VMware Horizon¶
About¶
VMware Horizon enables a digital workspace with the efficient delivery of virtual desktops and applications that equips workers anywhere, anytime, and on any device. With deep integration into the VMware technology ecosystem, the platform offers an agile cloud-ready foundation, modern best-in-class management, and end to end security
Product Details¶
Vendor URL: VMware Horizon
Product Type: VDI Software
Product Tier: Tier III
Integration Method: Syslog
Integration URL: VMware Horizon
Parser Details¶
Log Format: Syslog (although JSON may be supported)
Expected Normalization Rate: near 100%
Data Label: VMWARE_HORIZON
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| GENERIC_EVENT | metadata.event_type |
| VMWARE | metadata.vendor_name |
| HORIZON | metadata.product_name |
| EventType | metadata.product_event_type |
| event_message, 'TRUNCATED_LOG' | metadata.description |
| INFORMATIONAL, UNKNOWN_SEVERITY | security_result.severity |
| Severity | security_result.severity_details |
| iporhost | intermediary.hostname |
| UserDisplayName | principal.user.user_display_name |
| ForwardedClientIpAddress | principal.ip |
| asset:DesktopId | target.asset_id |
| SessionType | target.resource.name |
| MachineDnsName | target.hostname |
| ClientIpAddress | target.ip |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all event types | GENERIC_EVENT |
Log Sample¶
<166>1 2022-02-25T15:09:30.049-07:00 hostname.domain.net View - 1007 [View@6876 Severity="INFO" Module="Agent" EventType="AGENT_CONNECTED" UserSID="S-1-5-21-1229272821-REDACTED-REDACTED-173708" UserDisplayName="DOMAIN\user" DesktopId="GENERIC_HOSTNAME01" DesktopDisplayName="GENERIC_HOSTNAME01" PoolId="redacted pool information" MachineId="4ac691c2-abcd-4e92-b0c5-redacted1234" MachineName="GENERIC_HOSTNAME01" MachineDnsName="hostname.domain.net" SessionType="DESKTOP"] User DOMAIN\user has logged in to a new session on machine GENERIC_HOSTNAME01
Sample Parsing¶
metadata.event_type: GENERIC_EVENT
metadata.vendor_name: "VMWARE"
metadata.product_name: "HORIZON"
metadata.product_event_type: "AGENT_CONNECTED"
metadata.description: "User DOMAIN\user has logged in to a new session on machine GENERIC_HOSTNAME01"
intermediary.hostname: "hostname.domain.net"
principal.user.user_display_name: "DOMAIN\user"
target.asset_id: "asset:GENERIC_HOSTNAME01"
target.resource.name: "DESKTOP"
target.hostname: "hostname.domain.net"
security_result.severity: INFORMATIONAL
security_result.severity_details: "INFO"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon