Recently, a customer asked me if it’s possible to monitor or retrospectively see which user performed specific actions in NSX using the tools available in the VMware Cloud Foundation (VCF) stack — essentially, a typical user actions audit for NSX.
Although we don’t have an exact match in the current Aria Operations for Logs NSX Content Pack, it’s relatively straightforward to create a custom dashboard that allows you to quickly and clearly see what users are doing in NSX.
In this post, I’ll outline a few ideas on how to start implementing such a requirement. This is intended more as inspiration than as a complete solution, although it can be used immediately.
Scenario Description
To keep things concise, I’ll first describe the brief scenario we’ll be working with. I want a simple and quick overview of which users have logged into my NSX Manager and who has performed specific actions related to segment configuration, rules, etc.
In this setup, I’m using NSX version 4.2.1.0.0.24304122 and VMware Aria Operations for Logs version 8.18.3-24515748.
Pre-Requisites
Of course, the first requirement is that NSX sends logs to the Aria Operations for Logs instance; you can find the relevant configuration details here:
To make it easier to create the necessary queries for the NSX User Audit Dashboard later on, I configured three custom Extracted Fields. The following image shows these fields. At the end of this post, I will provide a link to my Git repository where all components will be available.

After importing the myNSXExtractedFields v1.0.vlcp file, you should verify that the new Extracted Fields are working as expected by checking both a successful and a failed login in NSX. The following image shows the import option in Operations for Logs.

The next two screenshots display two log messages from NSX, one for a successful login and one for a failed login, with the new Extracted Fields in action.


Proposed Solution
Now that we’re equipped, we can get started and create queries that will serve as the foundation for our dashboard. I won’t describe each individual query here; these, along with the complete dashboard, can be downloaded from my Git repository and imported into Operations for Logs.
Querying for failed login attempts is very straightforward. The fields available in the NSX Content Pack are logically AND-linked, and we obtain the required information. The next image shows a corresponding log message.

The query that will show us who changed what and when regarding the DFW rules is a bit more complex; the following image shows the expanded list of AND-linked fields.
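The AND-linked filtering behind the failed-login and DFW queries can also be reproduced offline on exported log lines. The following Python code is an added example, not part of the original post or its repository; the log layout, the lowercased field names, and the operation and status values are constructed assumptions to be checked against your own NSX audit messages.

```python
import re
from collections import Counter

LINE = re.compile(r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) .*?\[nsx@\d+ (?P<sd>[^\]]*)\] (?P<msg>.*)$')
SD_PAIR = re.compile(r'(\w+)="([^"]*)"')                    # pairs in the structured data
MSG_PAIR = re.compile(r'(?:^|, )([A-Za-z ]+)="([^"]*)"')    # pairs in the message body

def _line(ts, user, module, op, status, audit='audit="true" '):
    # Builds one constructed sample line in the assumed NSX audit syslog layout.
    return (f'<182>1 {ts} nsxmgr01 NSX 4242 - [nsx@6876 {audit}comp="nsx-manager" '
            f'level="INFO"] UserName="{user}", ModuleName="{module}", '
            f'Operation="{op}", Operation status="{status}"')

# Constructed sample data; operation names and status values are placeholders.
SAMPLE_LOGS = [
    _line("2025-03-01T08:00:01Z", "admin", "ACCESS_CONTROL", "LOGIN", "success"),
    _line("2025-03-01T08:01:10Z", "alice", "ACCESS_CONTROL", "LOGIN", "failure"),
    _line("2025-03-01T08:01:15Z", "alice", "ACCESS_CONTROL", "LOGIN", "failure"),
    _line("2025-03-01T08:05:00Z", "bob", "Policy", "PatchSecurityPolicy", "success"),
    _line("2025-03-01T08:06:00Z", "bob", "Policy", "PatchSegment", "success"),
    # Same message shape but without audit="true": must not count as an audit hit.
    _line("2025-03-01T08:09:00Z", "carol", "ACCESS_CONTROL", "LOGIN", "failure", audit=""),
]

def parse(line):
    """Turn one syslog line into a dict of normalized fields, or None."""
    m = LINE.match(line)
    if not m:
        return None
    event = {"timestamp": m["ts"], "host": m["host"]}
    for key, value in SD_PAIR.findall(m["sd"]) + MSG_PAIR.findall(m["msg"]):
        event[key.strip().lower().replace(" ", "_")] = value
    return event

def select(lines, **criteria):
    """Return events for which every criterion holds (fields are AND-linked)."""
    events = filter(None, map(parse, lines))
    return [e for e in events if all(e.get(k) in ok for k, ok in criteria.items())]

def failed_logins(lines):
    hits = select(lines, audit={"true"}, operation={"LOGIN"}, operation_status={"failure"})
    return Counter(e["username"] for e in hits)

DFW_OPERATIONS = {"PatchSecurityPolicy", "DeleteSecurityPolicy"}  # placeholder names

def dfw_changes(lines):
    hits = select(lines, audit={"true"}, modulename={"Policy"}, operation=DFW_OPERATIONS)
    return [(e["timestamp"], e["username"], e["operation"]) for e in hits]

if __name__ == "__main__":
    print(failed_logins(SAMPLE_LOGS), dfw_changes(SAMPLE_LOGS))
```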

With all the queries I created in this very simple form, the dashboard looks like it does in the next screenshot.

As I mentioned at the beginning, this is intended to serve as an idea for further expanding and improving the dashboard.
And here is my repo containing the Operations for Logs content described in this post:
https://github.com/tkopton/aria-operations-content/tree/main/NSXUserAudit
Stay safe.
Thomas