Recently, one of my customers asked if they could enable Access Log for the load balancer created in NSX-T for their Enterprise PKS clusters. By default, we are not able to edit or modify any settings on the LB/virtual server from the NSX-T GUI if it was created by NCP. In this blog post, we will see how to enable Access Logging on the NSX-T load balancers and virtual servers created by Enterprise PKS.
Note: Be cautious when following this article. If incorrectly applied, it may break the load balancer.

In the above image, you can see a load balancer that was created by NCP in Enterprise PKS. As you can see, the Access Log option is disabled and the edit button is greyed out. We will not be able to make any modifications from here.

The same applies to virtual servers, as you can see in the above image.
Enable Access Log on LB
Now, let's see how we can use the NSX-T API to get the Access Log enabled.
First, make a note of the load balancer ID from the NSX-T Manager GUI. From Figure 1 above, we can see that the LB ID is 1156303f-68b9-42ac-b282-5234fe0b4a77.
Run the API call below to export the LB configuration to the lb-config.json file.
curl -X GET -H Content-Type:application/json -H X-Allow-Overwrite:True -ku USERNAME:'PASSWORD' https://<NSX-MANAGER-FQDN/IP>/api/v1/loadbalancer/services/<LB_ID> > lb-config.json
The username and password in the above command are those of the NSX-T Manager. The -k flag makes curl skip TLS certificate verification.

In Figure 3, you can see the lb-config.json file we exported. The access log is disabled on the LB, so access_log_enabled is false. Now, manually edit the lb-config.json file and set access_log_enabled to true. Make sure you use all lowercase when updating the entry, as below.
"access_log_enabled" : true,
Once you have edited the JSON file, run the API call below to apply the settings back to the load balancer.
curl -X PUT -H Content-Type:application/json -H X-Allow-Overwrite:True -ku USERNAME:'PASSWORD' https://<NSX-MANAGER-FQDN/IP>/api/v1/loadbalancer/services/<LB_ID> -d @lb-config.json

Now you can see that the Access Log status has changed to enabled, as in the above screenshot.
Enable Access Log on Virtual Server
Similarly, we can enable the Access Log on the virtual server using the commands below.
curl -X GET -H Content-Type:application/json -H X-Allow-Overwrite:True -ku USERNAME:'PASSWORD' https://<NSX-MANAGER-FQDN/IP>/api/v1/loadbalancer/virtual-servers/<VIRTUAL_SERVER_ID> > vs-config.json

The virtual server config.json file exported will look like the above. Make sure to update the access_log_enabled to true and save the file.
Once done, run the below command to apply the settings back to the virtual server.
curl -X PUT -H Content-Type:application/json -H X-Allow-Overwrite:True -ku USERNAME:'PASSWORD' https://<NSX-MANAGER-FQDN/IP>/api/v1/loadbalancer/virtual-servers/<VIRTUAL_SERVER_ID> -d @vs-config.json

Now we can see that the access log is enabled for the virtual server. Once this is done, and if syslog is configured for NSX-T, the access log will be pushed to the syslog server by default.
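The manual edit step described above, for both lb-config.json and vs-config.json, as an added example that is not part of the original post: a Python helper that sets access_log_enabled in an exported file without hand-editing, rejects malformed JSON (such as a capitalised True), and keeps a .bak copy of the export before the PUT. The function names and the display_name value are assumptions; only the id and access_log_enabled come from the article.

```python
import json
import shutil
import sys

FIELD = "access_log_enabled"  # the only key this procedure changes


def enable_access_log(config_text):
    """Return (new_json_text, changed) for an exported LB or virtual server config."""
    # json.loads rejects hand-edit damage such as True, 'true' or a stray comma.
    config = json.loads(config_text)
    if not isinstance(config, dict):
        raise ValueError("expected a JSON object at the top level")
    if FIELD not in config:
        raise KeyError(f"{FIELD} not present; is this the right export?")
    if not isinstance(config[FIELD], bool):
        raise ValueError(f"{FIELD} must be a JSON boolean, got {config[FIELD]!r}")
    changed = config[FIELD] is False
    config[FIELD] = True  # every other key is written back exactly as exported
    return json.dumps(config, indent=2), changed


def patch_file(path):
    """Back up path to path + '.bak', then rewrite it with the flag enabled."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, changed = enable_access_log(original)
    if changed:
        shutil.copyfile(path, path + ".bak")  # untouched export, usable for rollback
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text + "\n")
    return changed


# Constructed sample: only the id and access_log_enabled come from the article.
SAMPLE = """{
  "id": "1156303f-68b9-42ac-b282-5234fe0b4a77",
  "display_name": "example-lb",
  "access_log_enabled": false
}"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("updated" if patch_file(sys.argv[1]) else "already enabled")
    else:
        print(enable_access_log(SAMPLE)[0])
```

Run it as `python enable_access_log.py lb-config.json` (the script file name is an assumption) between the GET and the PUT; the .bak file can be sent back with the same PUT command to restore the original setting.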
I hope this helps someone to enable the Access Log on LB and virtual servers created by Enterprise PKS.