
Exposing NSX Distributed Firewall logs to vRealize Automation end users through vRealize Log Insight

A customer asked me this week “what is the best way to allow the end users of a vRealize Automation-based private cloud to view the NSX Distributed Firewall logs?” The users needed to be limited to only the Distributed Firewall logs, and ideally they would be taken directly to a view of the data relating to the particular vRealize Automation deployment they were interested in.

Fortunately, I have vRealize Automation and NSX configured to forward their logs to vRealize Log Insight. With vRealize Log Insight we have the ability to limit the scope of a user’s visibility of log data through a “Data Set” construct. We can also integrate vRealize Log Insight with the VMware Identity Manager instance embedded in the vRealize Automation appliance for single sign-on, so vRealize Automation users can be allowed access to the Data Set without re-authenticating.

In the following example, each vRealize Automation deployment is configured with a Distributed Firewall section, and a “Default Deny” rule is applied to the deployment using a Security Group. Initially that rule is configured to allow all traffic, and the idea is that the end user can view the Distributed Firewall logs and see what traffic is being logged by the default rule. From these logs, they can use the “firewall-as-a-service” actions to implement micro-segmentation.

Configure NSX Distributed Firewall Logging

To identify the specific deployment in the Distributed Firewall logs, the vRealize Automation deployment ID is added to the Tag field and logging is enabled. The Tag field is limited to 30 characters, so the deployment ID guid is cut short by 6 characters, but the likelihood of two truncated guids colliding in the short-term use here is negligible.

Configure VMware Identity Manager for vRealize Log Insight authentication

Next I create a local user in my vRealize Automation tenant to be used by vRealize Log Insight for VMware Identity Manager authentication. This is done by logging in as the default system administrator account, selecting the tenant and then the Local users tab.

The VMware Identity Manager user is added to the Tenant administrators, which is required for VMware Identity Manager authentication, by going to the Administrators tab and searching for the newly created user.

At this point it’s also worth noting that I have a test user “vrauser” that is configured as an end user of my vRealize Automation platform. “vrauser” is a member of the “vRA Lab BG Users” group, which is used to assign rights within vRealize Automation. This group is synced by VMware Identity Manager and is what I’ll be using to grant privileges in Log Insight.

Configure VMware Identity Manager integration with vRealize Log Insight

Configuring Log Insight to authenticate using the vRealize Automation Identity Manager instance is fairly straightforward. Log on as an administrator and go to the Administration console from the menu in the top right. Under Configuration, select Authentication and toggle the Enable Single Sign-on switch under VMware Identity Manager.

Enter the details of the vRealize Automation instance, making sure the Tenant, Username and Password match the ones created earlier. Test the connection to make sure communication will work and ensure the “Allow Active Directory users login” switch is on. Click “Save” to enable the authentication.

Configure vRealize Log Insight access

Configuring limited access for the vRealize Automation users involves three steps: creating a new Data Set to limit what can be seen, creating a new Role to assign permissions to view the Data Set, and finally applying the Role to the vRealize Automation users.

To create a new Data Set, log onto the vRealize Log Insight console as an administrator and select the Access Control page under Management. Select the Data Sets tab and click “NEW DATA SET”.

In my case, I want to restrict the Data Set to the NSX Distributed Firewall Logs, so that makes a nice descriptive name. Adding a filter allows me to limit the data to where the “appname” contains “dfwpktlogs”. You can create more complex filters by adding more conditions.

One important thing to note is that the check box “This data set restricts other data sets” effectively switches between an “AND” and an “OR” for the Data Sets when they’re applied to a Role. If it’s checked, data must match all the filters in all the Data Sets; if unchecked, the data can match any of the filters in any of the Data Sets. In this case I am only using one Data Set, so it doesn’t make any difference.
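To make the AND/OR behaviour of the check box concrete, here is an added model (illustration only, not Log Insight code) of a Role carrying two Data Sets over a handful of constructed events. The “This data set restricts other data sets” flag is modelled exactly as described above; how Log Insight combines a restricting Data Set with a non-restricting one is an assumption here (any restricting Data Set on the Role forces the AND).

```python
"""Model of how Data Sets scope what a vRealize Log Insight Role can see.

Added illustration, not Log Insight code. Filters are "field contains
substring", as in the post's appname/dfwpktlogs filter; field names and
sample events are constructed.
"""
from dataclasses import dataclass


@dataclass
class DataSet:
    name: str
    filters: dict               # field name -> substring that must be contained
    restricts_others: bool = False   # the "restricts other data sets" check box

    def matches(self, event: dict) -> bool:
        # All conditions inside one Data Set must hold (more conditions = tighter filter)
        return all(needle in event.get(key, "") for key, needle in self.filters.items())


def visible(event: dict, role_data_sets: list) -> bool:
    """True if a Role carrying these Data Sets may see the event."""
    if not role_data_sets:
        return True                                   # no Data Set: unrestricted
    # Assumption: any restricting Data Set on the Role switches to AND semantics
    if any(ds.restricts_others for ds in role_data_sets):
        return all(ds.matches(event) for ds in role_data_sets)   # AND
    return any(ds.matches(event) for ds in role_data_sets)       # OR


# Constructed sample events (only the fields used by the filters matter here)
EVENTS = [
    {"appname": "dfwpktlogs", "hostname": "esx-01a", "text": "INET match PASS ..."},
    {"appname": "dfwpktlogs", "hostname": "esx-02a", "text": "INET match DROP ..."},
    {"appname": "vpxa",       "hostname": "esx-01a", "text": "Received hostd event ..."},
    {"appname": "vcac",       "hostname": "vra-01a", "text": "Deployment completed ..."},
]

DFW_LOGS = DataSet("NSX Distributed Firewall Logs", {"appname": "dfwpktlogs"})
HOST_ESX01 = DataSet("esx-01a only", {"hostname": "esx-01a"})
HOST_ESX01_RESTRICTING = DataSet("esx-01a only", {"hostname": "esx-01a"}, restricts_others=True)


def visible_events(role_data_sets: list) -> list:
    """hostname:appname of every event the Role would be able to see."""
    return [f'{e["hostname"]}:{e["appname"]}' for e in EVENTS if visible(e, role_data_sets)]


if __name__ == "__main__":
    print("DFW only           :", visible_events([DFW_LOGS]))
    print("DFW OR esx-01a     :", visible_events([DFW_LOGS, HOST_ESX01]))
    print("DFW AND esx-01a    :", visible_events([DFW_LOGS, HOST_ESX01_RESTRICTING]))
```

With the single Data Set used in this post only the two dfwpktlogs events are visible. Adding a second, non-restricting host Data Set widens the view (the vpxa log from esx-01a now appears), whereas making it restricting narrows it to DFW logs from esx-01a only; that is the difference the check box controls when a Role carries more than one Data Set.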

To apply the Data Set a new Role is created by cloning the existing “User”, which has read only access to Interactive Analytics and Dashboards. The newly created Data Set is checked to restrict this Role to only that data.

Finally, create a new Directory Group under the Users and Groups tab, and assign the “NSX Distributed Firewall Logs View Only” Role to the group from VMware Identity Manager – in my case I’m using the “vRA Lab BG Users” group, which contains my test end user.

Testing vRealize Log Insight Restricted Access

Now when I access vRealize Log Insight, I can see the option to log in via VMware Identity Manager. Clicking “LOGIN VIA SSO” takes me to the vRealize Automation login, where I can authenticate with my “vrauser” test user:

Et voila! The “vrauser” is able to see the NSX Distributed Firewall Logs (and only the NSX Distributed Firewall Logs), and the deployment ID guid is visible.

Extracting the Deployment ID

Now that the correct information is visible to the correct user, there’s a tweak I can make to help the end users out. I can extract the deployment ID field from the Distributed Firewall logs so that it’s easy to search for. To do this I select the guid from one of the records, and select Extract field from the pop-up menu. This opens the green form on the right-hand side to define a new field.

  • Field name: this is the name of the extracted field, “vra_deploy_guid”
  • Available for: select “All Users”
  • Extracted value: select “Any character”, which will insert the regular expression “\S+” to match any character
  • Pre and post context: these define what we expect to be before, and after, the value to extract. Before the guid we expect a space, and it should be the last space in the string. For this we use the regex “\s(?=\S*$)”. After the guid is the end of the line, so we can match that with a “$” anchor.
  • Additional context: here we can define additional conditions that the field should match – clearly we don’t want to match any string after a space for ANY log, just the Distributed Firewall ones, so again I filter on “appname” containing “dfwpktlogs”.
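The following is an added example (not Log Insight’s extractor) that applies the same three regex pieces configured above, plus the appname “additional context”, to constructed DFW log lines. It also reproduces the 30-character Tag truncation from the logging section, so the value extracted is the truncated guid exactly as it appears in the logs. The sample lines, rule IDs and deployment ID are constructed; the DFW text layout is only an approximation of real dfwpktlogs output.

```python
"""Extract vra_deploy_guid from NSX Distributed Firewall log events.

Added illustration, not vRealize Log Insight code. It mirrors the
extract-field form: pre-context \s(?=\S*$), value \S+, post-context $,
additional context appname contains dfwpktlogs.
"""
import re

TAG_MAX_LEN = 30   # NSX DFW rule Tag field limit quoted in the post

# pre-context (last whitespace in the line), value, post-context (end of line)
DEPLOY_GUID_RE = re.compile(r"\s(?=\S*$)(?P<vra_deploy_guid>\S+)$")


def dfw_tag(deployment_id: str) -> str:
    """Value written into the DFW rule Tag: the deployment ID cut to 30 characters."""
    return deployment_id[:TAG_MAX_LEN]


def extract_vra_deploy_guid(event: dict):
    """Return the extracted field, or None when the additional context does not match."""
    if "dfwpktlogs" not in event.get("appname", ""):   # additional context filter
        return None
    m = DEPLOY_GUID_RE.search(event["text"])
    return m.group("vra_deploy_guid") if m else None


# Constructed deployment ID (36 characters) and the tag the rule would carry
DEPLOYMENT_ID = "1c9a2e6b-7d34-4f1e-9b2a-0f3c5e7a9d1b"
TAG = dfw_tag(DEPLOYMENT_ID)   # "1c9a2e6b-7d34-4f1e-9b2a-0f3c5e"

# Constructed sample events: DFW hit with the tag, a vRA log that mentions the
# full guid, and a DFW hit from a rule that has no tag at all
SAMPLE_EVENTS = [
    {"appname": "dfwpktlogs",
     "text": f"INET match PASS domain-c7/1012 IN 60 TCP 172.16.10.21/52144->172.16.10.22/443 S {TAG}"},
    {"appname": "vcac",
     "text": f"Deployment {DEPLOYMENT_ID} completed successfully"},
    {"appname": "dfwpktlogs",
     "text": "INET match DROP domain-c7/1001 OUT 52 UDP 10.0.0.5/53221->8.8.8.8/53"},
]


def tag_belongs_to(extracted: str, deployment_id: str) -> bool:
    """Match a truncated tag back to a full deployment ID."""
    return extracted is not None and deployment_id.startswith(extracted) and len(extracted) == TAG_MAX_LEN


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["appname"], "->", extract_vra_deploy_guid(event))
```

Two points the form does not make obvious: the vcac line is ignored even though it contains the full guid, because the additional context restricts extraction to dfwpktlogs; and a DFW line logged by a rule with no Tag still yields a value (here the last token of the flow, `10.0.0.5/53221->8.8.8.8/53`), because the pre/post context only says “last whitespace-delimited token”. If untagged DFW rules also log in your environment, add a condition on the value’s shape or on the rule ID to the additional context.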

Now the vra_deploy_guid field is extracted for the log entries:

And Finally…

For one last flourish of usability, I created a vRealize Automation resource action that presents a link to the end user; the link opens the Log Insight Interactive Analytics view showing the last 5 minutes of logs for the application. The video below shows the user opening the resource action, clicking on the link and opening the Log Insight page. Enjoy!

About the Author

Sam is a Senior Consultant in the EMEA NSX PSO Practice, and is based in the UK. Sam specialises in NSX and Cloud automation and holds multiple high-level qualifications including VCDX7-CMA (#204) and VCIX-NV. Sam also blogs on www.definit.co.uk and you can follow him on Twitter @sammcgeown.