The missing query
Log Insight provides content packs that come chock full of queries, alarms, and dashboards for users of specific products. They cover networking, security, storage, hardware, servers and more. A recent update to the NSX for vSphere content pack removed the TCP protocol query. I use that query heavily in my "segmentation approach" when learning an application's traffic flows, so I needed it back. This is where custom queries are useful.
Custom queries
The missing query searched the dfwpktlogs log entries for the INET (L3 DFW) protocol family and then extracted which transport protocol was used. This is handy for determining what type of rule to build, such as UDP or TCP services.
- Name: vmw_nsx_firewall_protocol
- pre-context: (IN|OUT) (\d+ )?
- post-context: \s
- custom-regex: (TCP6?|UDP6?|PROTO6?\d+)
- additional-context: dfwpktlogs INET
These settings are entered when creating a custom extracted field. Highlight the desired value in a given log event (TCP in my case), right click and select Extract Field, then fill in the name, pre-context, post-context, custom regex and additional context as above.
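To show what the extracted field actually does with a packet log line, here is an added Python example (my own code, not part of the post or the NSX content pack). It composes the pre-context, custom regex and post-context into one pattern the way Log Insight does, requires the additional-context keywords to be present in the event, and tallies protocols the way a dashboard widget would. The log lines are constructed to resemble the NSX dfwpktlogs format and are not real captures; how Log Insight internally combines the three pieces is my assumption.

```python
import re
from collections import Counter

# Field definition exactly as given in the post.
PRE_CONTEXT = r"(IN|OUT) (\d+ )?"
CUSTOM_REGEX = r"(TCP6?|UDP6?|PROTO6?\d+)"
POST_CONTEXT = r"\s"
ADDITIONAL_CONTEXT = ("dfwpktlogs", "INET")   # keywords that must appear in the event

# Assumption: Log Insight evaluates pre-context + custom regex + post-context as one
# pattern, with the custom regex being the captured value of the field.
FIELD_RE = re.compile(
    PRE_CONTEXT + r"(?P<vmw_nsx_firewall_protocol>" + CUSTOM_REGEX + r")" + POST_CONTEXT
)


def extract_protocol(line):
    """Return the protocol token for a DFW INET packet log line, or None.

    None means either the additional-context keywords are absent (the event is
    not a DFW packet log) or the regex did not match.
    """
    if not all(keyword in line for keyword in ADDITIONAL_CONTEXT):
        return None
    match = FIELD_RE.search(line)
    return match.group("vmw_nsx_firewall_protocol") if match else None


def protocol_counts(lines):
    """Count protocols across events, the way a 'group by protocol' widget would."""
    counts = Counter()
    for line in lines:
        proto = extract_protocol(line)
        if proto is not None:
            counts[proto] += 1
    return counts


# Constructed sample events (not real logs); hosts and addresses are placeholders.
SAMPLE_LOGS = [
    "2019-03-01T10:00:01Z esx-01.lab dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 10.0.1.5/51234->10.0.2.8/443 S",
    "2019-03-01T10:00:02Z esx-01.lab dfwpktlogs: INET match DROP domain-c7/1001 OUT 78 UDP 10.0.1.5/40000->10.0.2.53/53",
    "2019-03-01T10:00:03Z esx-01.lab dfwpktlogs: INET6 match PASS domain-c7/1003 IN 80 TCP6 fd00::5/51234->fd00::8/443 S",
    "2019-03-01T10:00:04Z esx-01.lab dfwpktlogs: INET match PASS domain-c7/1003 IN 84 PROTO1 10.0.1.5->10.0.2.8",
    "2019-03-01T10:00:05Z esx-01.lab vmkernel: cpu3:12345)NetPort: 1234: enabled port 0x2000004 with mac 00:50:56:aa:bb:cc",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_protocol(line), "<-", line[:70])
    print(protocol_counts(SAMPLE_LOGS))
```

Note that the pre-context is unanchored, so the pattern is searched across the whole event; that is part of why the content pack authors found the query expensive at scale.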
This results in my queries and dashboards working as desired again.
Now I can easily see what is talking to and from my apps when segmenting them. Happy days.
NOTE: This query was removed in the NSX Content Pack 3.4 because it is resource expensive. The regex slowed down the query and any dashboard that referenced it, so it was dropped from the pack.