vCenter Log Insight : Use case for vShield Manager and Edge Firewalls

If you don’t know yet, VMware has announced the Beta of vCenter Log Insight. I have been waiting for this product for a while now and was glad that it was released for public beta. You can find the Public beta here.

My use case for vCenter Log Insight is to collect all my firewall logs. The way I have done this is to deploy the vCenter Log Insight appliance and then set up vShield Manager to send all its syslog events to vCenter Log Insight. I have also configured each Edge Firewall to send log information about rules being accepted or denied to vCenter Log Insight.

Here are some screenshots from my Edge device configuration for setting up syslog in my lab:

As you can see, I have configured my Edge device to send all syslog data to my vCenter Log Insight server (UDP:192.168.0.131).

The same can be done with vCloud Director. This enables each Edge Firewall that is created to have syslog set up automatically, so you don’t have to edit this setting for each Edge Firewall.

Now that we have set up the Edge device to send all syslog data to the vCenter Log Insight server, we need to set up the rules to be forwarded to the syslog server. Below is an example of a firewall rule that is configured to send log information to the vCenter Log Insight server. Each time this rule is “hit” it will log to the syslog server.

Now let’s look at the information in vCenter Log Insight. Using Interactive Analytics, I did a search for my Edge device IP (192.168.0.140). Here I can see all the events for the rule on which I enabled syslog. In my first tests I disabled ICMP and then enabled it.

I did another search for only dropped packets, adding another text field that contains “drop*”. This was the result:
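As an added example (not code from the post or from VMware), here is a small Python filter that performs the same two searches described above over constructed syslog lines: first everything from one Edge's IP, then only the drops, with drop counts per rule. The message format is an assumption made for the example, not documented vShield Edge output; the Edge's IP is assumed to appear as the syslog host field.

```python
import re
from collections import Counter

# Constructed sample syslog lines (assumed format, not real vShield Edge output):
# each Edge reports its own IP as the syslog host and logs every hit on a rule
# that has logging enabled. The last line is unrelated noise from another host.
SAMPLE_LOGS = """\
<14>Jun 10 12:00:01 192.168.0.140 vshield-edge: firewall rule 3 DROP proto=icmp src=10.0.0.5 dst=192.168.0.10
<14>Jun 10 12:00:02 192.168.0.140 vshield-edge: firewall rule 3 DROP proto=icmp src=10.0.0.5 dst=192.168.0.10
<14>Jun 10 12:00:05 192.168.0.140 vshield-edge: firewall rule 3 ACCEPT proto=icmp src=10.0.0.5 dst=192.168.0.10
<14>Jun 10 12:00:07 192.168.0.140 vshield-edge: firewall rule 7 DROP proto=tcp src=10.0.0.9 dst=192.168.0.20 dport=22
<14>Jun 10 12:00:09 192.168.0.141 vshield-edge: firewall rule 2 DROP proto=tcp src=10.0.0.9 dst=192.168.0.21 dport=3389
<14>Jun 10 12:00:11 192.168.0.131 loginsight: unrelated event that happens to mention drop
"""

# RFC 3164-style header: <PRI>timestamp host tag: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
RULE_RE = re.compile(r"firewall rule (?P<rule>\d+) (?P<action>ACCEPT|DROP) (?P<kv>.*)$")


def parse_line(line):
    """Split one syslog line into header fields plus rule/action/key=value fields if present."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    r = RULE_RE.match(rec["msg"])
    if r:
        rec.update(rule=int(r["rule"]), action=r["action"])
        rec.update(dict(kv.split("=", 1) for kv in r["kv"].split() if "=" in kv))
    return rec


def edge_events(lines, edge_ip, action=None):
    """Mirror the Interactive Analytics search: filter on the Edge's IP (syslog host)
    and optionally on the rule action ('DROP' or 'ACCEPT'). Non-firewall messages
    are excluded by structure, so a word like 'drop' in free text does not match."""
    out = []
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != edge_ip or "action" not in rec:
            continue
        if action is None or rec["action"] == action:
            out.append(rec)
    return out


def drops_by_rule(lines, edge_ip):
    """Count dropped packets per rule on one Edge, to see which rules are hit most."""
    return Counter(rec["rule"] for rec in edge_events(lines, edge_ip, "DROP"))
```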


  1. JohnMurrayUK

    Does that mean that all your edge firewalls have a leg in your vCenter subnet so they can access 192.168.0.131?

  2. Nice work 🙂
    Is there a way to monitor IPSec VPN logs?
