Scenario: We want to have NSX-T 2.4 Managers/Controllers and Edges send logs to a central logging server (such as vRealize Log Insight). This is particularly important for the firewall logs, since we do want to be able to use them for troubleshooting and security operations. The distributed firewall logs are sent from each ESXi host, but the edge firewall logs (T0/T1) are sent from each Edge appliance, so that’s where we need to set the proper syslog settings for NSX-T.

Problem: The NSX-T 2.4 documentation page (link) specifies example appliance syslog settings that send only a limited subset of logs, which makes troubleshooting and operations difficult. Example below.

set logging-server 192.168.110.60 proto udp level info facility syslog messageid SYSTEM,FABRIC 
set logging-server 192.168.110.60 proto udp level info facility auth,user

Solution: Use the example for proper syslog settings for NSX-T from the VMware Validated Designs (VVD) 5.1 (link) instead. Example below. Repeat for each NSX-T Manager/Controller and Edge. Now you should have plenty of logs sent to your syslog destination. Also, do consider switching from unencrypted UDP transport to something more secure, to prevent tampering and strengthen security.

set logging-server 192.168.31.10 proto udp level info
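To confirm at the syslog destination that every Edge is actually delivering firewall logs, the following added example (not part of the original post or of VMware's tooling) decodes RFC 5424 headers from received lines and reports Edges with no firewall messages. It also includes a simplified model of the facility/messageid selectors in the two documentation commands above. The hostnames, the sample lines, the FIREWALL message ID on the Edge line and the selector semantics are assumptions made for illustration.

```python
import re

# RFC 5424 facility codes 0-23, in numeric order
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock").split() + [f"local{i}" for i in range(8)]
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")

def parse(line):
    """Decode the RFC 5424 header; return None for anything else."""
    m = HEADER.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri // 8], "severity": pri % 8,
            "host": m.group(3), "app": m.group(4), "msgid": m.group(6)}

def doc_example_forwards(msg):
    """Simplified model (assumption) of the two documentation commands:
    level info, then facility syslog + messageid SYSTEM,FABRIC,
    or facility auth,user."""
    if msg["severity"] > 6:          # 6 = info; 7 (debug) is below the level
        return False
    if msg["facility"] == "syslog" and msg["msgid"] in {"SYSTEM", "FABRIC"}:
        return True
    return msg["facility"] in {"auth", "user"}

def edges_without_firewall_logs(lines, edges):
    """Edges from which no message with msgid FIREWALL (assumed ID) arrived."""
    seen = {m["host"] for m in map(parse, lines) if m and m["msgid"] == "FIREWALL"}
    return sorted(set(edges) - seen)

# Constructed sample messages (hostnames, PIDs and bodies are made up)
SAMPLE = [
    '<181>1 2019-05-01T10:00:00Z edge01 NSX 2101 FIREWALL - constructed edge firewall rule hit',
    '<46>1 2019-05-01T10:00:01Z nsxmgr01 NSX 1500 SYSTEM - constructed system message',
    '<38>1 2019-05-01T10:00:02Z edge02 sshd 900 - - constructed login message',
    'not a syslog line',
]

if __name__ == "__main__":
    for line in SAMPLE:
        msg = parse(line)
        if msg:
            print(msg["host"], msg["facility"], msg["msgid"],
                  "doc example forwards:", doc_example_forwards(msg))
    print("edges with no firewall logs:",
          edges_without_firewall_logs(SAMPLE, ["edge01", "edge02"]))
```

Feed it lines exported from the log server instead of SAMPLE, with the list of Edge hostnames you expect to see.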

Enjoy your logs, and do make sure you install the NSX-T content pack in vRealize Log Insight!