VMware ESXi

When you configure your VMware ESXi to send log data to USM Appliance, you can use the VMware ESXi plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information

Device Details
  Vendor:            VMware ESXi
  Device Type:       Hypervisor
  Connection Type:   Syslog
  Data Source Name:  vmware-esxi
  Data Source ID:    1686

Integrating VMware ESXi

Before you configure the VMware ESXi integration, you must have the IP Address of the USM Appliance Sensor.

To configure VMware ESXi to send Syslog messages to USM Appliance

  1. Open an ESXi Shell console session where the esxcli command is available, such as vCLI, or on the ESXi host directly.

  2. Display the existing five configuration options on the host by running the command:

    esxcli system syslog config get

  3. Set a new host configuration, specifying options to change by entering:

    esxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-unique=true|false --default-rotate=NNN --default-size=NNN

    Minimally, you need to enable syslog to USM FQDN/IP:514 (the USM Appliance IP address and port number 514). Depending on your current firewall configuration, you might also need to use the esxcli command to manually enable the syslog firewall rule set so that syslog traffic can leave the host. Note that for UDP traffic, the firewall rule has no effect in ESXi 5.0 build 456551, and UDP port 514 traffic flows regardless.

    To open outbound traffic through the ESXi Firewall, run the following commands:

    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

    esxcli network firewall refresh

    Warning: Entering an incorrect logging path can cause the destination to become unmanageable!

    To configure remote syslog using TCP on port 601

    esxcli system syslog config set --loghost='tcp://<USMA_sensor_IP>:601'

    To configure remote syslog using UDP on port 514

    esxcli system syslog config set --loghost='udp://10.11.12.13:514'

    Note: If using syslog with UDP, you must download a patch on the ESXi host. For more information, see VMware ESXi 5.0, Patch ESXi-5.0.0-20120704001-standard (2019113).

  4. After making configuration changes, load the new configuration:

    esxcli system syslog reload

    Note: You may also use this command to restart the syslog service if the service is stopped.

  5. Test whether or not the port is reachable from the ESXi host:

    nc -z <RemoteHost_IP_address> 514

    Example

    nc -z 10.11.12.13 514
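The five steps above combined into one shell function with post-checks, as an added example that is not part of the USM Appliance or VMware documentation. It assumes esxcli and nc are in PATH on the ESXi host and that "esxcli system syslog config get" prints a "Remote Host:" line (an assumption about the output format); the sensor address 10.11.12.13 is the placeholder value used on this page.

```shell
#!/bin/sh
# Added example: apply the remote-syslog procedure for a USM Appliance sensor
# and verify the result. Not taken from the USM Appliance or VMware docs.
# Assumes: esxcli and nc in PATH; "esxcli system syslog config get" reports
# the destination on a "Remote Host:" line (assumed output format).
#
# usage: configure_usm_syslog <sensor_ip> <udp|tcp>
# Returns 0 only when the loghost is set, the syslog rule set is enabled,
# the configuration was reloaded and the sensor port answers a probe.
configure_usm_syslog() {
    sensor="$1"
    proto="${2:-udp}"
    case "$proto" in
        udp) port=514 ;;   # UDP on 514, as in step 3
        tcp) port=601 ;;   # TCP on 601, as in step 3
        *) echo "protocol must be udp or tcp" >&2; return 2 ;;
    esac
    loghost="${proto}://${sensor}:${port}"

    # Step 3: set the remote destination and open the syslog rule set
    # (enabling an already enabled rule set is harmless).
    esxcli system syslog config set --loghost="$loghost" || return 1
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true || return 1
    esxcli network firewall refresh || return 1
    # Step 4: load the new configuration.
    esxcli system syslog reload || return 1

    # Post-check 1: the host really reports the destination we asked for.
    if ! esxcli system syslog config get | grep -q "Remote Host:.*${loghost}"; then
        echo "loghost not applied: expected ${loghost}" >&2
        return 1
    fi
    # Post-check 2 (step 5): the sensor port answers from this host.
    if ! nc -z "$sensor" "$port"; then
        echo "sensor ${sensor}:${port} not reachable from this host" >&2
        return 1
    fi
    echo "syslog forwarding to ${loghost} configured and verified"
}

# Example invocation (placeholder sensor address from this page):
#   configure_usm_syslog 10.11.12.13 udp
```

A non-zero return means one of the steps or post-checks failed; the message on stderr names which one, so the script is safe to re-run after fixing the cause.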

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://kb.vmware.com/s/article/2003322

For troubleshooting, refer to the vendor documentation:

http://www.pearsonitcertification.com/articles/article.aspx?p=2241144