VMware¶
About¶
Workspace ONE Unified Endpoint Management (UEM) provides several modes to manage devices with varying levels of control for the administrator and privacy for the user.
Product Details¶
Vendor URL: VMware Workspace One
Product Type: Endpoint Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Configuring syslog in VMware Workspace ONE UEM
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 99.95%
Data Label: VMWARE_WORKSPACE_ONE
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Application | principal.application |
| configid | additional.fields[configid] |
| Event | metadata.product_event_type |
| EventCategory | metadata.product_event_type |
| EventModule | metadata.product_event_type |
| Id | metadata.product_log_id |
| method | network.http.method |
| User | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| principal.hostname | STATUS_UPDATE |
| All others | GENERIC_EVENT |
Log Sample¶
<13> May 21 13:53:26 WorkspaceTS1337 EventType=Device Event=InstallProfileRequested User=exampleUser EventSource=Server EventModule=Dashboard EventCategory=Command EventData=Profile=Android Default Settings Event Timestamp: May 21, 2025 13:53:26
Sample Parsing¶
metadata.event_type: STATUS_UPDATE
metadata.vendor_name: "VMware"
metadata.product_name: "VMWARE_WORKSPACE_ONE"
metadata.product_event_type: "InstallProfileRequested"
metadata.description: "Command - Dashboard"
principal.hostname: "WorkspaceTS1337"
principal.user.userid: "exampleUser"
principal.asset.hostname: "WorkspaceTS1337"
principal.asset.category: "Server"
Parser Alerting¶
This product currently does not have any Parser-based Alerting