Installing a VMware Aria Operations for Logs Content Pack for NSX


Installing a VMware Aria Operations for Logs Content Pack for NSX is an article that shows how to install the content pack for NSX in VMware Aria Operations for Logs.

Before we start, note that we have already written some articles about VMware Aria Operations for Logs.

The first one is How to Deploy VMware Aria Operations for Logs. That article explains what it is and how to install it:
How to Deploy VMware Aria Operations for Logs – DPC Virtual Tips

The second one is Clustering VMware Aria Operations for Logs. Here, we can create a cluster of VMware Aria Operations for Logs:
Clustering VMware Aria Operations for Logs – DPC Virtual Tips

If you do not know about that, it is a good idea to check each one before continuing to read this post!

What is a Content Pack?

A content pack is like an add-on that we can install in the VMware Aria Operations for Logs. Inside it, we have dashboards, extracted fields, saved queries, and alerts that are used to analyze all logs redirected from a VMware Aria Operations instance.

In simple words, a content pack is a simple way to process your log files and show them to you in a structured way!

When we deploy VMware Aria Operations for Logs, some content packs are included by default. We can also check all available content packs and install them based on our needs.

We can access the “Content Pack Marketplace” and search for the content pack that we need:

In addition to the marketplace, you can manually import a content pack by selecting the option “IMPORT CONTENT PACK”:

Installing the NSX Content Pack

To install the NSX content pack, access the menu Content Packs –> Marketplace –> Under the search box type NSX –> and select the content pack “VMware-NSX”, as we can see in the picture below:

Accept the license agreement and click on “INSTALL”:

Here, we have all the necessary instructions for the NSX components to send logs to the VMware Aria Operations for Logs.
For the NSX Manager Appliance, we have a configuration. For the Host Transport Nodes (ESXi or KVM), we have another configuration:

In the box below, it is possible to find the entire “NSX Setup Instructions” (I copied them from the GUI pop-up and pasted here):

1. NSX appliance configuration:
Use NSX Command-Line Interface (CLI) to configure rsyslog server or VMware Aria Operations for Logs Agent for each components to send log messages to VMware Aria Operations for Logs server:
   # set logging-server <VMware Aria Operations for Logs server[:port]> proto <tcp|udp|tls|li|li-tls> level <alert|crit|debug|emerg|err|info|notice|warning> [facility <#>] [messageid <id>] [structured-data <structured-data>] [certificate <cert>]
Steps:
 - Get access to the NSX Appliance and Edge components CLI
 - Use one of the following CLI commands(depend on which forwarding method you would like to choose):
   Use rsyslog server for log forwarding by udp protocol
     # set logging-server <rsyslog server IP/FQDN> proto udp level info
   OR
   Use rsyslog server for log forwarding by tls protocol
     # set logging-server <rsyslog server IP/FQDN> proto tls level info
   OR
   Use VMware Aria Operations for Logs agent for log forwarding
     # set logging-server <VMware Aria Operations for Logs server IP/FQDN> proto li level info
   OR
   Use VMware Aria Operations for Logs agent for log forwarding by tls protocol
     # set logging-server <VMware Aria Operations for Logs server IP/FQDN> proto li-tls level info
Notes:
 1) When using protocol li/li-tls, port number 9000/9543 should be used, respectively. These port definitions for li and li-tls are selected automatically by default starting in NSX-T 2.5.
 2) When using protocol tls/li-tls, additional certificate file(s) are required. For tls, a CA certificate and a pair of certificate and private key for the NSX appliance need to be specified. For the li-tls protocol, a CA certificate file needs to be specified.
 3) The certificate and key file(s) should be copied to /image/vmware/nsx/file-store for access from the NSX CLI.
 4) If a logging server is already configured using udp/tcp/tls, please do not configure another one using li/li-tls to avoid duplicate logs, and vice versa.

2. ESXi hosts configuration:
There are two ways to configure ESXi to forward logs to the VMware Aria Operations for Logs servers.
1) If ESXi hosts are managed by vSphere instance, configure vSphere integration by using VMware Aria Operations for Logs Administration -> vSphere page.
OR
2) Use ESXi CLI to configure VMware Aria Operations for Logs server for log forwarding.
Steps:
 - Get access to the ESXi components Command-Line Interface
 - Execute the following command
     # esxcli network firewall ruleset set -r syslog -e true
     # esxcli network firewall refresh
     # esxcli system syslog config set --loghost=udp://<VMware Aria Operations for Logs server>:514
     # esxcli system syslog reload

3. KVM hosts configuration:
If there are KVM hosts in the environment, their log forwarding also need to be configured.
Steps:
 - Get access to the KVM shell
 - Edit the /etc/rsyslog.d/10-vmware-enable-rfc5424.conf file
     # vim /etc/rsyslog.d/10-vmware-enable-rfc5424.conf
     # Add line `*.* @<VMware Aria Operations for Logs server>:514;RFC5424fmt`
 - Restart rsyslog
     # systemctl restart rsyslog

Notes:
 1) Currently, all Policy appliance UI and API operations such as Segment/Tier-0/1 gateway creation/update/deletion are not supported in the VMware Aria Operations for Logs dashboard including alerting. Only the Manager UI and API is supported. To use the Manager UI and API please follow these steps:
  - for NSX-T 2.x
    Perform operations under the "Advanced Networking & Security" tab.
  - for NSX-T 3.x
    Go to the "System" tab in the NSX UI and then under "User Interface Settings", change the default mode to Manager.
 2) Distributed firewall rule logging is disabled by default and needs to be enabled in order to have data shown in the "NSX - Distributed Firewall - Traffic" dashboard.

For additional facility and messageid options, or further syslog details, please check NSX Administration Guide.

After that, we can see the NSX content pack details under the menu Content Packs:

Under the Dashboards menu, we can access the NSX content pack to see the information related to the NSX environment:

Using the instructions provided by the NSX content pack, we can access each NSX Manager Appliance and each Edge Transport Node and configure each one to send logs to the VMware Aria Operations for Logs.
In this case, for instance, 192.168.255.91 is the IP address of our VMware Aria Operations for Logs:

set logging-server 192.168.255.91 proto li level info
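
Before applying such commands on many appliances, they can be checked against the notes in the setup instructions. The script below is an added example, not code from the content pack or from VMware: it parses `set logging-server` lines using only the syntax shown in the instructions and flags unencrypted protocols, a tls/li-tls line without the `certificate` option, a port that contradicts note 1, and both forwarding methods configured together (note 4). The function names and the host `logs.example.test` are made up for illustration.

```python
import shlex

PROTOS = {"tcp", "udp", "tls", "li", "li-tls"}
LEVELS = {"alert", "crit", "debug", "emerg", "err", "info", "notice", "warning"}
OPTIONS = {"proto", "level", "facility", "messageid", "structured-data", "certificate"}
AGENT_PORTS = {"li": "9000", "li-tls": "9543"}  # note 1 of the instructions

def parse(line):
    """Parse one 'set logging-server' line (IPv4/FQDN target) into a dict."""
    tok = shlex.split(line.lstrip("# "))
    if tok[:2] != ["set", "logging-server"] or len(tok) < 3 or len(tok) % 2 == 0:
        raise ValueError("incomplete set logging-server command: " + line)
    host, _, port = tok[2].partition(":")
    cfg = {"host": host, "port": port or None}
    for key, value in zip(tok[3::2], tok[4::2]):
        if key not in OPTIONS:
            raise ValueError("unknown option: " + key)
        cfg[key] = value
    if cfg.get("proto") not in PROTOS or cfg.get("level") not in LEVELS:
        raise ValueError("proto/level missing or invalid: " + line)
    return cfg

def audit(lines):
    """Return findings for the logging-server commands of one appliance."""
    findings, families = [], set()
    for line in lines:
        cfg = parse(line)
        proto, target = cfg["proto"], cfg["host"]
        families.add("agent" if proto.startswith("li") else "syslog")
        if proto in ("udp", "tcp", "li"):
            findings.append(f"{target}: proto {proto} sends logs unencrypted")
        elif "certificate" not in cfg:  # note 2: tls and li-tls need cert files
            findings.append(f"{target}: proto {proto} needs a certificate")
        want = AGENT_PORTS.get(proto)
        if want and cfg["port"] not in (None, want):
            findings.append(f"{target}: proto {proto} expects port {want}")
    if len(families) == 2:  # note 4: both forwarding methods configured
        findings.append("li/li-tls mixed with udp/tcp/tls: duplicate logs")
    return findings

# Constructed input; only the first line is the command used in this post.
SAMPLE = [
    "set logging-server 192.168.255.91 proto li level info",
    "set logging-server 192.168.255.91:9000 proto li-tls level info",
    "# set logging-server logs.example.test proto udp level info",
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

For the command used in this post, the only finding is that `proto li` forwards logs without encryption; `li-tls` with a CA certificate is the variant the instructions list for encrypted forwarding.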

After some time, we can access the NSX dashboard and see the data is being populated:

Also, we can explore the logs under the menu Explore Logs. This is a powerful menu in which we can apply a lot of filters. In this example, we are filtering for logs related to the NSX Distributed Firewall. It is possible to apply some conditionals in the filter just to select the logs based on our needs:

That’s it 🙂
I hope that this article can help you!