Top VMs with most Connections for NSX Distributed Firewall (10121 / 20121)
Description
This Module handles Distributed Firewall data. It provides top N (by the number of connections) consumers (users) by ESXi Host by Protocol (Destination Port) over a time interval T. Distributed Firewall customers may turn on highest reporting level, and still receive consolidated data (several syslog messages) every T seconds.
This information is provided per ESXi Host (NetFlow exporter).
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| Application protocol (l4_dst_port) list | List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports. | e.g. 80, 443 |
| N – number of reported VMs | Top N (number of reported destinations) | min = 0, max = 100000, default = 50 (0 indicates all VMs are reported) |
| Enable (1) or disable (0) reporting by destination port | If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0) | default = 0 |
| Enable (1) or disable (0) reporting VM moRef | If set to 1, enable reporting VM MoRef. If set to 0, src_vm_id field will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM UUID | If set to 1, enable reporting VM UUID. If set to 0, src_vm_uuid field will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vCenter UUID | If set to 1, enable reporting VM vCenter UUID. If set to 0, src_vm_vc_id field will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vNIC key | If set to 1, enable reporting VM vNIC key. If set to 0, src_vm_vnic_key field will be omitted | default = 0 |
| Enable (1) or disable (0) reporting Distributed Switch port group name | If set to 1, enable reporting Distributed Switch port group name. If set to 0, src_pg_name field will be omitted | default = 0 |
| List of vCenter VMs | List of records {ESXi VM MAC address, VM IPv4 address, VM IPv6 address, VDS Port ID, vNIC key, Port Group name, VM name, VM MoRef, VM instance UUID, vCenter UUID} | This watch list is populated by External Data Feeder for NFO Agent by connecting to one or several vCenters |
Inputs
IPFIX from NSX Distributed Firewall.
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20121” |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source VM IPv4 address | <IPv4_address> |
| src_ip6 | Source VM IPv6 address | <IPv6_address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_vm_name] | Source VM name | <string>, included when source IP is a known VM |
| [src_vm_id] | Source VM MoRef | <string>, included when source IP is a known VM and ‘reporting VM MoRef’ parameter is enabled |
| [src_vm_uuid] | Source VM UUID | <string>, included when source IP is a known VM and ‘reporting VM UUID’ parameter is enabled |
| [src_vm_vc_id] | Source VM vCenter UUID | <string>, included when source IP is a known VM and ‘reporting VM vCenter UUID’ parameter is enabled |
| [src_vm_vnic_key] | Source VM vNIC key | <number>, included when source IP is a known VM and ‘reporting VM vNIC key’ parameter is enabled |
| [src_pg_name] | Source VM Port Group name | <string>, included when source IP is a known VM and ‘reporting Distributed Switch port group name’ parameter is enabled |
| dest_port | Destination port number (e.g. 80 for http) | <number> |
| created_count | Created flows count | <number> |
| t_int | Observation time interval, msec | <number> |