VMware NSX Edge syslog configuration automatically reverts back

Author: Jitse Hijlkema

During the building of a new SDDC solution based on VMware CPOD I experienced some strange behavior at syslog configuration on all the NSX Edges in the resource cluster; syslog configuration changes we made were automatically reverted back…

After deployment of new NSX edge (independently if deployment initiated by NSX Manager or vCD) the NSX edges were automatically configured with a syslog server which we are using at our management cluster.
This syslog server is not reachable at our resource cluster and that’s the reason for changing this for the NSX edges on the resource cluster.

It is easy to change this syslog configuration at the webpage ‘VMware vCenter > Networking & Security > NSX Edges‘ page, but after a few minutes the settings was reverted back without reason (at that point…, read on).

Even when we instruct vCloud Director to resynchronize the syslog server settings to the ‘Edge Gateways’ it manages, the change is applied but after a few minutes it also reverts back.

It took some while before we found the responsible machine which reverts the syslog configuration.

On the NSX Manager of the resource cluster we looked through some logfiles and this one was very useful ‘/usr/appmgmt-webserver/logs/localhost_access_log.xxxx-xx-xx.txt’.
The following entries were logged at that logfile:

[code]<output omitted>
1.2.3.4 – – [xx/xx/xxxx:11:22:45 +0100] “GET /api/4.0/edges/edge-11/syslog/config HTTP/1.1” 200 206 31
1.2.3.4 – – [xx/xx/xxxx:11:22:45 +0100] “DELETE /api/4.0/edges/edge-11/syslog/config HTTP/1.1” 204 – 753
1.2.3.4 – – [xx/xx/xxxx:11:22:46 +0100] “PUT /api/4.0/edges/edge-11/syslog/config HTTP/1.1” 204 – 1102
<output omitted>[/code]

We can see a HTTP request from some external machine retrieving syslog configuration by REST API of each NSX edge and next a DELETE (remove syslog config) action followed up with a PUT (set syslog config) request.
After checking our IP scheme we found the responsible machine… ‘VMware vRealize Operations Manager’ (master node)!

After disabling ‘Log Insight Integration’ on the resource ‘Adapter instance’ of the ‘Management Pack for NSX-vSphere’, the automatic syslog configuration reverting finally stopped. 🙂