VMware ESXi Question


Kobrik Kobrikovic

Jun 19, 2024, 4:17:17 AM
to Wazuh | Mailing List
Hello,
I have successfully managed to get VMware ESXi up and running. It works great, except for one thing. The logs from ESXi are stored in /var/log/syslog, but also in /var/log/vmware-esxi.log, so they are sent by the agent twice: once as syslog and once as <out_format>vmware-esxi: $(log)</out_format>. This unnecessarily takes up space on the indexer server.
I tried omitting this from the agent's /var/ossec/etc/ossec.conf:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

or adding

  <!-- Files/directories to ignore -->
  <ignore>/var/log/syslog</ignore>

After saving and restarting the agent, the syslog is still sent along with <out_format>vmware-esxi: $(log)</out_format>.

What am I doing wrong? Is there any way to limit this?


Othniel Ebolum

Jun 19, 2024, 9:27:45 AM
to Wazuh | Mailing List
Hi Kobrik, 

Thanks for contacting Wazuh, 

Following the blog post Monitoring VMware ESXi with Wazuh, the duplication issue you had did not occur.

Step 5:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/vmware-esxi.log</location>
<out_format>vmware-esxi: $(log)</out_format>
</localfile>
Can you confirm this configuration in your agent ossec.conf?

Best regards, 

Kobrik Kobrikovic

Jun 20, 2024, 1:59:40 AM
to Wazuh | Mailing List
Hello, thank you for your response. I confirm the step 5 setting in the agent's ossec.conf.



On Wednesday, June 19, 2024 at 3:27:45 PM UTC+2, Othniel Ebolum wrote:

Kobrik Kobrikovic

Jul 29, 2024, 3:48:38 AM
to Wazuh | Mailing List

Hello, I have used the method of sending logs to a file in /var/log/xxx.log via rsyslog in several cases. However, the logs are always saved both to the newly defined log file and to syslog at the same time.
I tried to solve this directly by configuring /etc/rsyslog.conf:

# Filter messages by IP address 18.25.233.22 and save to /var/log/barracuda.log
if $fromhost-ip == '18.25.233.22' then /var/log/barracuda.log
& stop

# General configuration for other messages
if $fromhost-ip != '18.25.233.22' then /var/log/syslog

Even so, logs from the defined host are still stored in syslog.

Can someone please advise?

On Thursday, June 20, 2024 at 7:59:40 AM UTC+2, Kobrik Kobrikovic wrote:
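An added example (not from anyone in this thread) of an rsyslog rule that keeps a forwarded host's messages out of /var/log/syslog, so the Wazuh agent ingests them from the dedicated file only. It is written in RainerScript and assumes the drop-in filename and the ESXi host IP 192.0.2.10 below, both placeholders; rsyslog evaluates rules in file order, so on Debian/Ubuntu the rule must load before /etc/rsyslog.d/50-default.conf, which holds the catch-all rule that writes every message to /var/log/syslog.

```conf
# /etc/rsyslog.d/10-vmware-esxi.conf  (assumed path; the "10-" prefix makes it
# load before 50-default.conf, whose "*.* /var/log/syslog" rule would otherwise
# have already written a copy before any later "stop" is reached)

# Receive the forwarded logs over UDP/514. Omit these two lines if imudp is
# already loaded in /etc/rsyslog.conf, because rsyslog refuses to load a
# module twice.
module(load="imudp")
input(type="imudp" port="514")

# 192.0.2.10 is a placeholder for the ESXi host. Everything it sends is
# written to its own file and then dropped, so it never reaches the
# catch-all syslog rule and the Wazuh agent sees it only once.
if $fromhost-ip == '192.0.2.10' then {
    action(type="omfile" file="/var/log/vmware-esxi.log")
    stop
}
```

Check the syntax with `rsyslogd -N1` before restarting; if a copy still lands in /var/log/syslog, compare the drop-in's name against the include order in /etc/rsyslog.conf, since a rule placed after the include of /etc/rsyslog.d/*.conf runs too late.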