Working with NSX Distributed Firewall, I needed a way to help me audit the impact of a proposed firewall rule on specific systems. In the physical firewall world I would normally create a rule for the traffic and allow it, but log the allow. As I dug into Syslog for the distributed firewall I discovered that firewall log messages are sent to the same Syslog collector as other ESXi messages; firewall messages can't be directed to a security-specific syslog server.
I honestly hadn't spent much time with Log Insight, but I knew we had the lab servers pointed to a Log Insight box so I began to dig around with it. I was honestly impressed with how intuitive and easy to use Log Insight is. The field extraction functionality of Interactive Analytics lets you quickly slice and dice massive amounts of log data exactly as you would like to see it, and I didn't have to learn another query language. Everything "Just Works" and I was able to isolate firewall logs down to specific systems and rule IDs quickly.
Since there doesn't appear to be an official NSX Content Pack for Log Insight yet I wrote a quick community content pack for Distributed Firewall. It can be downloaded from the VMTN Community Forums here.
The pack extracts the Rule ID, Pass/Drop action, Source IP, Source Port, Destination IP, and Destination Port fields. It includes a dashboard with a few charts, and some queries to get you started in Interactive Analytics to slice and dice the syslog data.
Instructions on importing the content pack are here; once it is imported you can select the Distributed Firewall dashboard by clicking on the dashboard menu at the top left.
The built-in queries included on the dashboard are:
- Count of drop events over time grouped by Rule ID
- Count of drops grouped by Source IP
- Count of drops grouped by Destination Port, Destination IP
- Count of Allow-Log events over time grouped by Rule ID
- Count of Allow-Log events grouped by Source IP
- Count of Allow-Log events grouped by Destination IP, Destination Port
For my use case of analyzing the impact of a rule on the environment I would start with the "Count of Allow-Log events grouped by Rule ID" query. Then select the rule ID I'd like to analyze, and add a filter for a specific source IP if I needed to narrow it down further.
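To show what the content pack's field extraction and dashboard queries do under the hood, here is an added Python example (not part of the content pack or the original post) that parses the same fields out of DFW syslog lines and reproduces the grouped counts plus the rule-impact workflow above. The sample lines are constructed, and the regex is modelled on the `dfwpktlogs` message layout as an assumption; adjust it if your NSX version emits a different format.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the NSX-v dfwpktlogs syslog layout (assumption).
SAMPLE_LOGS = """\
2015-03-10T03:22:22.671Z esx-01 dfwpktlogs: 1a7c4d20 INET match PASS domain-c7/1004 IN 60 TCP 10.0.1.15/51234->10.0.2.20/22 S
2015-03-10T03:22:23.102Z esx-01 dfwpktlogs: 1a7c4d20 INET match PASS domain-c7/1004 IN 60 TCP 10.0.1.16/40211->10.0.2.20/22 S
2015-03-10T03:22:24.551Z esx-02 dfwpktlogs: 2b9e1f00 INET match DROP domain-c7/1001 OUT 40 TCP 10.0.3.9/33000->10.0.2.20/3389 S
2015-03-10T03:22:25.003Z esx-02 dfwpktlogs: 2b9e1f00 INET match DROP domain-c7/1001 OUT 40 UDP 10.0.3.9/53001->10.0.2.21/53
2015-03-10T03:22:26.770Z esx-01 dfwpktlogs: 1a7c4d20 INET match PASS domain-c7/1004 IN 60 TCP 10.0.1.15/51235->10.0.2.20/22 S
"""

# Extracts the same fields the content pack does: action, rule ID, source/destination IP and port.
DFW_RE = re.compile(
    r"dfwpktlogs: \S+ INET match (?P<action>PASS|DROP) "
    r"(?P<domain>[\w-]+)/(?P<rule_id>\d+) (?P<direction>IN|OUT) \d+ "
    r"(?P<proto>\w+) (?P<src_ip>[\d.]+)/(?P<src_port>\d+)->(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_dfw_line(line):
    """Return a dict of the extracted DFW fields, or None if the line is not a DFW packet log."""
    m = DFW_RE.search(line)
    return m.groupdict() if m else None

def parse_dfw_logs(text):
    """Parse every line of a syslog capture, silently skipping non-DFW messages (other ESXi logs)."""
    return [r for r in (parse_dfw_line(line) for line in text.splitlines()) if r]

def count_by(records, action, *fields):
    """Count events with the given action grouped by the named fields; mirrors the dashboard queries."""
    return Counter(tuple(r[f] for f in fields) for r in records if r["action"] == action)

def rule_impact(records, rule_id, src_ip=None):
    """The post's workflow: allow-log (PASS) events for one rule, optionally narrowed to a source IP."""
    return [r for r in records
            if r["action"] == "PASS" and r["rule_id"] == rule_id
            and (src_ip is None or r["src_ip"] == src_ip)]

if __name__ == "__main__":
    recs = parse_dfw_logs(SAMPLE_LOGS)
    print("Drops by rule ID:", count_by(recs, "DROP", "rule_id"))
    print("Allow-log by source IP:", count_by(recs, "PASS", "src_ip"))
    print("Drops by destination IP/port:", count_by(recs, "DROP", "dst_ip", "dst_port"))
    for r in rule_impact(recs, "1004", src_ip="10.0.1.15"):
        print("rule 1004 allowed", r["src_ip"], "->", r["dst_ip"], "port", r["dst_port"])
```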
Once I have my lab rebuilt I'll add a short video demo.