When you configure VMware ESXi to send log data to USM Anywhere, you can use the VMware Esxi plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
Integrating VMware ESXi
Before you configure the VMware ESXi integration, you must have the IP address (or FQDN) of the USM Anywhere Sensor that will receive the logs.
To configure VMware ESXi to send Syslog messages to USM Anywhere
Open a session in which the esxcli command is available: an ESXi Shell session on the host itself (console or SSH), or a system with vCLI installed.
Display the existing five configuration options on the host by running the command:
esxcli system syslog config get
Set a new host configuration, specifying options to change by entering:
esxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-unique=true|false --default-rotate=NNN --default-size=NNN
Minimally, you need to point syslog at the USM Anywhere Sensor on port 514 (--loghost set to the Sensor FQDN or IP address with port 514). Depending on your current firewall configuration, you might also need to use the esxcli command to open the syslog firewall rule set so that outbound syslog traffic is allowed through the ESXi firewall. Note that for UDP traffic, the firewall rule has no effect in ESXi 5.0 build 456551: UDP port 514 traffic flows regardless.
To open outbound traffic through the ESXi Firewall, run the following commands:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
Warning: Entering an incorrect logging path can cause the destination to become unmanageable!
To configure remote syslog using TCP on port 601
esxcli system syslog config set --loghost='tcp://<USMA_sensor_IP>:601'
To configure remote syslog using UDP on port 514
esxcli system syslog config set --loghost='udp://10.11.12.13:514'
Note: If using syslog with UDP, you must install a patch on the ESXi host. For more information, see VMware ESXi 5.0, Patch ESXi-5.0.0-20120704001-standard (2019113).
After making configuration changes, load the new configuration:
esxcli system syslog reload
Note: You may also use this command to restart the syslog service if the service is stopped.
Test whether the port you configured (514 or 601) is reachable from the ESXi host. nc -z completes a TCP connection, so it only verifies a TCP listener; it cannot confirm that a UDP collector is receiving traffic, so for UDP check the sensor for incoming ESXi events instead:
nc -z <RemoteHost_IP_address> 514
nc -z 10.11.12.13 514
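The steps above, carried out end to end in one script, as an added example that is not part of the USM Anywhere documentation or VMware's tooling. It validates the --loghost value before touching the host (protocol must be tcp or udp, port must be numeric and in range), opens the syslog rule set, applies the configuration, reloads syslog, and probes the port with nc only for TCP, since nc -z proves nothing for UDP. SENSOR and PROTO are placeholders you replace; when esxcli is not on the PATH (that is, you are not on an ESXi host) the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the USM Anywhere documentation or VMware's own
# tooling: apply the syslog-forwarding steps in an ESXi Shell or SSH session.
# SENSOR and PROTO are placeholders. When esxcli is not present the script
# only prints the commands it would run (DRY_RUN=1).

# Build and validate the --loghost value. Protocol must be tcp (default port
# 601) or udp (default port 514); the port, if given, must be 1..65535.
build_loghost_spec() {
    proto=$1
    host=$2
    port=$3
    if [ -z "$host" ]; then
        echo "build_loghost_spec: sensor host/IP is required" >&2
        return 1
    fi
    case "$proto" in
        tcp) port=${port:-601} ;;
        udp) port=${port:-514} ;;
        *)
            echo "build_loghost_spec: protocol must be tcp or udp, got '$proto'" >&2
            return 1
            ;;
    esac
    case "$port" in
        ''|*[!0-9]*)
            echo "build_loghost_spec: port must be numeric, got '$port'" >&2
            return 1
            ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "build_loghost_spec: port out of range: $port" >&2
        return 1
    fi
    echo "${proto}://${host}:${port}"
}

# Execute a command, or print it prefixed with '+' when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Show the current config, open the syslog firewall rule set, point the host
# at the sensor, reload syslog, and probe the port. nc -z completes a TCP
# handshake, so the probe is skipped for UDP, where it would prove nothing.
configure_remote_syslog() {
    spec=$(build_loghost_spec "$@") || return 1
    proto=${spec%%://*}
    hostport=${spec#*://}
    host=${hostport%:*}
    port=${hostport##*:}

    run esxcli system syslog config get
    run esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    run esxcli network firewall refresh
    run esxcli system syslog config set --loghost="$spec"
    run esxcli system syslog reload
    if [ "$proto" = tcp ]; then
        run nc -z "$host" "$port"
    else
        echo "UDP configured; confirm delivery by checking for ESXi events on the sensor" >&2
    fi
}

# Placeholders: replace with the USM Anywhere Sensor address and chosen protocol.
: "${SENSOR:=10.11.12.13}"
: "${PROTO:=tcp}"
# Off an ESXi host (no esxcli on the PATH) fall back to printing the commands.
command -v esxcli >/dev/null 2>&1 || DRY_RUN=1
configure_remote_syslog "$PROTO" "$SENSOR"
```

Run it on the host as SENSOR=<sensor_ip> PROTO=tcp sh configure-syslog.sh, or with PROTO=udp to use port 514; pass a third argument to configure_remote_syslog if the sensor listens on a non-default port. Validating the specification first matters because, as the warning above notes, a malformed logging target can leave the host unmanageable.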
For plugin enablement information, see Adding AlienApps to an Asset.
Available Plugin Fields
The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.
Additional Resources and Troubleshooting
For troubleshooting, refer to the vendor documentation: