Overview:
Being able to view log information is critical to ensuring the Edge Gateway is functioning as expected. All services that the Edge provides can be logged. The NSX Edge is configured and managed either from the vSphere Web Client or directly via API calls, which can be consumed through a REST API interface or through a customer-written portal such as Zettagrid's MyAccount Portal.
Depending on the service, logging is enabled either service wide or on individual rules:
- DHCP (Service Wide)
- NAT (Individual Rules)
- Firewall (Individual Rules)
- IPSec VPN (Service Wide)
- SSL-VPN Plus (Service Wide)
- Routing (Service Wide)
- Load Balancer (Service Wide)
There are a number of logging levels available:
- Debug
- Alert
- Critical
- Error
- Warning
- Notice
- Info
- Debug
Each level produces a different volume of messages, with Debug being the noisiest.
You can configure one or two remote syslog servers. NSX Edge service events and logs related to firewall events that flow from NSX Edge appliances are sent to those syslog servers. A number of syslog servers are available for download, or you might already have your own flavor deployed in your environment.
DHCP:
Under the DHCP tab, where the service is enabled, check the box and select the logging level.
Routing:
Under the Routing tab, in both Global Configuration and Dynamic Routing Configuration, click the Edit button, check the box and select the logging level.
Load Balancer:
Under the Load Balancer tab, in Global Configuration, click the Edit button, check the box and select the logging level.
VPN:
Under the VPN tab, in IPSec VPN, expand the Logging Policy (you can see the consistency in the Web UI coming through here), check the Enable Logging box and select the logging level. Once that's done, click the Publish Changes button to commit the config.
SSL VPN-Plus:
Under the SSL VPN-Plus tab, in Server Settings, expand the Logging Policy, click the Change button, check the box and select the logging level.
NAT:
Every NAT rule can be logged individually. To enable this, check the Enable Logging box while configuring or editing each NAT rule.
Firewall Rule:
Finally, each firewall rule can be logged individually. Under the Firewall tab, when configuring or modifying the Action of a rule, you have the option to select Log or Do Not Log.
Configuring Syslogging via the NSX API:
Below are the key API commands to configure and manage Logging.
```
#
# ENABLING SYSLOG
# API CALL: https://NSX-MGR-IP/api/4.0/syslog/config
# METHOD: PUT
# CONTENT-TYPE: application/xml

#BASIC DEFAULT
<syslog>
  <protocol>udp</protocol>
  <serverAddresses>
    <ipAddress>192.168.80.2</ipAddress>
  </serverAddresses>
</syslog>

#ALL OPTIONS
<syslog>
  <protocol>udp</protocol> <!-- Optional. Default is "udp". Valid values : tcp|udp -->
  <serverAddresses> <!-- Maximum 2 remote IPs can be configured. -->
    <ipAddress>1.1.1.1</ipAddress>
    <ipAddress>1.1.1.2</ipAddress>
  </serverAddresses>
</syslog>

# CLEAR SYSLOG
# API CALL: https://NSX-MGR-IP/api/4.0/syslog/config
# METHOD: DELETE

#EXAMPLE RESPONSE
None 204 Response Confirmation
```
```
#
# GET SYSLOG
# API CALL: https://NSX-MGR-IP/api/4.0/syslog/config
# METHOD: GET

#EXAMPLE RESPONSE
<syslog>
  <version>6</version>
  <enabled>true</enabled>
  <protocol>udp</protocol>
  <serverAddresses>
    <ipAddress>192.168.80.2</ipAddress>
  </serverAddresses>
</syslog>
```
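The following is an added example, not part of the original post: it builds the `<syslog>` PUT body while enforcing the limits noted in the comments above (tcp|udp, at most two addresses) and audits a GET response against the collectors you expect. The function names are hypothetical, the requirement of at least one address is this example's assumption, and the HTTP call itself is left out so the code runs offline.

```python
import ipaddress
import xml.etree.ElementTree as ET

VALID_PROTOCOLS = {"tcp", "udp"}  # valid values listed in the API comments
MAX_SERVERS = 2                   # "Maximum 2 remote IPs can be configured"

def build_syslog_body(servers, protocol="udp"):
    """Return the <syslog> XML body for the PUT call, or raise ValueError."""
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(VALID_PROTOCOLS)}")
    # Requiring at least one address is an assumption of this example.
    if not 1 <= len(servers) <= MAX_SERVERS:
        raise ValueError(f"between 1 and {MAX_SERVERS} syslog servers required")
    root = ET.Element("syslog")
    ET.SubElement(root, "protocol").text = protocol
    addresses = ET.SubElement(root, "serverAddresses")
    for server in servers:
        # ip_address() raises ValueError on anything that is not a valid IP.
        ET.SubElement(addresses, "ipAddress").text = str(ipaddress.ip_address(server))
    return ET.tostring(root, encoding="unicode")

def audit_syslog_response(xml_text, expected_servers):
    """Compare a GET response with the expected collectors; return findings."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("enabled") or "").strip().lower() != "true":
        findings.append("syslog is not enabled")
    configured = {(e.text or "").strip() for e in root.iter("ipAddress")}
    for missing in sorted(set(expected_servers) - configured):
        findings.append(f"expected collector {missing} is not configured")
    for extra in sorted(configured - set(expected_servers)):
        findings.append(f"unexpected syslog destination {extra}")
    return findings

# Constructed sample: the example GET response from the post.
SAMPLE_GET = """<syslog><version>6</version><enabled>true</enabled>
<protocol>udp</protocol><serverAddresses><ipAddress>192.168.80.2</ipAddress>
</serverAddresses></syslog>"""

if __name__ == "__main__":
    print(build_syslog_body(["192.168.80.2"]))
    print(audit_syslog_response(SAMPLE_GET, ["192.168.80.2", "192.168.80.3"]))
```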
```
#
# DHCP SYSLOG
# API CALL: https://NSX-MGR-IP/api/4.0/dhcp/config
# METHOD: PUT
# CONTENT-TYPE: application/xml

#EXAMPLE CONFIG SNIPPET
<logging>
  <enable>true</enable>
  <logLevel>info</logLevel>
</logging>

# ROUTING SYSLOG
# API CALL: https://NSX-MGR-IP/api/4.0/routing/config/general
# METHOD: PUT
# CONTENT-TYPE: application/xml

#EXAMPLE CONFIG SNIPPET
<logging>
  <enable>true</enable>
  <logLevel>info</logLevel>
</logging>

# LOAD BALANCER SYSLOG
# API CALL: https://NSX-MGR-IP/api/4.0/loadbalancer/config
# METHOD: PUT
# CONTENT-TYPE: application/xml

#EXAMPLE CONFIG SNIPPET
<logging>
  <enable>true</enable>
  <logLevel>info</logLevel>
</logging>

# VPN SYSLOG
# API CALL: https://NSX-MGR-IP/api/4.0/ipsec/config/
# METHOD: PUT
# CONTENT-TYPE: application/xml

#EXAMPLE CONFIG SNIPPET
<logging>
  <enable>true</enable>
  <logLevel>info</logLevel>
</logging>

# SSL VPN-PLUS SYSLOG
# API CALL: https://NSX-MGR-IP/api/4.0/sslvpn/config/
# METHOD: PUT
# CONTENT-TYPE: application/xml

#EXAMPLE CONFIG SNIPPET
<logging>
  <enable>true</enable>
  <logLevel>info</logLevel>
</logging>
```
```
#
# SET NAT LOGGING
# API CALL: https://NSX-MGR-IP/api/4.0/nat/config
# METHOD: PUT

#LOGGING SNIPPET
<nat>
  <natRule>
    ...
    <loggingEnabled>true</loggingEnabled> <!-- Optional. Default is "false" -->
    ...
  </natRule>
</nat>
```
```
# SET FIREWALL LOGGING
# API CALL: https://NSX-MGR-IP/api/4.0/firewall/config/rules/config
# METHOD: PUT

#LOGGING SNIPPET
<rule>
  <ruleTag>1</ruleTag> <!-- Optional. This can be used to specify user controlled ids on VSE. The inputs here should be 1-65536. If
  ...
  <loggingEnabled>true</loggingEnabled> <!-- Optional. Defaults to false -->
  ...
</rule>
```
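Because `<loggingEnabled>` is optional and defaults to false, a rule that omits it produces no syslog events. The added example below (not from the original post) lists the NAT or firewall rules that will not log and reads the service-wide `<logging>` element; the function names, the `<rules>` wrapper and the sample documents are constructed for illustration, and rules are identified by `<ruleTag>` when present, otherwise by position.

```python
import xml.etree.ElementTree as ET

def unlogged_rules(xml_text, rule_tag):
    """Return identifiers of <natRule>/<rule> elements that will not log."""
    root = ET.fromstring(xml_text)
    silent = []
    for position, rule in enumerate(root.iter(rule_tag), start=1):
        # An omitted <loggingEnabled> counts as false, the documented default.
        flag = (rule.findtext("loggingEnabled") or "false").strip().lower()
        if flag != "true":
            tag = (rule.findtext("ruleTag") or "").strip()
            silent.append(tag or f"#{position}")
    return silent

def service_logging(xml_text):
    """Return (enabled, level) from a service-wide <logging> element."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "logging" else root.find(".//logging")
    if node is None:
        return (False, None)  # no <logging> element present at all
    enabled = (node.findtext("enable") or "").strip().lower() == "true"
    level = (node.findtext("logLevel") or "").strip() or None
    return (enabled, level)

# Constructed samples; the <rules> wrapper is a placeholder, not the API schema.
SAMPLE_FIREWALL = """<rules>
  <rule><ruleTag>1</ruleTag><loggingEnabled>true</loggingEnabled></rule>
  <rule><ruleTag>2</ruleTag><loggingEnabled>false</loggingEnabled></rule>
  <rule></rule>
</rules>"""
SAMPLE_NAT = """<nat>
  <natRule><loggingEnabled>true</loggingEnabled></natRule>
  <natRule></natRule>
</nat>"""
SAMPLE_DHCP = ("<dhcp><logging><enable>false</enable>"
               "<logLevel>info</logLevel></logging></dhcp>")

if __name__ == "__main__":
    print("firewall rules not logging:", unlogged_rules(SAMPLE_FIREWALL, "rule"))
    print("NAT rules not logging:", unlogged_rules(SAMPLE_NAT, "natRule"))
    print("DHCP logging:", service_logging(SAMPLE_DHCP))
```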