Hi! Hope you are doing fine today and thanks for using Wazuh!
First of all, you need to configure the Wazuh Manager to receive syslog messages; follow the section "Configure Wazuh manager to receive Syslog messages" from this blog to achieve this.
After configuring the <remote> section in /var/ossec/etc/ossec.conf on the manager and restarting it (/var/ossec/bin/ossec-control restart), make sure the VMware ESXi server is sending syslog messages to the manager.
You can find information about syslog configuration for VMware ESXi here.
To check if VMware logs are reaching the manager you can use the tcpdump command (insert the right values for protocol, port and src):
- tcpdump -i any udp port 514 and src <ip of VMWare ESXi>
Then you can also activate <logall_json> (changing no to yes) in the ossec.conf on the manager (you must restart the service to apply the changes) to see in the archives every log reaching the manager and also what it is doing with each log.
Once you have activated logall_json you can see new logs arriving at the manager with the tail command:
- tail -f /var/ossec/logs/archives/archives.json
You can also grep there for specific data like an IP address:
- grep '<ip of VMWare ESXi>' /var/ossec/logs/archives/archives.json
Let us know how the results of these tests went.
Best regards!
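As an added example (not part of the reply above, and not Wazuh's own code), the following script reads archives.json lines, the output produced once logall_json is set to yes, and for one syslog sender reports which decoder and rule the manager matched for each event. That answers both questions the reply raises: are the ESXi messages reaching the manager, and what is the manager doing with them. The sample lines are constructed, and the field layout it assumes (timestamp, location holding the syslog sender IP, full_log, decoder.name, rule.id) should be checked against your own archives.json before relying on it.

```python
"""Summarise what the Wazuh manager did with syslog events from one sender.

Added example, not from the original post or from Wazuh itself. Field names
(timestamp, location, full_log, decoder.name, rule.id, rule.description) are
the archives.json layout as assumed here; verify them on your manager.
"""
import json
import sys
from collections import Counter

# Constructed sample lines in archives.json style (not real ESXi or Wazuh output).
# Event 1: decoded by a decoder but matched no rule.
# Event 2: reached the manager but no decoder matched.
# Event 3: from a different sender; decoded and matched a rule.
# Last line: not JSON at all (a partial write at the file tail is common under tail -f).
SAMPLE_ARCHIVES = """\
{"timestamp":"2024-01-01T10:00:00.000+0000","agent":{"id":"000","name":"wazuh-manager"},"id":"1","full_log":"2024-01-01T10:00:00Z esxi01 Hostd: User root logged in","decoder":{"name":"vmware"},"location":"192.0.2.10"}
{"timestamp":"2024-01-01T10:00:01.000+0000","agent":{"id":"000","name":"wazuh-manager"},"id":"2","full_log":"2024-01-01T10:00:01Z esxi01 message without a matching decoder","decoder":{},"location":"192.0.2.10"}
{"timestamp":"2024-01-01T10:00:02.000+0000","agent":{"id":"000","name":"wazuh-manager"},"id":"3","full_log":"2024-01-01T10:00:02Z other-host sshd: accepted login","decoder":{"name":"sshd"},"rule":{"id":"100100","level":3,"description":"constructed test rule"},"location":"198.51.100.7"}
this line is not json and must be skipped
"""


def parse_archives(text):
    """Return one dict per valid JSON line; silently skip blank or non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def events_from(events, sender_ip):
    """Events received from one syslog sender (location assumed to hold the sender IP)."""
    return [e for e in events if e.get("location") == sender_ip]


def summarize(events):
    """Per event: event id, decoder name ('none' if undecoded), rule id ('none' if no rule fired)."""
    rows = []
    for e in events:
        decoder = (e.get("decoder") or {}).get("name") or "none"
        rule = (e.get("rule") or {}).get("id") or "none"
        rows.append({"id": e.get("id"), "decoder": decoder, "rule": rule,
                     "full_log": e.get("full_log", "")})
    return rows


def decoder_counts(events):
    """How many events from this sender hit each decoder; a large 'none' bucket
    means the messages arrive but the manager cannot decode them."""
    return Counter(r["decoder"] for r in summarize(events))


def report(text, sender_ip):
    """Human-readable summary for one sender; returns the printed lines."""
    lines = []
    matched = events_from(parse_archives(text), sender_ip)
    lines.append(f"{len(matched)} event(s) from {sender_ip}")
    for r in summarize(matched):
        lines.append(f"  id={r['id']} decoder={r['decoder']} rule={r['rule']} :: {r['full_log'][:60]}")
    lines.append(f"decoders: {dict(decoder_counts(matched))}")
    return lines


if __name__ == "__main__":
    # Usage: python3 archives_check.py [/var/ossec/logs/archives/archives.json] [sender-ip]
    # With no arguments it runs over the constructed sample above.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    ip = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.10"
    data = SAMPLE_ARCHIVES if path is None else open(path, encoding="utf-8").read()
    print("\n".join(report(data, ip)))
```

Run it against the real file with the ESXi IP as the second argument; an event listed with decoder=none shows the log arrived but no decoder matched, which is a different problem from the log never reaching the manager at all (in which case the sender IP yields zero events and the tcpdump check from the reply is the next step).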