VMware¶
About¶
Gain centralized visibility, simplified and efficient management at scale, and extensibility across the hybrid cloud—all from a single console. VMware vCenter Server is advanced server management software that provides a centralized platform for controlling your VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure across the hybrid cloud with confidence.
Product Details¶
Vendor URL: VMware vCenter
Product Type: Hypervisor
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Forward vCenter Server Appliance Log Files to Remote Syslog Server
Parser Details¶
Log Format: Syslog (although JSON may be supported)
Expected Normalization Rate: Near 100%
Data Label: VMWARE_VCENTER
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Hard-Coded: MACHINE | extensions.auth.type |
| iporhost | intermediary |
| rproxy_message | metadata.description |
| Hard-Coded | metadata.event_type |
| task_service, subtype | metadata.product_event_type |
| event_id | metadata.product_log_id |
| Hard-Coded | metadata.product_name |
| Hard-Coded | metadata.vendor_name |
| Hard-Coded | network.application_protocol |
| direction, Hard-Coded | network.direction |
| answers | network.dns.answers |
| questions | network.dns.questions |
| dns_response | network.dns.response |
| protocol | network.ip_protocol |
| received_bytes | network.received_bytes |
| sent_bytes | network.sent_bytes |
| administrative_domain | principal.administrative_domain |
| program, sub, service, principal_username, application | principal.application |
| iporhost | principal.hostname |
| srcip, principal_ip | principal.ip |
| src_port | principal.port |
| ident | principal.process.parent_pid |
| op_id, p_eventid | principal.process.product_specific_process_id |
| principal_username | principal.user.userid |
| security_result | security_result |
| principal_file_path | src.file.full_path |
| principal_hostname | src.hostname |
| administrative_domain | target.administrative_domain |
| principal_username, target_username | target.application |
| path, target_filename, src_file_path | target.file.full_path |
| _env_vm_name, vm_name, location | target.group.group_display_name |
| target_host, target_hostname, iporhost, | target.hostname |
| target_ip | target.ip |
| target_mac_address | target.mac |
| target_port | target.port |
| command_line | target.process.command_line |
| parent_pid | target.process.parent_pid |
| parent_pid, op_id | target.process.parent_process.pid |
| pid | target.process.pid |
| task_name | target.process.product_specific_process_id |
| vm_name, adapter, asset_name | target.resource.name |
| Hard-Coded | target.resource.resource_type |
| Hard-Coded | target.resource.type |
| username, user, target_user, principal_username | target.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| target.port | FILE_COPY |
| principal.administrative_domain,principal.application,target.process.command_line | FILE_SYNC |
| network.direction,network.dns.questions | NETWORK_CONNECTION |
| metadata.product_log_id | NETWORK_DNS |
| metadata.product_event_type,target.process.pid,target.process.product_specific_process_id,target.user.userid | PROCESS_LAUNCH |
| target.resource.name | PROCESS_TERMINATION |
| target.file.full_path,target.hostname | SETTING_MODIFICATION |
| principal.hostname,principal.port | STATUS_UNCATEGORIZED |
| network.received_bytes,network.sent_bytes,principal.process.parent_pid,src.file.full_path,src.hostname,target.process.parent_pid | USER_LOGIN |
| network.ip_protocol,principal.process.product_specific_process_id,target.process.parent_process.pid | USER_LOGOUT |
| target.ip,target.group.group_display_name | USER_RESOURCE_CREATION |
Log Sample¶
<14>1 2021-08-18T17:35:48.710185+00:00 DOMAIN1 vpxd 4039 - - Event [76643313] [1-1] [2021-08-18T17:35:48.709831Z] [vim.event.UserLoginSessionEvent] [info] [DOMAIN\ServiceScanner] [] [76643313] [User DOMAIN\ServiceScanner@10.10.1.2 logged in as User-HttpClient/3.1]
Sample Parsing¶
metadata.product_log_id: "76643313"
metadata.event_timestamp.seconds: 1629308148
metadata.event_timestamp.nanos: 710185000
metadata.event_type: USER_LOGIN
metadata.vendor_name: "VMWARE"
metadata.product_name: "VCENTER"
metadata.product_event_type: "UserLoginSessionEvent"
metadata.description: "User DOMAIN\\ServiceScanner@10.10.1.2 logged in"
principal.ip: "10.10.1.2"
target.user.userid: "ServiceScanner"
target.administrative_domain: "DOMAIN"
target.application: "User-HttpClient/3.1"
security_result.action: ALLOW
extensions.auth.type: MACHINE
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon