Aria Operations for Logs, vRealize Log Insight

NSX User Ops Audit using Aria Operations for Logs

| by Thomas Kopton

Recently, a customer asked me if it’s possible to monitor or retrospectively see which user performed specific actions in NSX using the tools available in the VMware Cloud Foundation (VCF) stack — essentially, a typical user actions audit for NSX.

Although we don’t have an exact match in the current Aria Operations for Logs NSX Content Pack, it’s relatively straightforward to create a custom dashboard that allows you to quickly and clearly see what users are doing in NSX.

In this post, I’ll outline a few ideas on how to start implementing such a requirement. This is intended more as inspiration rather than a complete solution, which doesn’t mean it can’t be used immediately.

Scenario Description

To keep things concise, I’ll first describe the brief scenario we’ll be working with. I want a simple and quick overview of which users have logged into my NSX Manager and who has performed specific actions related to segment configuration, rules, etc.

In this setup, I’m using NSX version 4.2.1.0.0.24304122 and VMware Aria Operations for Logs version 8.18.3-24515748.

Pre-Requisites

Of course, the first requirement is that NSX sends logs to the Aria Operations for Logs instance; you can find the relevant configuration details here:

https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/operations-and-management/log-messages-and-error-codes/configure-remote-logging.html

To make it easier to create the necessary queries for the NSX User Audit Dashboard later on, I configured three custom Extracted Fields. The following image shows these fields. At the end of this post, I will provide a link to my Git repository where all components will be available.

Figure 01: Custom Extracted Fields.

After importing the myNSXExtractedFields v1.0.vlcp file, you should verify that the new Extracted Fields are working as expected by checking both a successful and a failed login in NSX. The following image shows the import option in Operations for Logs.

Figure 02: Importing custom content.

The next two screenshots display two log messages from NSX, one for a successful login and one for a failed login, with the new Extracted Fields in action.

Figure 03: NSX log message with the new Extracted Fields.
Figure 04: NSX log message with the new Extracted Fields – failed login.
Proposed Solution

Now that we’re equipped, we can get started and create queries that will serve as the foundation for our dashboard. I won’t describe each individual query here; these, along with the complete dashboard, can be downloaded from my Git repository and imported into Operations for Logs.

Querying for failed login attempts is very straightforward. The fields available in the NSX Content Pack are logically AND-linked, and we obtain the required information. The next image shows a corresponding log message.

Figure 05: Query with simple logical expression.

The query that will show us who changed what and when regarding the DFW rules is a bit more complex; the following image shows the expanded list of AND-linked fields.

Figure 06: Query with more complex logical expression.

With all the queries I created in this very simple form, the dashboard looks like it does in the next screenshot.

Figure 07: NSX User Actions Audit dashboard.

As I mentioned at the beginning, this is intended to serve as an idea for further expanding and improving the dashboard.

An here is my repo containing the Operations for Logs content described in this post:

https://github.com/tkopton/aria-operations-content/tree/main/NSXUserAudit

Stay safe.

Thomas

https://twitter.com/ThomasKopton

https://www.linkedin.com/in/thomas-kopton-618944106

Leave a Reply

Your email address will not be published. Required fields are marked *