box.vmware
Check the reference vendor documentation here.
Introduction
The logs generated by the VMware vSphere virtualization platform are assigned tags that begin with box.vmware. You can configure a VMware server to report its logs to a remote syslog server. Since these logs cannot be tagged at the source, they must be forwarded to a Devo Relay, which tags the events and sends them on to the Devo Cloud.
Tag structure
The full tag has three levels. The first two are fixed as box.vmware; the third identifies the type of events sent. The relay rules for ESX/ESXi and vCenter events below append a further level taken from the source, so events handled by those rules end up under a four-level tag.
These are the valid tags and the data tables that receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
VMware vSphere | box.vmware.esx | box.vmware.esx |
 | box.vmware.vcenter | box.vmware.vcenter |
 | box.vmware.firewall | box.vmware.firewall |
 | box.vmware.firewall_packet | box.vmware.firewall_packet |
For more information, read more About Devo tags.
Configure the Devo Relay rules
You need to create rules on the Devo Relay that will apply the correct tag to the events.
Rule for ESX/ESXi events
This rule applies the box.vmware.esx tag to all events received on port 13005 of the Devo Relay. The tag is applied as a prefix, so the final tag is box.vmware.esx.<sourceTag>.
Rule for vCenter events
This rule applies the box.vmware.vcenter tag to all events received on port 13006 of the Devo Relay. The tag is applied as a prefix, so the final tag is box.vmware.vcenter.<sourceTag>.
Configuring VMware ESXi (version 5)
To send log events from ESXi to the Devo Relay, set the Syslog.global.logHost parameter (Configuration → Software → Advanced Settings → Syslog → global) to the IP address of the relay and the port you will send to. ESXi expects the value in the form protocol://address:port, for example tcp://1.2.3.4:13005 (udp://, tcp:// and ssl:// are accepted). Also make sure the ESXi firewall allows outbound traffic to that port: the built-in syslog ruleset only covers the default syslog ports, so a custom port such as 13005 needs its own rule.
Configuring VMware ESX
Edit the /etc/syslog.conf file on the VMware ESX server to specify the Devo Relay as the remote syslog server:
*.* @1.2.3.4:13005
Then, open the port in the ESX firewall:
~ # esxcfg-firewall -o 13005,tcp,out,logtrust && esxcfg-firewall -l
Finally, restart the syslog server:
~ # service syslog restart
Note that the firewall rule opens outbound TCP, while in classic syslogd a single @ forwards over UDP. Check which protocol and port your relay listener expects, and that the syslog daemon on your ESX version accepts the :port suffix; otherwise nothing reaches the relay.
Configuring VMware vCenter
Follow the vendor instructions for setting up a remote syslog server for the vCenter Server Appliance.
Relay rules
Logs must be sent to the Devo platform through the Devo Relay, which secures the connection. The relay rules below are required.
Note that the rules below are not complementary: each one must be added on a different source port, so a given host must send to the port whose rule matches its message format.
Rule for events with "header + proc_name[proc_id] message"
Source port - Any available port
Source data - (\w+):\s\w+\s(\w+\[\d+\])?\s(.*)
Target tag - box.vmware.esx.\\D2
Target message - D3
Stop processing - ✓
Rule for events with "proc_name[proc_id]: message"
Source port - Any available port
Source data - (\w+\[\d+\])?:\s(.*)
Target tag - box.vmware.esx.\\D1
Target message - D2
Stop processing - ✓
Rule for events with "proc_name: message"
Source port - Any available port
Source data - (\w+)?:\s(.*)
Target tag - box.vmware.esx.\\D1
Target message - D2
Stop processing - ✓
Rule for events of Firewall Packet Logs
Source port - Any available port
Source message - FIREWALL-PKTLOG:
Target tag - box.vmware.firewall_packet
Sent without syslog tag - ✓
Stop processing - ✓
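To see what the four rules above actually emit before binding them to relay ports, here is an added Python example; it is not Devo Relay code and does not come from this page. It assumes that Source data is matched as an unanchored regular-expression search against the message body that follows the syslog header, that Source message is a plain substring test, and that \D<n> in a target tag expands to capture group n. The ports 13011 to 13014 are placeholders for "any available port", and every sample line is constructed rather than captured from a real host.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    port: int                # relay source port (placeholder values, see lead-in)
    name: str                # rule name as it appears on this page
    pattern: str             # "Source data" regex, or the literal "Source message"
    tag: str                 # "Target tag"; \D<n> stands for capture group n
    message: Optional[str]   # "Target message" group, e.g. "D2"; None keeps the body
    substring: bool = False  # True when the rule is a "Source message" substring test


# The four rules from this page, each bound to its own port as the page requires.
RULES = [
    Rule(13011, 'header + proc_name[proc_id] message',
         r'(\w+):\s\w+\s(\w+\[\d+\])?\s(.*)', r'box.vmware.esx.\D2', 'D3'),
    Rule(13012, 'proc_name[proc_id]: message',
         r'(\w+\[\d+\])?:\s(.*)', r'box.vmware.esx.\D1', 'D2'),
    Rule(13013, 'proc_name: message',
         r'(\w+)?:\s(.*)', r'box.vmware.esx.\D1', 'D2'),
    Rule(13014, 'Firewall Packet Logs',
         'FIREWALL-PKTLOG:', 'box.vmware.firewall_packet', None, substring=True),
]


def apply_rules(port: int, body: str) -> Optional[Tuple[str, str, str]]:
    """Return (rule name, tag, message) for the first rule bound to `port`
    that matches `body`, or None.  Every rule on the page has "Stop
    processing" set, so the first match is final."""
    for rule in RULES:
        if rule.port != port:
            continue
        if rule.substring:
            if rule.pattern in body:
                # "Sent without syslog tag": the body is forwarded untouched.
                return rule.name, rule.tag, body
            continue
        m = re.search(rule.pattern, body)   # unanchored search, as assumed above
        if m is None:
            continue

        def group(n: int) -> str:
            return m.group(n) or ''         # an unmatched optional group becomes ''

        # Expand \D<n> in the target tag and pick the target-message group.
        tag = re.sub(r'\\D(\d+)', lambda g: group(int(g.group(1))), rule.tag)
        msg = group(int(rule.message[1:]))
        return rule.name, tag, msg
    return None


def tag_is_well_formed(tag: str) -> bool:
    """A tag must not contain an empty level; an optional group that did not
    match produces exactly that (for example 'box.vmware.esx.')."""
    return all(level for level in tag.split('.'))


# Constructed ESXi message bodies (not captured from a real host), one per port.
SAMPLES = [
    (13011, 'Hostd: cpu3 Vpxa[1234] Initialized channel'),
    (13012, "vpxa[2099]: [5A8D1B90 verbose 'VpxaHalCnxHostagent'] Received callback"),
    (13013, "Hostd: [4A7B2B90 info 'Vimsvc.ha-eventmgr'] Event 42 : User root logged in"),
    (13013, ': body with no process name in front of the colon'),
    (13013, 'no colon at all'),
    (13014, 'FIREWALL-PKTLOG: constructed sample packet record'),
]

if __name__ == '__main__':
    for port, body in SAMPLES:
        result = apply_rules(port, body)
        if result is None:
            print(f'{port}: no rule matched {body!r}')
            continue
        name, tag, msg = result
        flag = '' if tag_is_well_formed(tag) else '  <-- empty tag level, check the pattern'
        print(f'{port} [{name}] tag={tag} message={msg!r}{flag}')
```

Run it and compare each printed tag with the tables in the Table structure section. With the patterns exactly as written, the level appended for the first two rules includes the [pid] suffix of the process name (one tag per process instance), and a body whose optional group does not match yields a tag with an empty trailing level, which tag_is_well_formed flags. Feed a representative sample of each host's real messages through this before enabling a rule on a port.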
Table structure
These are the fields displayed in each table:
box.vmware.esx
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
machine | | | |
facility | | | |
level | | vlevel | |
process_name | | | |
process_id | | | |
message | | | |
type | | | |
action | | | |
user | | | |
srcUser | | | |
srcIp | | | |
srcPort | | | |
logname | | | |
msg | | | |
obj | | | |
uid | | | |
euid | | | |
tty | | | |
ruser | | | |
rhost | | | |
pwd | | | |
cmd | | | |
attempt | | | |
device | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | message | ✓ |
box.vmware.firewall
Field | Type | Extra fields |
---|---|---|
eventdate | | |
machine | | |
stamp | | |
logprefix | | |
ifaceIn | | |
ifaceOut | | |
srcMac | | |
dstMac | | |
etherType | | |
srcIp | | |
dstIp | | |
len | | |
tos | | |
prec | | |
ttl | | |
id | | |
dfFlag | | |
proto | | |
spt | | |
dpt | | |
window | | |
res | | |
urgp | | |
cwrFlag | | |
eceFlag | | |
synFlag | | |
protoLen | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
box.vmware.firewall_packet
Field | Type | Extra fields |
---|---|---|
eventdate | | |
machine | | |
log_prefix | | |
filter_hash | | |
af_value | | |
reason | | |
action | | |
rule_id | | |
direction | | |
packet_length | | |
protocol | | |
source_ip | | |
source_ipv4 | | |
source_port | | |
destination_ip | | |
destination_ipv4 | | |
destination_port | | |
tcp_flags | | |
packets_in | | |
packets_out | | |
bytes_in | | |
bytes_out | | |
domain | | |
uuid | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
box.vmware.vcenter
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | | |
hostchain | | | | |
machine_name | | hostchain | | |
facility | | | | |
level | | | vlevel | |
logType | | | | |
serverdate_str | | | | |
message | | | | |
serverdate | | serverdate_str serverdate_fmt | | |
tag_info | | | | |
event_message | | | | |
event_id | | | | |
event_time | | | | |
user | | | | |
event_severity | | | | |
event_host | | | | |
event_msg | | | | |
event_domain | | | | |
event_user | | | | |
event_ip | | | | |
event_process_id | | | | |
event_action | | | | |
event_thread | | | | |
event_status_code | | | | |
event_path | | | | |
event_protocol | | | | |
hostname | | | | |
tag | | | | ✓ |
rawMessage | | | message | ✓ |