Creating a Dashboard in vRealize Log Insight specifically to monitor the NSX Edge Firewall

Introduction

I just received a request to help out with creating a vRealize Log Insight dashboard that shows statistics/logs about the Firewall Rules inside a specific NSX Edge.

My environment

I have an NSX Manager with one edge. The Edge name is ESG-01 but NSX uses the internal name "edge-1". The NSX name is the one we are going to use to get the information we require and plot that on a dashboard.

I have a standard installation of vRealize Log Insight that collects the log messages of my VMware lab environment and also from my NSX components. I have also installed the "VMware - NSX-vSphere" content pack for proper log digestion.

The charts on the dashboard

My goal is to create five charts on one single dashboard:

  • Edge-01 - ALL FW Related
    • Everything that is firewall related for the "edge-1" ESG
  • Edge-01 - Tag 131073
    • All information of the firewall rule with the tag "131073"
  • Edge-01 - Tag 131074
    • All information of the firewall rule with the tag "131074"
  • Edge-01 - ACCEPT
    • All ACCEPT hits for the "edge-1" ESG
  • Edge-01 - DENY
    • All DENY hits for the "edge-1" ESG

Creating the dashboard with the charts

The NSX Edge settings

First of all, make sure your edge has its logging configured to send to the vRealize Log Insight server.

Vrli-nsx-98776-01.png

Then make sure your ESG firewall is enabled, that logging is enabled on the firewall rules, and that the rule tags are displayed.

Vrli-nsx-98776-02.png

When this is all in place, you are ready to create the new dashboard with the charts.

Creating the Dashboard

Click on "Interactive Analytics" and then click on "add Query to Dashboard".

Vrli-nsx-98776-03.png

Vrli-nsx-98776-04.png

Give your new dashboard a name and click SAVE and then CANCEL. We are only creating the new dashboard for now and not adding anything to it yet.

Vrli-nsx-98776-05.png

Edge-01 - ALL FW Related

We should still be in "Interactive Analytics" mode; if not, go back there by clicking the button again. For the first chart, we filter on "edge-1" and then add the query: text - contains - "firewall"

Once we have done that, we need to click on "search" and then "Add a current query to Dashboard".

Vrli-nsx-98776-06.png

Give it a name and add it to the newly created dashboard.

Vrli-nsx-98776-07.png

Edge-01 - Tag 131073

Now clear the previous query again and create a new one for the tagged rule with the tag "131073". Give it a name again and add it to the newly created dashboard just like the previous step.

Vrli-nsx-98776-08.png

Edge-01 - Tag 131074

Now clear the previous query again and create a new one for the tagged rule with the tag "131074". Give it a name again and add it to the newly created dashboard just like the previous step.

Vrli-nsx-98776-09.png

Edge-01 - ACCEPT

Now clear the previous query again and create a new one for rules that are ACCEPTED. Give it a name again and add it to the newly created dashboard just like the previous step.

Vrli-nsx-98776-10.png

Edge-01 - DENY

Now clear the previous query again and create a new one for rules that are DENIED. Give it a name again and add it to the newly created dashboard just like the previous step.

Vrli-nsx-98776-11.png

The full dashboard

Because I only have two "default" rules, I initially only saw hits on the ACCEPT chart, because of the explicit accept rule. To test the "deny" rule, change the explicit accept to deny, run some ping tests and set up some TCP connections (SSH, for example) through the ESG, and then check the dashboard again.

Here is the result of the full dashboard. Make sure you set the time to "Last 24 hours" just to make sure you see some data.

Vrli-nsx-98776-12.png
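
The five chart filters from this post can also be checked offline against exported log text. The script below is an added example, not part of the original post and not VMware code: the sample lines are constructed, their layout is an assumption rather than captured NSX output, and the helper names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines; the layout is an assumption, not captured NSX output.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z edge-1 firewall: ACCEPT tag=131073 SRC=10.0.0.5 DST=10.0.1.9 PROTO=ICMP
2024-05-01T10:00:02Z edge-1 firewall: DENY tag=131074 SRC=10.0.0.7 DST=10.0.1.9 PROTO=TCP DPT=22
2024-05-01T10:00:03Z edge-10 firewall: ACCEPT tag=131073 SRC=10.0.2.5 DST=10.0.1.9 PROTO=ICMP
2024-05-01T10:00:04Z edge-1 routing: neighbor 10.0.0.1 state change
2024-05-01T10:00:05Z edge-1 firewall: ACCEPT tag=131074 SRC=10.0.0.8 DST=10.0.1.9 PROTO=TCP DPT=443
"""

EDGE = "edge-1"  # the NSX internal name used throughout the post

# Chart name -> extra terms that must all appear in a firewall line of EDGE.
CHARTS = {
    "Edge-01 - ALL FW Related": [],
    "Edge-01 - Tag 131073": ["131073"],
    "Edge-01 - Tag 131074": ["131074"],
    "Edge-01 - ACCEPT": ["ACCEPT"],
    "Edge-01 - DENY": ["DENY"],
}

def has_term(line, term):
    """True if term occurs as a whole token, so "edge-1" does not match "edge-10"."""
    return re.search(r"(?<![\w-])" + re.escape(term) + r"(?![\w-])", line) is not None

def chart_counts(log_text, edge=EDGE):
    """Count, per chart, the firewall lines of one edge that satisfy the chart's terms."""
    counts = Counter({name: 0 for name in CHARTS})
    for line in log_text.splitlines():
        if not (has_term(line, edge) and has_term(line, "firewall")):
            continue  # other edges and non-firewall messages belong to no chart
        for name, terms in CHARTS.items():
            if all(has_term(line, t) for t in terms):
                counts[name] += 1
    return dict(counts)

def silent_charts(counts):
    """Charts with zero hits: no such traffic yet, or logging is off for that rule."""
    return sorted(name for name, n in counts.items() if n == 0)

if __name__ == "__main__":
    result = chart_counts(SAMPLE_LOG)
    for name, n in result.items():
        print(f"{name}: {n}")
    print("No hits:", silent_charts(result))
```

A chart reported under "No hits" corresponds to the situation described above, where only ACCEPT events showed up until the explicit accept rule was switched to deny.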