Monitoring VMware NSX Cloud Platform

Overview

TOS Aurora monitors the VMware platform for policy revision changes. For TOS Aurora to show full accountability details (who made the policy changes and when the changes were made), you must also configure the platform to send syslogs.

To see which TOS features are supported for your device, review the feature support table.

Prerequisites

  • Monitoring: You must have a user with read-only permissions for the NSX manager and, for NSX-V, also a user with at least read-only permissions for the vCenter server. See Creating Read-only accounts for NSX devices for details.
  • Provisioning: You must have a user with admin permissions.

By default, changes to unlogged rules do not trigger new revisions on TOS Aurora. Therefore, unlogged changes created by tools such as Service Composer will not trigger a TOS Aurora revision. See Tracking Unlogged Rules for details.

Add a Device

  1. Select VMware NSX > NSX.

  2. Configure the device settings:

    • Name for Display

    • Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.

    • Get revisions from one of the following:

      • NSX Manager IP Address: Enter the IP address of the NSX manager.
      • Offline File: (If available) Revisions are manually uploaded to TOS Aurora for Offline Analysis.
      • vCenter IP Address: For NSX-V devices only, enter the IP address of the vCenter device.
    • NSX Manager Type: The NSX Manager type (NSX-V or NSX-T).

    • Enable Topology: Collects routing information for building the network Interactive Map.

      Topology options for Advanced management mode are configured when you import managed devices.

    • For NSX-T devices, if the device uses dynamic addressing (such as DHCP) or dynamic routing protocols (such as OSPF), select Collect dynamic topology information.

    • ST server: In a distributed deployment, select which TOS Aurora cluster monitors this device.

  3. Click Next.

  4. Configure the TOS Aurora connection to the VMware device, according to the parameters required by the device:

    • Enter admin credentials for the NSX manager.

    • For NSX-V devices only, enter appropriate vCenter details.

    • To use default settings (recommended in most cases), leave the Port number blank.

      The device must be configured to use SSH version 2.

    • Click Retrieve Certificate to set up encrypted communication between TOS Aurora and the VMware device.

      The certificate, and the following message, appear:

      retrieved

      The certificate is retrieved from the vCenter over port 8443.

  5. Click Next.

    The Monitoring Settings page appears.

  6. To use timing settings from the Timing page, select Default. Otherwise, select Custom and configure the monitoring mode and settings:

    • Real-Time Monitoring: Applies only if syslogs are configured. In Custom settings:

      • 'Install policy' interval: When two or more Install Policy events for the same policy occur within this time interval, TOS Aurora combines the events into a single Install Policy revision (Default: 60 seconds).
      • Automatic fetch frequency: Frequency (in minutes) for automatic fetch.
    • Periodic Polling: Select Custom settings and configure the Polling frequency, which is how often TOS Aurora fetches the configuration from each device.

      If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.

  7. Click Next.

  8. Save the configuration.

    The VMware device now appears in the Monitored Devices tree.

Configure a Monitored Device

After you add a device, further configuration options are available.

Options vary depending on your environment.

  • Edit configuration: Use the wizard to modify selected device settings. See Add a Device in this topic.

  • Delete this device: Type yes to confirm that you want to delete the device.

  • Import Logical Routers: Select the Logical Routers to import. Logical Routers are used for topology only.

  • Migrate (ST servers): Available in distributed deployments. Select the server where the device will be monitored and click Migrate.

  • Migrate (Domains): Available in multi-domain deployments. Select the domain where the device will be monitored and click Migrate.

If you see an NSX-T logical router marked as "Unavailable" after an upgrade, see Notes for NSX-T.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices