A couple of years ago I wrote this post, https://vdives.com/2020/12/28/nsx-t-syslog-configuration/, to cover the configuration of syslog on the NSX Managers and Edge Nodes, as at the time there was no way to configure it within the UI. Instead it had to be done manually on each Edge Node and on the NSX Manager. While this wasn’t too bad, it all depends on how many Edges you have, and as a manual process it is prone to typos and misconfiguration.
VMware, I presume, were aware of this issue, and in release 3.2 they added the ability to set this configuration in the UI instead. Unless you read the release notes or went through the 3.2 admin guide, it is possible you are not aware of this feature; I still see deployments that have configured syslog the old way rather than via the UI.
Having said that, the UI method applies the same settings to all Managers and Edges, so there is still a viable reason for doing it manually, for example if you require different settings for different Edges.
Manual Syslog configuration
As a brief reminder, here is how we set and check the syslog configuration on the NSX Manager:
    NSXTMan01> set logging-server 192.168.10.8 proto udp level info
    WARNING - You are configuring udp-based log forwarding. This will send sensitive information unencrypted over the network. The Splunk App for NSX-T only accepts TLS connections.
    NSXTMan01> get logging-servers
    Fri Jan 20 2023 UTC 11:32:36.970
    192.168.10.8:514 proto udp level info exporter_name 878f1e3d-eac1-4028-bc13-f9b0bafb10f4
This is how we manually set the syslog configuration on an Edge, which is the same process as on a Manager.
    DCA-EN01a> set logging-server 192.168.10.8 proto udp level info
    WARNING - You are configuring udp-based log forwarding. This will send sensitive information unencrypted over the network. The Splunk App for NSX-T only accepts TLS connections.
    DCA-EN01a> get logging-servers
    Fri Jan 20 2023 UTC 11:33:27.389
    192.168.10.8:514 proto udp level info exporter_name 8f7ac42f-f6cc-4ef9-a31d-aa9be731cb20
We can also set and check the NTP settings from the CLI. Below is the current NTP setting for my Manager.
    NSXTMan01> get ntp-server
    Fri Jan 20 2023 UTC 11:36:39.023
    192.168.10.4
Syslog via the UI
OK, so let's set up syslog via the UI. Navigate to System > Fabric > Profiles > Node Profiles, select All NSX Nodes, then under Syslog Servers click +ADD.
Enter the IP or FQDN of the syslog server, the Port and Protocol, and the desired Log Level, then click ADD.
This configuration will be pushed to the NSX Managers and the Edges. Note that it will overwrite any setting that is already there. Below we can see the NSX Manager is now set to log to 192.168.10.10 with log level notice. When we first checked, the syslog server was set to 192.168.10.8 with log level info, so the configuration has been replaced.
    NSXTMan01> get logging-servers
    Fri Jan 20 2023 UTC 11:40:25.843
    192.168.10.10:514 proto udp level notice exporter_name 5cc8a934-90ac-4c82-ad1c-3bda76c7673c
The same can be seen for the Edge.
    DCA-EN01a> get logging-servers
    Fri Jan 20 2023 UTC 11:40:33.095
    192.168.10.10:514 proto udp level notice exporter_name 06aa820b-490d-4922-a698-5e6725c2a543
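Because the node profile overwrites manual settings and some nodes may still carry the old ones, it is worth checking the `get logging-servers` output from every node against what the profile should have pushed. The Python below is an added example, not part of the original post or any VMware tooling; the function names and the `EXPECTED` profile are hypothetical, and the sample captures are constructed from the sessions shown in this post.

```python
import re

# Exporter entry as printed by `get logging-servers` in this post, e.g.
#   192.168.10.10:514 proto udp level notice exporter_name <uuid>
ENTRY_RE = re.compile(
    r"(?P<server>\S+):(?P<port>\d+)\s+proto\s+(?P<proto>\S+)\s+"
    r"level\s+(?P<level>\S+)\s+exporter_name\s+(?P<exporter>\S+)"
)

def parse_logging_servers(output):
    """Return one dict per exporter; prompt and timestamp text is ignored."""
    exporters = []
    for m in ENTRY_RE.finditer(output):
        entry = m.groupdict()
        entry["port"] = int(entry["port"])
        exporters.append(entry)
    return exporters

def audit_node(node, output, expected):
    """Compare a node's exporters with the expected node-profile settings."""
    exporters = parse_logging_servers(output)
    if not exporters:
        return [f"{node}: no logging server configured"]
    findings = []
    for e in exporters:
        if {k: e[k] for k in expected} != expected:
            findings.append(
                f"{node}: drift, has {e['server']}:{e['port']} {e['proto']}/{e['level']}")
        if e["proto"] == "udp":  # the CLI itself warns that udp is unencrypted
            findings.append(f"{node}: {e['server']} uses udp, logs are sent unencrypted")
    return findings

# Hypothetical expected profile, using the values entered in the UI in this post.
EXPECTED = {"server": "192.168.10.10", "port": 514, "proto": "udp", "level": "notice"}

# Constructed captures: the Manager after the UI push, the Edge still set manually.
SAMPLES = {
    "NSXTMan01": "Fri Jan 20 2023 UTC 11:40:25.843\n"
                 "192.168.10.10:514 proto udp level notice exporter_name 5cc8a934-90ac-4c82-ad1c-3bda76c7673c",
    "DCA-EN01a": "Fri Jan 20 2023 UTC 11:33:27.389\n"
                 "192.168.10.8:514 proto udp level info exporter_name 8f7ac42f-f6cc-4ef9-a31d-aa9be731cb20",
}

def audit_all(samples=SAMPLES, expected=EXPECTED):
    return [f for node, out in samples.items() for f in audit_node(node, out, expected)]

if __name__ == "__main__":
    print("\n".join(audit_all()))
```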
NTP UI setting
We can also change the NTP and SNMP settings here. I am adding two NTP servers: click EDIT under the Summary section.
Select the Timezone, then add the NTP Servers and click SAVE.
We can now see the configured NTP servers.
If we check our Manager we can see the two NTP servers configured:
    NSXTMan01> get ntp-server
    Fri Jan 20 2023 UTC 11:42:44.650
    192.168.10.4 192.168.10.5
And on the Edge.
    DCA-EN01a> get ntp-server
    Fri Jan 20 2023 UTC 11:42:42.166
    192.168.10.4 192.168.10.5
Any new Edges that are deployed to the system will automatically get the settings configured here, so it saves a lot of hassle and potential user input errors. Remember, though, that if you need different settings you still have to do all this manually at the CLI.
One thought to “NSX-T Syslog Configuration Revisited”
Thanks for the article. I have been trying to send Transport Node (ESXi) to Cribl. When setting it on the ESXi host using the ESXCLI command, we don’t see DFW logs. Should we be seeing these logs come through by default?
Would the setting in the UI help us instead of doing it manually on each host?