VMware NSX

About
VMware NSX is a network virtualization and security platform that enables the virtual cloud network, a software-defined approach to networking that extends across data centers, clouds and application frameworks.
Product Details
Vendor URL: VMware NSX - VMware Virtualization Solution
Product Type: Security Platform
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Configure Remote Logging - VMware Docs
Log Guide: Firewall Logs - VMware Docs
Parser Details
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: VMWARE_NSX
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | security_result.action_details |
| ALLOW,BLOCK,FAIL | security_result.action |
| AUTHTYPE_UNSPECIFIED | extensions.auth.type |
| bytes_in | network.received_bytes |
| bytes_out | network.sent_bytes |
| CRITICAL,HIGH,MEDIUM,LOW,INFORMATIONAL | security_result.severity |
| description | metadata.description |
| direction | network.direction |
| event_type | metadata.event_type |
| Existing_portgroupId | additional.fields |
| intermediary_data | intermediary.hostname |
| intermediary_data | intermediary.ip |
| New_portgroupId | additional.fields |
| observer | observer.hostname |
| observer | observer.ip |
| observer_domain | observer.administrative_domain |
| packet_length | additional.fields |
| packets_in | additional.fields |
| packets_out | additional.fields |
| principal | principal.hostname |
| principal | principal.ip |
| principal_domain | principal.administrative_domain |
| principal_pid | principal.process.parent_process.pid |
| principal_port | principal.port |
| principal_user | principal.user.userid |
| product | metadata.product_name |
| product_event | metadata.product_event_type |
| product_log_id | metadata.product_log_id |
| protocol | network.ip_protocol |
| rule_id | security_result.rule_id |
| rule_name | security_result.rule_name |
| session_id | network.session_id |
| severity | security_result.severity_details |
| start_time | additional.fields |
| target | target.hostname |
| target | target.ip |
| target_domain | target.administrative_domain |
| target_file | target.file.full_path |
| target_pid | target.process.parent_process.pid |
| target_port | target.port |
| target_user | target.user.userid |
| tcp_flag | additional.fields |
| vendor | metadata.vendor_name |
| version | metadata.product_version |
Product Event Types
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| logon | | USER_LOGIN | |
| start | | PROCESS_LAUNCH | |
| principal,target | | NETWORK_CONNECTION | |
| Default | | GENERIC_EVENT | |
Log Sample
<13>1 2022-05-02T12:03:28.395Z observer_hostname.companyname.com dfwpktlogs - - - INET match PASS company_nsx/1010 IN 78 UDP 10.0.0.132/137->10.0.0.255/137 tag.NSX_Rulename
Sample Parsing
metadata.event_timestamp = "2022-05-02T12:03:28Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "VMware"
metadata.product_name = "NSX"
metadata.product_version = "dfwpktlogs"
metadata.product_event_type = "INET match"
metadata.description = "Packet matches a rule"
additional.packet_length = "78"
principal.ip = "10.0.0.132"
principal.port = 137
principal.asset.ip = "10.0.0.132"
target.ip = "10.0.0.255"
target.port = 137
target.asset.ip = "10.0.0.255"
intermediary.hostname = "company_nsx"
observer.hostname = "observer_hostname"
observer.domain.name = "companyname.com"
security_result.rule_name = "NSX_Rulename"
security_result.summary = "MATCH"
security_result.action = "ALLOW"
security_result.rule_id = "1010"
security_result.action_details = "PASS"
network.ip_protocol = "UDP"
network.direction = "INBOUND"
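The field mapping above, worked as an added example in Python (this is not the parser's or VMware's own code). It parses the RFC 5424 syslog header, matches the dfwpktlogs body, and emits the same UDM-style keys and values shown in the Sample Parsing section. Only the PASS -> ALLOW mapping, the IN -> INBOUND mapping and the first log line come from this page; the DROP/REJECT -> BLOCK mapping, the handling of a trailing TCP-flag token, the optional ports for port-less address pairs, and the second and third sample lines are assumptions constructed for the example. It also computes the share of lines that normalized, which is what the Expected Normalization Rate figure above measures.

```python
"""Parse VMware NSX distributed-firewall packet logs (dfwpktlogs) delivered over
syslog into the UDM-style fields listed in the Sample Parsing section."""
import re
from datetime import datetime
from typing import Optional

# RFC 5424 header as in the page sample: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+"
    r"(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>\S+)\s+(?P<msg>.*)$"
)

# dfwpktlogs body, e.g.
#   INET match PASS company_nsx/1010 IN 78 UDP 10.0.0.132/137->10.0.0.255/137 tag.NSX_Rulename
# Ports are optional so that port-less address pairs (e.g. ICMP) still match (assumption).
DFW_RE = re.compile(
    r"^(?P<family>INET6?)\s+(?P<reason>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<intermediary>[^/\s]+)/(?P<rule_id>\d+)\s+(?P<direction>IN|OUT)\s+"
    r"(?P<length>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[^/\s>]+)(?:/(?P<sport>\d+))?->(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r"(?P<rest>(?:\s+\S+)*)\s*$"
)

# PASS -> ALLOW is taken from the page; DROP/REJECT -> BLOCK is this example's assumption.
ACTION_MAP = {"PASS": "ALLOW", "DROP": "BLOCK", "REJECT": "BLOCK"}
DIRECTION_MAP = {"IN": "INBOUND", "OUT": "OUTBOUND"}


def parse_nsx_dfw(line: str) -> Optional[dict]:
    """Return a flat dict of UDM-style fields, or None if the line is not a dfwpktlogs record."""
    head = SYSLOG_RE.match(line.strip())
    if not head or head["app"] != "dfwpktlogs":
        return None
    body = DFW_RE.match(head["msg"])
    if not body:
        return None

    # The page truncates the event timestamp to whole seconds; 'Z' is rewritten for fromisoformat.
    ts = datetime.fromisoformat(head["ts"].replace("Z", "+00:00"))
    host, _, domain = head["host"].partition(".")
    event = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.event_type": "NETWORK_CONNECTION",
        "metadata.vendor_name": "VMware",
        "metadata.product_name": "NSX",
        "metadata.product_version": head["app"],
        "metadata.product_event_type": f"{body['family']} {body['reason']}",
        "additional.packet_length": body["length"],
        "principal.ip": body["src"],
        "target.ip": body["dst"],
        "intermediary.hostname": body["intermediary"],
        "observer.hostname": host,
        "observer.domain.name": domain,
        "security_result.rule_id": body["rule_id"],
        "security_result.action_details": body["action"],
        "security_result.action": ACTION_MAP.get(body["action"], "UNKNOWN_ACTION"),
        "security_result.summary": body["reason"].upper(),
        "network.ip_protocol": body["proto"],
        "network.direction": DIRECTION_MAP[body["direction"]],
    }
    if body["sport"]:
        event["principal.port"] = int(body["sport"])
    if body["dport"]:
        event["target.port"] = int(body["dport"])
    # Trailing tokens: "tag.<name>" carries the rule name (as in the page sample); any other
    # token is recorded as the TCP flag string (assumption, mirroring the tcp_flag table row).
    for tok in body["rest"].split():
        if tok.startswith("tag."):
            event["security_result.rule_name"] = tok[len("tag."):]
        else:
            event["additional.tcp_flag"] = tok
    return event


def normalization_rate(lines):
    """Events produced and the fraction of input lines that normalized."""
    events = [e for e in (parse_nsx_dfw(l) for l in lines) if e]
    return events, (len(events) / len(lines) if lines else 0.0)


SAMPLE_LINES = [
    # Taken from the page's Log Sample section.
    "<13>1 2022-05-02T12:03:28.395Z observer_hostname.companyname.com dfwpktlogs - - - "
    "INET match PASS company_nsx/1010 IN 78 UDP 10.0.0.132/137->10.0.0.255/137 tag.NSX_Rulename",
    # Constructed: a dropped inbound TCP SYN carrying a flag token and a rule tag.
    "<13>1 2022-05-02T12:04:01.120Z observer_hostname.companyname.com dfwpktlogs - - - "
    "INET match DROP company_nsx/1020 IN 60 TCP 198.51.100.7/51234->10.0.0.10/22 S tag.Block_SSH",
    # Constructed: a non-dfwpktlogs record from the same host, which must not normalize.
    "<14>1 2022-05-02T12:04:05.000Z observer_hostname.companyname.com NSX - - - some other message",
]

if __name__ == "__main__":
    events, rate = normalization_rate(SAMPLE_LINES)
    for ev in events:
        for k, v in ev.items():
            print(f"{k} = {v!r}")
        print()
    print(f"normalized {len(events)}/{len(SAMPLE_LINES)} lines ({rate:.0%})")
```

Lines that parse but carry an action outside the known set are kept with `security_result.action = "UNKNOWN_ACTION"` rather than dropped, so they still count toward the normalization rate and remain searchable; lines whose app-name is not `dfwpktlogs` are rejected outright, which is the case a real deployment hits when other NSX components share the same syslog target.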
Parser Alerting
This product currently does not have any Parser-based Alerting.