectory: false
   Message Queue Drop Mark: 90
   Remote Host: udp://192.168.10.8:514
   Strict X509Compliance: false

On an NSX-T Manager or Edge node, run get logging-servers:

DCA-MulNSXT-ESG01> get logging-servers 
Mon Dec 28 2020 UTC 17:37:16.600
192.168.10.8:514 proto udp level info

To clear the syslog configuration from NSX-T Managers or Edge nodes, run clear logging-servers.
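As an added example that is not part of the original post, here is a small POSIX shell script that reads the output of esxcli system syslog config get and of the NSX-T get logging-servers command (captured as text; the two samples embedded below are constructed from the console output in this post) and flags nodes that still forward over plain UDP or TCP, which is exactly what the WARNING printed by the NSX-T CLI is about. It also prints the three esxcli commands from the ESXi section with an ssl:// collector filled in. The function names, the 1514 collector port, and the assumption that the collector's CA is already trusted by the host are mine, not the post's; the script only builds the esxcli commands, it does not run them or contact any host.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the syslog transport that an
# ESXi host ("esxcli system syslog config get") and an NSX-T node ("get logging-servers")
# report, and print the esxcli commands for a TLS (ssl://) collector instead of UDP.
# Nothing here talks to a host; the inputs are captured command output passed as text.

# Constructed sample, trimmed from the "esxcli system syslog config get" capture in the post.
ESXI_SAMPLE='   Check Certificate Revocation: false
   Enforce SSLCertificates: true
   Local Log Output: /scratch/log
   Remote Host: udp://192.168.10.8:514
   Strict X509Compliance: false'

# Constructed sample, from the "get logging-servers" capture on the Edge node in the post.
NSX_SAMPLE='Mon Dec 28 2020 UTC 17:37:16.600
192.168.10.8:514 proto udp level info'

# esxi_transport <captured output>
# Prints the URL scheme of the "Remote Host" line (udp, tcp or ssl), or "none"
# when no remote host is configured (ESXi prints "<none>" there, which has no scheme).
esxi_transport() {
    scheme=$(printf '%s\n' "$1" | sed -n 's/^ *Remote Host: *\([a-z]*\):\/\/.*$/\1/p')
    if [ -n "$scheme" ]; then
        printf '%s\n' "$scheme"
    else
        printf 'none\n'
    fi
}

# nsx_transport <captured output>
# Prints the "proto" value of every logging-server line (one per line); the
# timestamp line that the NSX-T CLI prints first carries no proto and is skipped.
nsx_transport() {
    printf '%s\n' "$1" | sed -n 's/^.* proto \([a-z-]*\) .*$/\1/p'
}

# rate_transport <scheme>
# Classifies a transport: "ok" for the encrypted options, "cleartext" for udp/tcp,
# "unconfigured" when nothing is set. This is the check behind the WARNING the
# NSX-T CLI prints when you choose proto udp.
rate_transport() {
    case "$1" in
        ssl|tls|li-tls) printf 'ok\n' ;;
        udp|tcp)        printf 'cleartext\n' ;;
        none|'')        printf 'unconfigured\n' ;;
        *)              printf 'unknown\n' ;;
    esac
}

# esxi_syslog_commands <collector ip> <port> <scheme>
# Prints the three esxcli commands from the post with the chosen transport filled in.
# For ssl:// the collector's CA must already be trusted by the host (assumption:
# that step is done separately and is not part of this script).
esxi_syslog_commands() {
    printf 'esxcli network firewall ruleset set -r syslog -e true\n'
    printf 'esxcli system syslog config set --loghost=%s://%s:%s\n' "$3" "$1" "$2"
    printf 'esxcli system syslog reload\n'
}

# Walk the constructed samples the way you would walk a list of captured hosts.
esxi_scheme=$(esxi_transport "$ESXI_SAMPLE")
printf 'DCA-MulComp01 (ESXi): %s -> %s\n' "$esxi_scheme" "$(rate_transport "$esxi_scheme")"
for proto in $(nsx_transport "$NSX_SAMPLE"); do
    printf 'DCA-MulNSXT-ESG01 (Edge): %s -> %s\n' "$proto" "$(rate_transport "$proto")"
done
printf '\nTo move DCA-MulComp01 to TLS (port 1514 is an assumed collector port):\n'
esxi_syslog_commands 192.168.10.8 1514 ssl
```

To use this against real hosts, capture the two commands' output over SSH into files and pass each file's contents to esxi_transport or nsx_transport; anything rated cleartext is a node still sending logs unencrypted.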
