{"id":2138,"date":"2025-03-24T15:36:22","date_gmt":"2025-03-24T14:36:22","guid":{"rendered":"https:\/\/thomas-kopton.de\/vblog\/?p=2138"},"modified":"2025-03-24T15:36:24","modified_gmt":"2025-03-24T14:36:24","slug":"nsx-user-ops-audit-using-aria-operations-for-logs","status":"publish","type":"post","link":"https:\/\/thomas-kopton.de\/vblog\/?p=2138","title":{"rendered":"NSX User Ops Audit using Aria Operations for Logs"},"content":{"rendered":"\n

Recently, a customer asked me if it’s possible to monitor or retrospectively see which user performed specific actions<\/mark><\/strong> in NSX<\/mark><\/strong> using the tools available in the VMware Cloud Foundation<\/mark><\/strong> (VCF) stack \u2014 essentially, a typical user actions audit for NSX.<\/p>\n\n\n\n

Although we don’t have an exact match in the current Aria Operations for Logs<\/mark><\/strong> NSX Content Pack, it’s relatively straightforward to create a custom dashboard<\/strong> that allows you to quickly and clearly see what users are doing in NSX.<\/p>\n\n\n\n

In this post, I’ll outline a few ideas on how to start implementing such a requirement. This is intended more as inspiration rather than a complete solution, which doesn’t mean it can’t be used immediately.<\/p>\n\n\n\n

Scenario Description<\/h5>\n\n\n\n

To keep things concise, I’ll first describe the brief scenario we’ll be working with. I want a simple and quick overview of which users<\/strong> have logged<\/strong> into my NSX Manager and who has performed specific actions<\/strong> related to segment configuration, rules, etc.<\/p>\n\n\n\n

In this setup, I’m using NSX version 4.2.1.0.0.24304122 and VMware Aria Operations for Logs version 8.18.3-24515748.<\/p>\n\n\n\n

Pre-Requisites<\/h5>\n\n\n\n

Of course, the first requirement is that NSX sends logs to the Aria Operations for Logs instance; you can find the relevant configuration details here:<\/p>\n\n\n\n

https:\/\/techdocs.broadcom.com\/us\/en\/vmware-cis\/nsx\/vmware-nsx\/4-2\/administration-guide\/operations-and-management\/log-messages-and-error-codes\/configure-remote-logging.html<\/a><\/p>\n\n\n\n

To make it easier to create the necessary queries for the NSX User Audit Dashboard<\/strong> later on, I configured three custom Extracted Fields<\/strong>. The following image shows these fields. At the end of this post, I will provide a link to my Git repository where all components will be available.<\/p>\n\n\n\n

\"\"<\/a>
Figure 01: Custom Extracted Fields.<\/em><\/figcaption><\/figure>\n\n\n\n

After importing the myNSXExtractedFields v1.0.vlcp<\/code> file, you should verify that the new Extracted Fields are working as expected by checking both a successful and a failed login in NSX. The following image shows the import option in Operations for Logs.<\/p>\n\n\n\n

\"\"<\/a>
Figure 02: Importing custom content.<\/em><\/figcaption><\/figure>\n\n\n\n

The next two screenshots display two log messages from NSX, one for a successful login and one for a failed login, with the new Extracted Fields in action.<\/p>\n\n\n\n

\"\"<\/a>
Figure 03: NSX log message with the new Extracted Fields.<\/em><\/figcaption><\/figure>\n\n\n\n
\"\"<\/a>
Figure 04: NSX log message with the new Extracted Fields – failed login.<\/em><\/figcaption><\/figure>\n\n\n\n
Proposed Solution<\/strong><\/h5>\n\n\n\n

Now that we’re equipped, we can get started and create queries that will serve as the foundation for our dashboard. I won’t describe each individual query here; these, along with the complete dashboard, can be downloaded from my Git repository and imported into Operations for Logs.<\/p>\n\n\n\n

Querying for failed login attempts is very straightforward. The fields available in the NSX Content Pack are logically AND-linked, and we obtain the required information. The next image shows a corresponding log message.<\/p>\n\n\n\n

\"\"<\/a>
Figure 05: Query with simple logical expression.<\/em><\/figcaption><\/figure>\n\n\n\n

The query that will show us who changed what and when regarding the DFW rules is a bit more complex; the following image shows the expanded list of AND-linked fields.<\/p>\n\n\n\n

\"\"<\/a>
Figure 06: Query with more complex logical expression.<\/em><\/figcaption><\/figure>\n\n\n\n

With all the queries I created in this very simple form, the dashboard looks like it does in the next screenshot. <\/p>\n\n\n\n

\"\"<\/a>
Figure 07: NSX User Actions Audit dashboard.<\/em><\/figcaption><\/figure>\n\n\n\n

As I mentioned at the beginning, this is intended to serve as an idea for further expanding and improving the dashboard.<\/p>\n\n\n\n

An here is my repo containing the Operations for Logs content described in this post:<\/p>\n\n\n\n

https:\/\/github.com\/tkopton\/aria-operations-content\/tree\/main\/NSXUserAudit
<\/a><\/p>\n\n\n\n

Stay<\/mark><\/strong> safe<\/mark><\/strong>.<\/p>\n\n\n\n

Thomas<\/p>\n\n\n\n

https:\/\/twitter.com\/ThomasKopton<\/a><\/p>\n\n\n\n

https:\/\/www.linkedin.com\/in\/thomas-kopton-618944106<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Recently, a customer asked me if it’s possible to monitor or retrospectively see which user performed specific actions in NSX using the tools available in the VMware Cloud Foundation (VCF) stack \u2014 essentially, a typical user actions audit for NSX. Although we don’t have an exact match in the current Aria Operations for Logs NSX …<\/p>\n","protected":false},"author":1,"featured_media":2166,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[78,22],"tags":[80,92,91,25,7],"class_list":["post-2138","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aria-operations-for-logs","category-vrealize-log-insight","tag-aria-operations-for-logs","tag-nsx","tag-vcf-operations-for-logs","tag-vrealize-log-insight","tag-vrli"],"yoast_head":"\nNSX User Ops Audit using Aria Operations for Logs - TOMsOps<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/thomas-kopton.de\/vblog\/?p=2138\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NSX User Ops Audit using Aria Operations for Logs - TOMsOps\" \/>\n<meta property=\"og:description\" content=\"Recently, a customer asked me if it’s possible to monitor or retrospectively see which user performed specific actions in NSX using the tools available in the VMware Cloud Foundation (VCF) stack \u2014 essentially, a typical user actions audit for NSX. Although we don’t have an exact match in the current Aria Operations for Logs NSX ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/thomas-kopton.de\/vblog\/?p=2138\" \/>\n<meta property=\"og:site_name\" content=\"TOMsOps\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-24T14:36:22+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-03-24T14:36:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2826\" \/>\n\t<meta property=\"og:image:height\" content=\"1538\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Thomas Kopton\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Thomas Kopton\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138#article\",\"isPartOf\":{\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138\"},\"author\":{\"name\":\"Thomas Kopton\",\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/#\/schema\/person\/892d6b96c66b1dd4b75c6e32fdbfea82\"},\"headline\":\"NSX User Ops Audit using Aria Operations for Logs\",\"datePublished\":\"2025-03-24T14:36:22+00:00\",\"dateModified\":\"2025-03-24T14:36:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138\"},\"wordCount\":586,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138#primaryimage\"},\"thumbnailUrl\":\"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png\",\"keywords\":[\"Aria Operations for Logs\",\"NSX\",\"VCF Operations for Logs\",\"vRealize log insight\",\"vRLI\"],\"articleSection\":[\"Aria Operations for Logs\",\"vRealize Log Insight\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/thomas-kopton.de\/vblog\/?p=2138#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138\",\"url\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138\",\"name\":\"NSX User Ops Audit using Aria Operations for Logs - TOMsOps\",\"isPartOf\":{\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138#primaryimage\"},\"image\":{\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138#primaryimage\"},\"thumbnailUrl\":\"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png\",\"datePublished\":\"2025-03-24T14:36:22+00:00\",\"dateModified\":\"2025-03-24T14:36:24+00:00\",\"author\":{\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/#\/schema\/person\/892d6b96c66b1dd4b75c6e32fdbfea82\"},\"breadcrumb\":{\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/thomas-kopton.de\/vblog\/?p=2138\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138#primaryimage\",\"url\":\"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png\",\"contentUrl\":\"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png\",\"width\":2826,\"height\":1538},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/?p=2138#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/thomas-kopton.de\/vblog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NSX User Ops Audit using Aria Operations for Logs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/#website\",\"url\":\"https:\/\/thomas-kopton.de\/vblog\/\",\"name\":\"TOMsOps\",\"description\":\"Just another VMware Cloud Management Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/thomas-kopton.de\/vblog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/#\/schema\/person\/892d6b96c66b1dd4b75c6e32fdbfea82\",\"name\":\"Thomas Kopton\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/thomas-kopton.de\/vblog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e746aafbd3733172ceb4d600ba1feda61bc87cd3b70f5a9dfb581907cc7973b1?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e746aafbd3733172ceb4d600ba1feda61bc87cd3b70f5a9dfb581907cc7973b1?s=96&d=mm&r=g\",\"caption\":\"Thomas Kopton\"},\"url\":\"https:\/\/thomas-kopton.de\/vblog\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"NSX User Ops Audit using Aria Operations for Logs - TOMsOps","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/thomas-kopton.de\/vblog\/?p=2138","og_locale":"en_US","og_type":"article","og_title":"NSX User Ops Audit using Aria Operations for Logs - TOMsOps","og_description":"Recently, a customer asked me if it’s possible to monitor or retrospectively see which user performed specific actions in NSX using the tools available in the VMware Cloud Foundation (VCF) stack \u2014 essentially, a typical user actions audit for NSX. Although we don’t have an exact match in the current Aria Operations for Logs NSX ...","og_url":"https:\/\/thomas-kopton.de\/vblog\/?p=2138","og_site_name":"TOMsOps","article_published_time":"2025-03-24T14:36:22+00:00","article_modified_time":"2025-03-24T14:36:24+00:00","og_image":[{"width":2826,"height":1538,"url":"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png","type":"image\/png"}],"author":"Thomas Kopton","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Thomas Kopton","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138#article","isPartOf":{"@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138"},"author":{"name":"Thomas Kopton","@id":"https:\/\/thomas-kopton.de\/vblog\/#\/schema\/person\/892d6b96c66b1dd4b75c6e32fdbfea82"},"headline":"NSX User Ops Audit using Aria Operations for Logs","datePublished":"2025-03-24T14:36:22+00:00","dateModified":"2025-03-24T14:36:24+00:00","mainEntityOfPage":{"@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138"},"wordCount":586,"commentCount":0,"image":{"@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138#primaryimage"},"thumbnailUrl":"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png","keywords":["Aria Operations for Logs","NSX","VCF Operations for Logs","vRealize log insight","vRLI"],"articleSection":["Aria Operations for Logs","vRealize Log Insight"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/thomas-kopton.de\/vblog\/?p=2138#respond"]}]},{"@type":"WebPage","@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138","url":"https:\/\/thomas-kopton.de\/vblog\/?p=2138","name":"NSX User Ops Audit using Aria Operations for Logs - TOMsOps","isPartOf":{"@id":"https:\/\/thomas-kopton.de\/vblog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138#primaryimage"},"image":{"@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138#primaryimage"},"thumbnailUrl":"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png","datePublished":"2025-03-24T14:36:22+00:00","dateModified":"2025-03-24T14:36:24+00:00","author":{"@id":"https:\/\/thomas-kopton.de\/vblog\/#\/schema\/person\/892d6b96c66b1dd4b75c6e32fdbfea82"},"breadcrumb":{"@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/thomas-kopton.de\/vblog\/?p=2138"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138#primaryimage","url":"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png","contentUrl":"https:\/\/thomas-kopton.de\/vblog\/wp-content\/uploads\/2025\/03\/image-7.png","width":2826,"height":1538},{"@type":"BreadcrumbList","@id":"https:\/\/thomas-kopton.de\/vblog\/?p=2138#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/thomas-kopton.de\/vblog"},{"@type":"ListItem","position":2,"name":"NSX User Ops Audit using Aria Operations for Logs"}]},{"@type":"WebSite","@id":"https:\/\/thomas-kopton.de\/vblog\/#website","url":"https:\/\/thomas-kopton.de\/vblog\/","name":"TOMsOps","description":"Just another VMware Cloud Management Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/thomas-kopton.de\/vblog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/thomas-kopton.de\/vblog\/#\/schema\/person\/892d6b96c66b1dd4b75c6e32fdbfea82","name":"Thomas Kopton","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/thomas-kopton.de\/vblog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e746aafbd3733172ceb4d600ba1feda61bc87cd3b70f5a9dfb581907cc7973b1?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e746aafbd3733172ceb4d600ba1feda61bc87cd3b70f5a9dfb581907cc7973b1?s=96&d=mm&r=g","caption":"Thomas Kopton"},"url":"https:\/\/thomas-kopton.de\/vblog\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=\/wp\/v2\/posts\/2138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2138"}],"version-history":[{"count":23,"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=\/wp\/v2\/posts\/2138\/revisions"}],"predecessor-version":[{"id":2169,"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=\/wp\/v2\/posts\/2138\/revisions\/2169"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=\/wp\/v2\/media\/2166"}],"wp:attachment":[{"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thomas-kopton.de\/vblog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}