VMware NetFlow and EventLog configuration
VMware is a ubiquitous name in the virtualization world. Its product line includes ESXi, VMware Workstation, Tanzu and many others, and these are the first things that come up when people talk about virtual machines and the infrastructure that depends on them. In this post, we focus on ESXi, VMware's bare-metal hypervisor, and vCenter, VMware's multi-host management software.
VMware supports NetFlow monitoring only on distributed switches, not on standard vSwitches. The VMware vSphere Distributed Switch (VDS) is a centralized interface in the VMware cluster from which you can configure, monitor and administer virtual machine access switching for the entire data center. To configure NetFlow on a distributed switch, go to the Configure tab, select the NetFlow option, and click the Edit button on the right side of the page.
This leads to a new screen where you can configure everything about the NetFlow exporter. With a sampling rate of 0, every packet is sampled and exported, which can put a strain on your interfaces. Therefore, we recommend a sampling rate of 50-4096, depending on your traffic volume (more volume means a higher ratio). Next, choose the Distributed Port Group and Uplink for which you want to enable NetFlow. There is also an override option to turn off NetFlow collection on specific ports.
Now you should see NetFlow data in your NetFlow collector and analyzer software. To have your interfaces resolved by name, you also need to enable SNMP with the following commands:
esxcli system snmp set -e=true
esxcli system snmp set --communities NVsnmp,public
Syslog exporting is rather simple, as you only need the following CLI commands:
esxcli system syslog config set --loghost=172.16.0.92:514
esxcli system syslog reload
where 172.16.0.92 is the IP address of the syslog collector, listening on port 514.
Afterwards, all you need to do is enable the syslog firewall ruleset and refresh the firewall. You should promptly start receiving syslog messages:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
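The commands above configure the sending side. As an added example that is not part of the original post, the following Python script shows the receiving side: a minimal UDP syslog collector for the messages ESXi forwards to the loghost, with a parser that splits the PRI field into facility and severity and picks out the host, process and message text, so that warnings and errors can be separated from routine informational traffic. The sample lines are constructed to resemble ESXi syslog output; the hostname esx01, the IP addresses in the messages and the collector port are assumptions.

```python
"""Minimal syslog collector for ESXi messages (added example, not from the post).

Parses the RFC 3164-style "<PRI>TIMESTAMP HOST PROCESS: MESSAGE" lines that
ESXi forwards to the loghost configured with `esxcli system syslog config set`.
The SAMPLE_LINES below are constructed, not captured from a real host.
"""
import re
import socket

# Syslog severity codes 0..7 (PRI = facility * 8 + severity)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# ESXi sends an ISO 8601 timestamp, then the host name, then "process:" and the text.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:\s]+):\s*(?P<msg>.*)$"
)


def parse_syslog(line):
    """Parse one syslog line into a dict, or return None for malformed input."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 and severity 0..7 => PRI never exceeds 191
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "process": m.group("proc"),
        "message": m.group("msg"),
    }


def flag_events(lines, max_severity=4):
    """Return parsed events at severity `max_severity` (default: warning) or more urgent."""
    flagged = []
    for line in lines:
        event = parse_syslog(line)
        if event is not None and event["severity"] <= max_severity:
            flagged.append(event)
    return flagged


def serve(bind="0.0.0.0", port=514, handler=print):
    """Receive syslog datagrams over UDP and pass each parsed event to `handler`.

    Port 514 needs root privileges; on a lab box, bind a high port instead and
    point --loghost at it. Runs until interrupted.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            event = parse_syslog(data.decode("utf-8", errors="replace"))
            if event is None:
                continue
            event["source_ip"] = src  # the ESXi host that sent the datagram
            handler(event)


# Constructed sample lines in the shape of ESXi syslog output (hostname esx01 and
# the addresses are made up for this example).
SAMPLE_LINES = [
    "<166>2024-03-01T10:15:02.123Z esx01 Hostd: info hostd[2099765] "
    "[Originator@6876 sub=Vimsvc.ha-eventmgr] Event 12 : User root@10.0.0.5 logged in",
    "<164>2024-03-01T10:15:09.877Z esx01 Hostd: warning hostd[2099765] "
    "[Originator@6876 sub=Default] Rejected login attempt for user root from 10.0.0.77",
    "<163>2024-03-01T10:16:30.001Z esx01 vmkernel: cpu3:2097723)WARNING: "
    "NFS: 1227: Failed to get attributes (IO error)",
]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use serve() for live traffic.
    for ev in flag_events(SAMPLE_LINES):
        print(f"{ev['severity_name']:>7} {ev['host']} {ev['process']}: {ev['message']}")
```

A bare `host:port` loghost, as in the post, sends syslog over UDP in clear text, which is what this receiver expects; ESXi also accepts `tcp://` and `ssl://` prefixes in `--loghost` if you want delivery guarantees or transport protection between the host and the collector.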