The missing query
Log Insight provides content packs that come chocked full of queries, alarms, and dashboards for users of specific products. They cover networking, security, storage, hardware, servers and more. A recent update to the NSX for vSphere content back saw TCP Protocol removed. I use TCP protocol heavily in my “segmentation approach” when learning applications. As a result I needed it back. This is where custom queries are useful.
The query missing was searching the dfwpkt log file for the INET protocol (L3 DFW) and then what protocol is used. This is handy in determining what type of rule to build such as UDP or TCP services.
- Name: vmw_nsx_firewall_protocol
- pre-context: (IN|OUT) (\d+ )?
- post-context: \s
- custom-regex: (TCP6?|UDP6?|PROTO6?\d+)
- additional-context dfwpktlogs INET
These fields are create in a custom field. This is done by highlighting an the desired field on a given log (TCP in my case). Right click and select Extract Field.
This results in my queries and dashboards working as desired again.
Now I can easily see what is talking to and from my apps when segmenting them. Happy days.
NOTE: This was removed in the NSX Content Pack 3.4 due to it being a resource expensive query. This expensive regex slowed down a query and a any dashboard it referenced and was removed.