If you are not familiar with NSX-T and LogInsight, this blogpost is not for you: It’s an expert-level blog post regarding these products.
When composing or implementing distributed firewall rules, you probably rely on real-time information which are send from the vSphere ESXi hosts to LogInsight for distributed firewall rules which have logging enabled!
A NSX-T content pack for LogInsight exist which helps you to identify the required pieces of information using specific “fields”.
Currently version 4.0.7 of the NSX-T content pack is available, but it contains a flaw/error:
- The ‘vmw_nsxt_firewall_ruleid’ field does not supply you with any information, due a misconfiguration in the ‘appname’-filter.
I’ve resolved this issue, and you can find the updated version of the NSX-T content-pack HERE on my github (no it’s not an official one).
- uninstall the NSX-T content pack from Log-Insight
- download and install my version! (it looks the same .. but this is the working version!).
So now we have a working Loginsight platform, let’s kick things up a notch!
LogInsight is great, but not blissful: It only returns IP information, which you have to manually convert to a DNS record to find out the server name (or search for the IP address in the vCenter UI). When you have found out the server name, you again have to manually find out the matching security groups within the NSX-T UI.
In one word: dreadful ..
well .. NOT ANYMORE:
I’ve created a powershell script, which helps you with the problem mentioned above.
It connects to the NSX-T manager, vCenter server and LogInsight: It will ask you to select a NSX-T DFW Security Policy and one or more related firewall rules.
The script will retrieve all corresponding firewall logs from LogInsight and returns all related information like: DNS name, server names and corresponding security groups in one simple overview.
- By adjusting the timestamp parameter of the Get-LoginsightNSXtEvents powershell cmdlet (lines 430 and 432), you can narrow the search timeline: default is 7 days (7d), but for real-time information I ussually use 6 minutes (6m).
- By adjusting the limit parameter of the Get-LoginsightNSXtEvents powershell cmdlet, you can specify the amount of eventlogs which should be returned. PS be aware that the script will only show you the UNIQUE events!
- By modifying the security group name filter (line 395), you can pre-filter/narrow the returned security group information (which also enhanced the processing time of the script).
This script will transform you from a NSX-t noob into an NSX-T guru, as it will greatly help you with composing and/or implementing your NSX-T distributed firewall rules. Your boss will thank you!
PS .. Yes .. you can modify this script so it can automatically creates exception rules .. (but you didn’t hear this from me).