Where are Distributed Firewall logs containing access decisions stored?

Distributed Firewall logs containing access decisions are stored on the hypervisor transport node. Each hypervisor transport node is responsible for implementing the policies defined by the Distributed Firewall and is where the firewall does its packet processing. Since the access decisions are based on the traffic flowing through the workloads that reside on these hypervisor transport nodes, it is logical for the logs to be stored there as well. This allows for detailed visibility and auditing of the traffic being filtered by the Distributed Firewall software.

By retaining the logs locally on the transport node, NSX can efficiently capture real-time information about traffic actions within a VM’s context without introducing significant latency. This approach also alleviates potential bottlenecks that could occur if all access logs had to be centralized elsewhere, ensuring that security decisions are enforced and logged in a timely manner.