How to export NSX-T firewall logs to a SIEM
Easily the most common question I hear from people considering NSX for its firewall capabilities is: "Can I send logs from NSX to Splunk (or my SIEM of choice)?"
Thankfully, the answer is yes. Unfortunately, it's not the most straightforward process, so in today's post I'll walk through how to do it. Let's jump right in!
It's important to note that to send syslog from NSX, you have to configure it at multiple points within NSX-T. The places we'll have to touch are:
Your NSX-T Manager
Your NSX-T Edge Nodes
Your NSX-T Transport Nodes (i.e. your ESXi hosts)
Also, don't forget to enable logging on your actual firewall rules/policy! Without the per-rule logging toggle there are no rule-hit messages to forward, no matter how well syslog is configured.
I find it easiest to just start at the top of the list and work our way down - so let's start with the NSX-T Manager and go from there.
Configuring Syslog on NSX-T Manager & Edge Nodes
It's critical to note that the process for setting up syslog on the NSX-T Manager is the same as on the Edge nodes. Syslog config is NOT pushed to the Edge nodes by the Manager, so make sure you do both if you also want logs for your T0/T1 gateway services (including the gateway firewall, which runs on the Edges).
SSH into your NSX-T Manager & Edge Nodes
Access the NSX CLI (you'll see an "nsx>" style prompt on the Manager, and a regular SSH prompt on your Edge nodes)
set logging-server <SIEM-or-Syslog Server IP> proto udp level info facility local6 messageid SYSTEM,FABRIC
(The target can also be given as <IP>:<port>; without a port, syslog's default 514 is used. proto accepts udp, tcp or tls, and the messageid list is comma-separated.)
Confirm the configuration by issuing "get logging-servers".
NOTE: If you make a mistake, or want to clear the syslog config, you can use "clear logging-servers".
NOTE on messageids: If you're unsure which messageids to select, the official NSX-T documentation lists which messageids are tied to which events. For the firewall use case specifically, SYSTEM and FABRIC alone will not carry rule hits from the Edges; add FIREWALL-PKTLOG to the list (or use ALL while you validate the pipeline, then narrow it down).
It's worth mentioning that the above sends plain UDP syslog, so the log stream is neither encrypted nor authenticated and can be spoofed or dropped silently. If you want syslog over TLS with certificates, use proto tls; the official NSX-T documentation walks you through loading the CA and client certificates before you point the Manager and Edges at the server.
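Before wiring up parsers in the SIEM it helps to know exactly what the command above produces on the wire. The script below is an added example for this post, not code from the original article or from NSX-T: it computes the syslog PRI that "facility local6" plus "level info" yields (182), parses RFC 5424 lines, and checks each one against the facility, level and messageid filter you configured. It assumes NSX-T frames messages as RFC 5424 with the NSX message ID (SYSTEM, FABRIC, FIREWALL-PKTLOG, ...) in the MSGID field; the sample lines are constructed to follow that layout and are not captured from a real system, and the firewall message body is illustrative only.

```python
"""
Sanity-check syslog lines a SIEM receives from NSX-T Manager / Edge nodes after:
    set logging-server <ip> proto udp level info facility local6 messageid SYSTEM,FABRIC

Added example for this post, not code from the original article or from NSX-T.
Assumptions: NSX-T sends RFC 5424 framed messages and the MSGID field carries the
NSX message ID. The SAMPLES below are constructed, not real captures.
"""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# RFC 5424 facility and severity codes (PRI = facility * 8 + severity)
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI value that appears as '<PRI>' for a given facility/level."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)


@dataclass
class SyslogMsg:
    facility: int
    severity: int
    host: str
    app: str
    msgid: str
    sd: str
    msg: str


def parse(line: str) -> Optional[SyslogMsg]:
    """Parse one RFC 5424 line; return None if it is not well formed."""
    m = RFC5424.match(line.rstrip("\r\n"))
    if m is None:
        return None
    p = int(m["pri"])
    if p > 191:  # highest legal PRI is facility 23 * 8 + severity 7
        return None
    return SyslogMsg(p // 8, p % 8, m["host"], m["app"], m["msgid"],
                     m["sd"], m["msg"] or "")


def check(line: str, facility: str = "local6", level: str = "info",
          msgids: Iterable[str] = ("SYSTEM", "FABRIC")) -> Tuple[bool, str]:
    """
    Does this line match the logging-server settings?  'level info' means info
    and anything more severe (lower number); 'messageid ALL' accepts every ID.
    """
    msg = parse(line)
    if msg is None:
        return False, "not RFC 5424"
    if msg.facility != FACILITIES[facility]:
        return False, f"facility {msg.facility} != {facility}"
    if msg.severity > SEVERITIES[level]:
        return False, f"severity {msg.severity} below {level}"
    wanted = set(msgids)
    if "ALL" not in wanted and msg.msgid not in wanted:
        return False, f"msgid {msg.msgid} not in {sorted(wanted)}"
    return True, "ok"


# Constructed sample lines (not real captures) in the shape NSX-T uses.
SAMPLES = [
    '<182>1 2021-03-01T12:00:00.123Z nsxmgr-01 NSX 4242 SYSTEM '
    '[nsx@6876 comp="nsx-manager" subcomp="node-mgmt" level="INFO"] Service started',
    '<180>1 2021-03-01T12:00:01.456Z nsxmgr-01 NSX 4242 FABRIC '
    '[nsx@6876 comp="nsx-manager" subcomp="manager" level="WARNING"] Transport node degraded',
    '<182>1 2021-03-01T12:00:02.789Z nsxedge-01 NSX 1717 FIREWALL-PKTLOG '
    '[nsx@6876 comp="nsx-edge" subcomp="datapathd" level="INFO"] '
    'rule 1031 PASS TCP 10.0.1.10:51000 -> 10.0.2.20:443 (body illustrative)',
    '<14>1 2021-03-01T12:00:03.000Z esxi-01 Hostd - - - user/info, wrong facility',
    'this is not syslog at all',
]


def listen(port: int = 514, count: int = 10) -> None:
    """Receive `count` UDP datagrams and run check() on each (manual use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (src, _) = s.recvfrom(65535)
            ok, why = check(data.decode("utf-8", "replace"))
            print(f"{src}: {'OK  ' if ok else 'DROP'} {why}")


if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample), sample[:60])
```

Run it as-is to see the constructed samples evaluated; the FIREWALL-PKTLOG line is rejected under the default messageid SYSTEM,FABRIC, which is exactly why the gateway firewall logs "never show up" in a SIEM that keys on the message ID until FIREWALL-PKTLOG (or ALL) is added. listen() turns the same check into a throwaway receiver you can point a Manager or Edge at (bind to a port above 1024 if you are not root) to confirm packets actually arrive before blaming the SIEM's parser.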
Next, you'll want to configure syslog on your ESXi hosts following the process below on each host.
Configuring Syslog on your ESXi hosts
SSH into your ESXi host
esxcli network firewall ruleset set -r syslog -e true (allow outbound syslog through the ESXi firewall)
esxcli system syslog config set --loghost=udp://<log server IP>:<port> (514 is syslog's default; tcp:// and ssl:// are also accepted if you want a reliable or encrypted transport)
Confirm the config: esxcli system syslog config get
Reload the syslog daemon so the new loghost takes effect, then generate a test message to your SIEM/syslog server:
esxcli system syslog reload
esxcli system syslog mark -s "This is a test"
The distributed firewall rule hits themselves land in /var/log/dfwpktlogs.log on each host, so if the test mark arrives but no firewall events do, go back and check that logging is enabled on the rules.
I hope you found this useful and now have syslog flowing from NSX-T to your SIEM or syslog server (such as vRealize Log Insight). If you're still in the process of operationalizing NSX-T and want some additional help, be sure to check out my YouTube channel.