This Content Pack is intended for security monitoring only.
If you notice security-related data that is not parsed, open an issue and I will update the Content Pack.
Tested with VMware vSphere 8.0.2, ESXi 8.0.0 and Graylog 5.2.0.
The Content Pack should be compatible with all Graylog 5.x versions.
Note that this was built without extractors, only pipeline rules.
- 1 Input (Syslog/TCP/1515 for VCSA)
- 1 Stream (VCSA)
- Pipeline rule with stages (Extract key/values pipeline function)
- Dashboards (24h) (VCSA Components) + vCenter (SSO Activities / VM Activities)
- 1 Input (Syslog/TCP/1514 for ESXi)
- 1 Stream (ESXi)
- Pipeline rule with stages (Extract key/values pipeline function)
- Dashboards (24h) (ESXi Components) + ESXi (SSO Activities / VM Activities)
- Graylog 5.0+
- vCenter Appliance (VCSA) and ESXi hosts integrated with vCenter
- VCSA configured to send logs
- ESXi configured to send logs
- TCP ports 1514 and 1515 open on the Graylog host and/or in the docker compose file
- Download the CSV file (RFC_log_level.csv) for the lookup table and place it on your Graylog servers (if the path is different from /srv, edit the data adapter under System > Lookup Table > Data Adapter to change the path)
- Before installing the content pack you need to replace all source entries in the JSON files with the names (using wildcards) of your vCenter and ESXi servers.
- VMWARE-VCenter-Content-Pack-Security-Events.json: replace source:vcsa with source:your_vcsa_dns_name (check the raw logs of the VCSA input if you are not sure).
- ESXI-Content-Pack-Security-Events.json:
  - replace source:esxi*.lab.lan with source:your_esxis_hostname*.domain_name
  - replace esxi[0-9]\\.lab\\.lan with esxi[0-9]\\.your\\.domain, where esxi[0-9] matches the names of the hosts I have (esxi1, esxi2, etc.); adapt it to your configuration.
Go to System > Content Pack > Upload (drag and drop the file or select it), then click Install.
I recommend creating a specific index for VCSA and one for ESXi, and applying the VCSA/ESXi streams to them.
- Access the VCSA management interface: https://your_vcsa_ipaddress:5480/ and go to Syslog > Edit.
- Access the ESXi web UI: https://your_esxi_ip/ui/#/host/manage/system/advanced-settings
  Select your ESXi host > Manage > System > Advanced Settings > at the top right, filter with "syslog" > click the Syslog.global.logHost line and edit it:
  tcp://192.168.1.51:1514?formatter=RFC_5424
  YOU NEED TO CHOOSE RFC_5424, not the default one.
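As an added illustration (not part of the content pack, which does this with a Graylog pipeline rule using the key_value() function and the RFC_log_level lookup table), this Python script parses one RFC 5424 line as the ESXi formatter emits it, derives the facility and RFC 5424 severity from the PRI, and extracts the key=value pairs from the message. The sample line, its key=value fields and the severity names are assumptions (the RFC 5424 standard table), not taken from real ESXi logs or from the CSV.

```python
import re

# RFC 5424 severity names (assumed to be what RFC_log_level.csv maps level -> name).
RFC5424_SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

# key=value pairs: value is either double-quoted or a bare token, mirroring
# Graylog's key_value() with kv_delimiters "=" and trim_value_chars '"'.
KV = re.compile(r'(?P<key>[A-Za-z_][\w.]*)=(?P<val>"[^"]*"|\S+)')


def is_rfc5424(line: str) -> bool:
    """True when the line carries the RFC 5424 header (formatter=RFC_5424)."""
    return HEADER.match(line) is not None


def parse_esxi_line(line: str) -> dict:
    """Return the fields the pipeline would set for one RFC 5424 ESXi line."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not RFC 5424: set formatter=RFC_5424 on the ESXi host")
    pri = int(m.group("pri"))
    fields = {
        "source": m.group("host"),
        "application_name": m.group("app"),
        "facility": pri // 8,          # PRI = facility * 8 + severity
        "level": pri % 8,
        "level_name": RFC5424_SEVERITY[pri % 8],
        "message": m.group("msg") or "",
    }
    for kv in KV.finditer(fields["message"]):
        fields[kv.group("key")] = kv.group("val").strip('"')
    return fields


# Constructed sample (not a real ESXi record); PRI 166 = local4 (20*8) + info (6).
SAMPLE = ('<166>1 2024-03-01T10:15:02.000Z esxi1.lab.lan Hostd 2098877 - - '
          'user="root" client=192.168.1.20 action="login" result="success"')

if __name__ == "__main__":
    for key, value in parse_esxi_line(SAMPLE).items():
        print(f"{key}={value}")
```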
- vCenter Dashboard
- ESXi Dashboards
I did not find how to parse vCenter messages split in two parts; see this thread: https://community.graylog.org/t/pipeline-rules-for-messages-splitted-in-2-or-more-parts/30511/5