VMWare NSX Parsing

I'm currently working on a Logstash pipeline for VMWare NSX firewall logs coming in over syslog forwarding. Some of the ICMP logs have a couple of numbers between the protocol name and the source and destination IPs that VMWare's documentation doesn't reference, as far as I can see. My organization's VMWare guy has been less than helpful, to say the least.

Example:

<6>1 2022-09-01T16:28:16.920Z redacted_esx_server_name FIREWALL_PKTLOG - - - INET match PASS 4133 IN 80 ICMP 11 0 10.128.251.19->10.20.128.109

4133 is the rule id and 80 is the packet length. Would anyone know what the 11 and 0 are?

I'd like to be able to make an intelligent decision on whether to map them to fields or not rather than just dropping them.

This means ICMP Type 11 Code 0 [reference].

And from the VMWare documentation:

For non-TCP connections (UDP, ICMP or other protocols), the reason for terminating a connection is only TIMEOUT.

I would say that you probably can ignore those fields.

Thank you. Not all of the NSX logs that are being sent to me had them (... ICMP source_ip...) so I didn't want to make any assumptions.
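The optional ICMP type/code pair discussed above is the kind of field that is easiest to get right in a small standalone parser before turning it into a Logstash grok pattern. The following Python is an added example, not code from the thread or from VMWare: it parses the RFC 5424 syslog header, then the FIREWALL_PKTLOG body, treating the "type code" pair after the protocol as optional so records with and without it both parse, and it omits absent fields from the output event instead of emitting nulls. The second and third sample lines (an ICMP record without type/code, and a UDP record with assumed "ip/port" endpoints) are constructed assumptions; only the first line comes from the post. Records other than "match" (for example terminated-connection records) are not handled here.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample input. The first line is the one from the post; the second
# is an assumed ICMP record without the type/code pair, and the third an assumed
# UDP record with "address/port" endpoints. None are captures from a real system.
SAMPLE_LINES = [
    "<6>1 2022-09-01T16:28:16.920Z redacted_esx_server_name FIREWALL_PKTLOG - - - "
    "INET match PASS 4133 IN 80 ICMP 11 0 10.128.251.19->10.20.128.109",
    "<6>1 2022-09-01T16:28:17.001Z redacted_esx_server_name FIREWALL_PKTLOG - - - "
    "INET match PASS 4133 OUT 84 ICMP 10.20.128.109->10.128.251.19",
    "<6>1 2022-09-01T16:28:17.120Z redacted_esx_server_name FIREWALL_PKTLOG - - - "
    "INET match DROP 1001 IN 76 UDP 10.20.128.109/51000->10.128.251.19/53",
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)

# NSX packet-log body as seen in the post. The "<type> <code>" pair after the
# protocol is optional, so ICMP records without it still parse.
PKTLOG_RE = re.compile(
    r"^(?P<af>INET6?) match (?P<action>\S+) (?P<rule_id>\S+) "
    r"(?P<direction>IN|OUT) (?P<length>\d+) (?P<protocol>\S+)"
    r"(?: (?P<icmp_type>\d+) (?P<icmp_code>\d+))?"
    r" (?P<src>\S+)->(?P<dst>\S+)$"
)

# ICMP type and type-11 code names from RFC 792.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 5: "redirect",
              8: "echo-request", 11: "time-exceeded"}
ICMP_TYPE11_CODES = {0: "ttl-exceeded-in-transit",
                     1: "fragment-reassembly-time-exceeded"}


@dataclass
class PktLog:
    timestamp: str
    host: str
    address_family: str
    action: str
    rule_id: str
    direction: str
    packet_length: int
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def split_endpoint(endpoint: str):
    """Split an assumed 'ip/port' endpoint; a plain 'ip' yields port None."""
    ip, sep, port = endpoint.partition("/")
    return ip, (int(port) if sep else None)


def parse_line(line: str) -> Optional[PktLog]:
    """Return a PktLog for a FIREWALL_PKTLOG match record, or None otherwise."""
    hdr = SYSLOG_RE.match(line.strip())
    if not hdr or hdr["app"] != "FIREWALL_PKTLOG":
        return None
    body = PKTLOG_RE.match(hdr["msg"])
    if not body:
        return None
    src_ip, src_port = split_endpoint(body["src"])
    dst_ip, dst_port = split_endpoint(body["dst"])
    return PktLog(
        timestamp=hdr["ts"], host=hdr["host"], address_family=body["af"],
        action=body["action"], rule_id=body["rule_id"],
        direction=body["direction"], packet_length=int(body["length"]),
        protocol=body["protocol"],
        src_ip=src_ip, dst_ip=dst_ip, src_port=src_port, dst_port=dst_port,
        icmp_type=int(body["icmp_type"]) if body["icmp_type"] else None,
        icmp_code=int(body["icmp_code"]) if body["icmp_code"] else None,
    )


def to_event(rec: PktLog) -> dict:
    """Flat event dict: optional fields that are absent are omitted rather than
    emitted as null, and known ICMP type/code values get readable names."""
    event = {k: v for k, v in asdict(rec).items() if v is not None}
    if rec.icmp_type is not None:
        event["icmp_type_name"] = ICMP_TYPES.get(rec.icmp_type, "unknown")
        if rec.icmp_type == 11:
            event["icmp_code_name"] = ICMP_TYPE11_CODES.get(rec.icmp_code, "unknown")
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(to_event(parse_line(sample)))
```

Translating this to grok means making the type/code pair optional with a group such as `(?: %{INT:icmp_type} %{INT:icmp_code})?` and letting the absent fields simply not be set, which is what the event dict above does.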
