box.vmware

[ 1 Introduction ] [ 2 Tag structure ] [ 3 Configure the Devo Relay rules ] [ 4 Configuring VMware ESXi (version 5) ] [ 5 Configuring VMware ESX ] [ 6 Configuring VMware vCenter ] [ 7 Relay rules ] [ 8 Table structure ]

Check the reference vendor documentation here.

Introduction

The logs generated by the VMware vSphere virtualization platform are assigned tags that begin with box.vmware. You can configure a VMware server to report the logs to a remote syslog and since these logs cannot be tagged at the source, it is necessary to forward them to a Devo Relay that will tag the events and send them to the Devo Cloud.

Tag structure

The full tag must have 3 levels. The first two are fixed as box.vmware. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
VMware vSphere	`box.vmware.esx`	`box.vmware.esx`
	`box.vmware.firewall`	`box.vmware.firewall`
	`box.vmware.firewall_packet`	`box.vmware.firewall_packet`
	`box.vmware.vcenter`	`box.vmware.vcenter`

For more information, read more About Devo tags.

Configure the Devo Relay rules

You need to create rules on the Devo Relay that will apply the correct tag to the events.

Rule for ESX/ESXi events

This rule applies the box.vmware.esx tag to all events received on port 13005 of the Devo Relay. The tag will be applied as a prefix meaning that the final tag will be box.vmware.esx.<sourceTag>.

Rule for vCenter events

This rule applies the box.vmware.vcenter tag to all events received on port 13006 of the Devo Relay. The tag will be applied as a prefix meaning that the final tag will be box.vmware.vcenter.<sourceTag>.

Configuring VMware ESXi (version 5)

To send log events from ESXi to the Devo Relay, you need to set the Syslog.global.logHost parameter found in Configuration → Software → Advanced Settings, Syslog global settings as indicated below. Use the IP address of the relay and the port you will send to.

Configuring VMware ESX

Edit the /etc/syslog.conf file on the VMware ESX server to specify the Devo Relay as the remote syslog server:

*.* @1.2.3.4:13005

Then, open the port in the ESX firewall:

~ # esxcfg-firewall -o 13005,tcp,out,logtrust && esxcfg-firewall -l

Finally, restart the syslog server:

~ # service syslog restart

Configuring VMware vCenter

Follow the vendor instructions for setting up a remote syslog server for the vCenter Server Appliance.

Relay rules

Logs must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

Note that the rules below are not complementary, so you must add them with different source ports.

Rule for events with `"header + proc_name[proc_id] message"`

Source port - Any available port
Source data - (\w+):\s\w+\s(\w+\[\d+\])?\s(.*)
Target tag - box.vmware.esx.\\D2
Target message - D3
Stop processing - ✓

Rule for events with `"proc_name[proc_id]: message"`

Source port - Any available port
Source data - (\w+\[\d+\])?:\s(.*)
Target tag - box.vmware.esx.\\D1
Target message - D2
Stop processing - ✓

Rule for events with `"proc_name: message"`

Source port - Any available port
Source data - (\w+)?:\s(.*)
Target tag - box.vmware.esx.\\D1
Target message - D2
Stop processing - ✓

Rule for events of `Firewall Packet Logs`

Source port - Any available port
Source message - FIREWALL-PKTLOG:
Target tag - box.vmware.firewall_packet
Sent without syslog tag - ✓
Stop processing - ✓

Table structure

These are the fields displayed in this table:

box.vmware.esx
box.vmware.firewall
box.vmware.firewall_packet
box.vmware.vcenter

box.vmware.esx

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`
facility	`str`
level	`str`	vlevel
process_name	`str`
process_id	`str`
message	`str`
type	`str`
action	`str`
user	`str`
srcUser	`str`
srcIp	`ip4`
srcPort	`int4`
logname	`str`
msg	`str`
obj	`str`
uid	`str`
euid	`str`
tty	`str`
ruser	`str`
rhost	`ip4`
pwd	`str`
cmd	`str`
attempt	`int4`
device	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`	message	✓

box.vmware.firewall

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
machine	`str`
stamp	`float8`
logprefix	`str`
ifaceIn	`str`
ifaceOut	`str`
srcMac	`str`
dstMac	`str`
etherType	`str`
srcIp	`ip4`
dstIp	`ip4`
len	`int4`
tos	`int4`
prec	`int4`
ttl	`int4`
id	`int8`
dfFlag	`bool`
proto	`str`
spt	`int4`
dpt	`int4`
window	`int4`
res	`int4`
urgp	`int4`
cwrFlag	`bool`
eceFlag	`bool`
synFlag	`bool`
protoLen	`int4`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

box.vmware.firewall_packet

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
machine	`str`
log_prefix	`str`
filter_hash	`str`
af_value	`str`
reason	`str`
action	`str`
rule_id	`str`
direction	`str`
packet_length	`int4`
protocol	`str`
source_ip	`str`
source_ipv4	`ip4`
source_port	`str`
destination_ip	`str`
destination_ipv4	`ip4`
destination_port	`str`
tcp_flags	`str`
packets_in	`int4`
packets_out	`int4`
bytes_in	`int8`
bytes_out	`int8`
domain	`str`
uuid	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

box.vmware.vcenter

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`
hostchain	`str`
machine_name	`str`	hostchain
facility	`str`
level	`str`	vlevel
logType	`str`
serverdate_str	`str`
message	`str`
serverdate	`timestamp`	serverdate_str serverdate_fmt
tag_info	`str`
event_message	`str`
event_id	`str`
event_time	`str`
user	`str`
event_severity	`str`
event_host	`str`
event_msg	`str`
event_domain	`str`
event_user	`str`
event_ip	`str`
event_process_id	`str`
event_action	`str`
event_thread	`str`
event_status_code	`str`
event_path	`str`
event_protocol	`str`
hostname	`str`
tag	`str`		✓
rawMessage	`str`	message	✓