Use vNIC filter_hash in Log Insight

My colleague Dale wrote about the Filter Hash property introduced in NSX 6.2.4. It helps identify the DFW filter applied to a vNIC, and his examples show how to determine it from the CLI.

The filter hash is a reference to the DFW filter placed on a vNIC, and Dale's article shows how to display it with a few commands. If a Distributed Firewall rule has logging enabled, the hash is included in the dfwpktlogs output, so it can be used to tie a logged rule hit back to the vNIC it came from. This is useful when a Virtual Machine has several IP addresses on one vNIC, for example a loopback or a Virtual IP, where the source address alone does not identify the interface.

The extracted field for the filter hash is defined as follows:

  • Field Name: vmw_nsx_firewall_filterhash
  • Extracted value: Integer -?\d+
  • Pre context: dfwpktlogs:
  • Post context: INET


This highlights the filter hash in each matching log entry. The extracted field can then be used in dashboards such as:

  • Unique number of hashes
  • Hash, src, dst and port
  • Hash


Enjoy

Custom Regex queries for Log Insight

The missing query

Log Insight provides content packs that come chock-full of queries, alarms, and dashboards for users of specific products. They cover networking, security, storage, hardware, servers and more. A recent update to the NSX for vSphere content pack saw the TCP Protocol field removed. I use TCP protocol heavily in my "segmentation approach" when learning applications, so I needed it back. This is where custom queries are useful.

Custom queries

The missing query searched the dfwpktlogs entries for the INET protocol (L3 DFW) and then extracted which transport protocol was used. This is handy in determining what type of rule to build, such as UDP or TCP services.

  • Name: vmw_nsx_firewall_protocol
  • Pre context: (IN|OUT) (\d+ )?
  • Post context: \s
  • Custom regex: (TCP6?|UDP6?|PROTO6?\d+)
  • Additional context: dfwpktlogs INET
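As an added worked example (not code from the original post, from Dale's article, or from the Log Insight content pack), the following Python script applies the same two extractions described on this page, the filter hash field from the first section and the protocol field above, to a few constructed dfwpktlogs lines, and then builds the dashboard views from the first section (unique hash count, hash/src/dst/port, plus a per-protocol breakdown). The log layout, the whitespace joining pre-context, value and post-context, and the src->dst flow regex are my assumptions; the sample lines are constructed to match the page's regexes, not captured from an NSX host.

```python
import re
from collections import Counter

# Constructed sample lines (not real captures). Assumed layout, derived from the
# pre/post context of the two extracted fields on the page:
#   <syslog prefix> dfwpktlogs: <filterhash> INET match <ACTION> <rule> <IN|OUT> <len> <proto> <src>[/<sport>]-><dst>[/<dport>] [flags]
SAMPLE_LOGS = """\
2016-09-16T17:14:06.123Z esx01 dfwpktlogs: 1234 INET match PASS domain-c7/1001 IN 60 TCP 192.168.1.10/52345->10.0.0.5/443 S
2016-09-16T17:14:07.001Z esx01 dfwpktlogs: 1234 INET match PASS domain-c7/1001 OUT 52 TCP 10.0.0.5/443->192.168.1.10/52345 SA
2016-09-16T17:14:08.500Z esx02 dfwpktlogs: -987654 INET match DROP domain-c7/1002 IN 78 UDP 172.16.0.9/5353->224.0.0.251/5353
2016-09-16T17:14:09.250Z esx02 dfwpktlogs: -987654 INET match PASS domain-c7/1003 IN 84 PROTO1 172.16.0.9->10.0.0.5
2016-09-16T17:14:10.000Z esx01 vmkernel: cpu3:12345 unrelated message, must be ignored
"""

# Field 1 (vmw_nsx_firewall_filterhash): pre-context "dfwpktlogs:", value "-?\d+",
# post-context "INET". The whitespace between the three parts is my assumption.
HASH_RE = re.compile(r"dfwpktlogs:\s+(?P<filterhash>-?\d+)\s+INET")

# Field 2 (vmw_nsx_firewall_protocol): pre-context "(IN|OUT) (\d+ )?",
# value "(TCP6?|UDP6?|PROTO6?\d+)", post-context "\s", as defined on the page.
PROTO_RE = re.compile(r"\b(?:IN|OUT) (?:\d+ )?(?P<protocol>TCP6?|UDP6?|PROTO6?\d+)\s")

# Extra (my assumption, not a field from the page): the src->dst pair with optional
# ports, needed for the "Hash, src, dst and port" dashboard.
FLOW_RE = re.compile(
    r"(?P<src>[0-9a-fA-F.:]+)(?:/(?P<sport>\d+))?->(?P<dst>[0-9a-fA-F.:]+)(?:/(?P<dport>\d+))?"
)


def parse_dfw_line(line):
    """Extract hash, protocol and flow from one L3 DFW packet log line, or None."""
    # The page's "additional context" (dfwpktlogs INET) restricts which lines are
    # candidates; a cheap substring check first avoids running regexes on every line.
    if "dfwpktlogs" not in line or "INET" not in line:
        return None
    m_hash, m_proto, m_flow = HASH_RE.search(line), PROTO_RE.search(line), FLOW_RE.search(line)
    if not (m_hash and m_proto and m_flow):
        return None
    return {
        "filterhash": int(m_hash["filterhash"]),
        "protocol": m_proto["protocol"],
        "src": m_flow["src"],
        "dst": m_flow["dst"],
        "dport": int(m_flow["dport"]) if m_flow["dport"] else None,  # None for port-less protocols
    }


def parse_dfw_logs(text):
    """Parse every line of a log blob, dropping lines that are not DFW packet logs."""
    records = (parse_dfw_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def unique_hash_count(records):
    """Dashboard 'Unique number of hashes': how many distinct vNIC filters logged traffic."""
    return len({r["filterhash"] for r in records})


def hash_flow_table(records):
    """Dashboard 'Hash, src, dst and port': hit count per (filterhash, src, dst, dport)."""
    return Counter((r["filterhash"], r["src"], r["dst"], r["dport"]) for r in records)


def protocol_breakdown(records):
    """Which protocols a rule needs to allow (TCP vs UDP vs another IP protocol)."""
    return Counter(r["protocol"] for r in records)


if __name__ == "__main__":
    recs = parse_dfw_logs(SAMPLE_LOGS)
    print("unique filter hashes:", unique_hash_count(recs))
    for key, hits in hash_flow_table(recs).most_common():
        print(key, hits)
    print("protocols:", dict(protocol_breakdown(recs)))
```

The substring check before the regexes mirrors the role of the field's additional context: it keeps the comparatively expensive patterns off the bulk of the log stream, which matters for exactly the reason given in the note at the end of this post about the content pack dropping the query. Two hits on the same hash with different protocols, as in the sample, are what tell you a single vNIC needs both a TCP and a UDP rule.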

The field is created as a custom extracted field. Highlight the desired value in a given log entry (TCP in my case), right click and select Extract Field, then enter the regex and context above.


This results in my queries and dashboards working as desired again.


Now I can easily see what is talking to and from my apps when segmenting them. Happy days.

NOTE: This field was removed in NSX Content Pack 3.4 because it is a resource-expensive query. The regex slowed down the query and any dashboard that referenced it, so it was dropped from the pack.