Obtaining logs and information needed for VMware vShield products (2012760)

Purpose

It is sometimes necessary to collect logs and information from your vCloud/vShield environment in order to troubleshoot issues and escalate support requests to VMware Technical Support.

This article describes which information to gather and what data to look for when troubleshooting.

Resolution

vShield Manager

To obtain vShield Manager logs through the vShield Manager web interface, select Settings & Reports, click the Configuration tab, select Support, and click Initiate.

You must also gather the output of the show running-config command from the vShield Manager appliance, as shown in the screenshot below:

Note: You must include the version information from show version when gathering data for an escalation.

 


vShield App Zones

When collecting data for vShield App Zones, include all the information from the vShield Manager section. Collect the vApp logs from the vShield Manager Web User Interface, as seen below:

You must also gather information from the debug packet capture interface u0/d0/p0 host_ipaddr command, and include firewall screenshots from the vShield Manager L2/L3 and L4 Rules tabs, as seen below:

In the vShield Web user interface, check the Log checkbox for the rules you want to log:

For rules being blocked/allowed, click the Flow Monitoring tab under Datacenters, then click Show Report. This reveals which rules are being blocked and which are being allowed:

Finally, run show version on the vApp appliance, as shown here, to get the version information:
vShield Endpoint

Consider these points when providing log and data information for vShield Endpoint to VMware Technical Support:

  • Is vShield Endpoint deployed with a Trend Micro Deep Security solution, or which other anti-virus solution has been implemented?
  • Include all the information from the vShield Manager section when diagnosing any issue with vShield Endpoint.
  • Which version of the vShield Endpoint Thin Agent has been installed? That is, what is the version of the driver installed in the guest operating system itself? To find this information:

    1. Open Windows Explorer and navigate to the c:\windows\system32\drivers folder.
    2. Right-click the vsepflt.sys file and select Properties.
    3. Click the Version tab.
    4. Write down all the information, or take a screenshot by pressing Alt-PrtScr.

  • Are other vShield products deployed on the same host (vShield Edge, vShield Zones, vShield App, etc.)?
  • If a Blue Screen (BSOD) has occurred in a virtual machine, which operating system versions are in use? Are they used as workstations or as servers?
  • It is also helpful to have access to the dump file of a virtual machine that has Blue Screened. For more information on retrieving dump files from Microsoft operating systems, see Crashing a virtual machine on ESX/ESXi to collect diagnostic information (2005715).
  • Collect these logs:
      - The vmware.log file of all virtual machines, found in each virtual machine's directory.
      - The configuration file (.vmx) of all virtual machines, also found in each virtual machine's directory.
      - Syslog information from all Trend Micro SVMs.
  • The build version of the installed LKM may also be necessary. To get this information, select the host in question and note the build number displayed on the Summary tab. For example:
  • Finally, if you have a Trend Micro Deep Security appliance, its version information is necessary. To get this information, log in to Trend Micro Deep Security Manager and select the DSVA to view the appliance version number. For example:
 
Note: vShield Endpoint Thin Agent logging is done inside the protected virtual machines. Two registry values are read from the Windows registry at boot time and polled again periodically. The two values, log_dest and log_level, are located in:
  • HKLM\System\CurrentControlSet\Services\vsepflt\Parameters\log_dest
  • HKLM\System\CurrentControlSet\Services\vsepflt\Parameters\log_level
Both are DWORD bit masks that can be any combination of these values:

  DWORD      Value   Description
  ---------  ------  -------------------------------------------------------------
  log_dest   0x1     WINDBLOG
  log_dest   0x2     VMWARE_LOG. Log file is stored in the root directory of the VM
  log_level  0x1     AUDIT
  log_level  0x2     ERROR
  log_level  0x4     WARN
  log_level  0x8     INFO
  log_level  0x10    DEBUG
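The following script is an added example, not part of this KB article or of the vShield product. It reports the Thin Agent driver version (the same information as the Properties > Version steps above) and decodes the two registry bit masks into the flag names from the table, so the logging configuration can be confirmed before logs are sent to support. It assumes it is run inside the protected Windows guest from an elevated PowerShell prompt; the driver path and registry key are the ones named in the article.

```powershell
# Added example (not from the KB): report the Thin Agent driver version and decode
# the log_dest / log_level bit masks. Assumes an elevated prompt inside the guest.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\vsepflt.sys'
$paramsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\vsepflt\Parameters'

# Flag values and names exactly as listed in the KB table
$destFlags = @([pscustomobject]@{ Bit = 0x1; Name = 'WINDBLOG' },
               [pscustomobject]@{ Bit = 0x2; Name = 'VMWARE_LOG' })
$levelFlags = @([pscustomobject]@{ Bit = 0x1;  Name = 'AUDIT' },
                [pscustomobject]@{ Bit = 0x2;  Name = 'ERROR' },
                [pscustomobject]@{ Bit = 0x4;  Name = 'WARN' },
                [pscustomobject]@{ Bit = 0x8;  Name = 'INFO' },
                [pscustomobject]@{ Bit = 0x10; Name = 'DEBUG' })

function Decode-Mask {
    # Names the flags set in $Value and reports any bits the KB table does not define
    param([int64]$Value, [object[]]$Flags)
    $names = @(foreach ($f in $Flags) { if ($Value -band $f.Bit) { $f.Name } })
    $known = 0; foreach ($f in $Flags) { $known = $known -bor $f.Bit }
    $unknown = $Value -band (-bnot $known) -band 0xFFFFFFFF
    if ($unknown) { $names += ('UNDOCUMENTED(0x{0:X})' -f $unknown) }
    if ($names.Count -eq 0) { return '(none)' }
    return ($names -join ' | ')
}

function Show-Setting {
    # Prints one registry value: its raw DWORD and the decoded flag names
    param([string]$Name, [object[]]$Flags)
    $props = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) {
        $raw = [int64]$props.$Name -band 0xFFFFFFFF   # DWORD is read back as a signed Int32
        '{0,-10} 0x{1:X} -> {2}' -f $Name, $raw, (Decode-Mask -Value $raw -Flags $Flags)
    } else {
        '{0,-10} not set (the driver default applies)' -f $Name
    }
}

# 1. Driver version, equivalent to the Properties > Version tab steps above
if (Test-Path -LiteralPath $driverPath) {
    $info = (Get-Item -LiteralPath $driverPath).VersionInfo
    'vsepflt.sys file version {0} (product version {1})' -f $info.FileVersion, $info.ProductVersion
} else {
    'vsepflt.sys not found: the Thin Agent driver is not installed in this guest'
}

# 2. Logging configuration
Show-Setting -Name 'log_dest'  -Flags $destFlags
Show-Setting -Name 'log_level' -Flags $levelFlags
```

Because the driver polls these values periodically, a mask changed while collecting data is picked up without rebooting the guest; a log_dest that decodes to (none) means no destination is selected for the Thin Agent log.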
vShield Edge

For vShield Edge, this information is needed:

  • Include all the information from the vShield Manager section.
  • Collect the vShield Edge log files in the Web User Interface under Secured Port Groups. Also gather the information under the vShield Edge tab. For example:
  • Collect the output of debug packet display interface for the extif and initif interfaces.
  • If you are using a VPN, gather log information and screenshots from that appliance (Cisco, Check Point, etc.).
  • Finally, check the VPN phase settings and Diffie-Hellman groups on the physical firewall (FW).
