Configuring a VMware NSX-T Device to Send Syslogs

This topic is intended for TOS Administrators.

Overview

Configure the NSX Manager to send change logs to SecureTrack to receive revisions when firewall rules are changed.

Syslog traffic must be configured to arrive to the TOS cluster that monitors the device - see Sending Additional Information via Syslog.

Run the following command:

set logging-server <host>:514 proto udp level info messageid <messageid> [structured-data update="true"]

Use the parameters as follows:

Parameter	Description
`<host>`	Host name or IP address of the SecureTrack server or Syslog-VIP
`<messageid>`	Use `"FIREWALL"` for imperative APIs, or `"-"` (dash) for declarative APIs
`structured-data`	(Optional) Recommended for enhanced log filtering and parsing

For more information, see official VMware documentation: Configure Remote Logging and Log Message IDs.

To receive firewall rule logs from NSX Distributed Firewall, you must also configure the underlying ESXi hosts to forward syslogs to SecureTrack.

Enable the syslog service:

esxcli network firewall ruleset set -r syslog -e true

Set the syslog server (use the Syslog-VIP or external load balancer IP, depending on your TOS configuration):
```
esxcli system syslog config set --loghost=udp://192.168.40.162:514
```
Restart the syslog service:
```
esxcli system syslog reload
```

ESXi can only send one type of syslog message to a single destination.

Use the NSX UI to enable logging for individual Distributed Firewall rules.

Click the Security tab at the top of the screen.
Click Distributed Firewall under East West Security in the left navigation panel.
Select a firewall rule you want to monitor.
Click the settings (cogwheel) icon next to the rule.

The Settings window opens.
Turn on the Enable toggle next to Logging.
Click Apply.
Click Publish in the top right to apply the changes.