VMWare - VCSA to Wazuh Syslog
1,414 views
Skip to first unread message
Security One
Nov 3, 2022, 6:46:59 PM11/3/22
to Wazuh mailing list
Hello - Would like some assistance creating decoders and rules for VMWare. We are integrating via the VCSA server. Logs are there in the archives.log file and only a couple of logs are being detected by the pre-decoders, but most of the attached logs are not seen in the Wazuh dashboard. Attached the logs being seen on the archives.log file. Thanks in advance.
Abdullah Al Rafi Fahim
Nov 4, 2022, 4:23:03 AM11/4/22
to Wazuh mailing list
Hello,
Thank you for using Wazuh!
In Wazuh, we have some pre-built stock decoders and rules for VMWare logs.
Decoders: 0360-vmware_decoders.xml
Rules: 0235-vmware_rules.xml
However, as your logs are coming properly to the archives.log of the manager, you can verify using wazuh-logtest if the logs are being decoded and triggering alerts or not. You can learn more about wazuh-logtest here: https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html
In the archives.log, the "timestamp hostname path log" format. For example:
Thank you for using Wazuh!
In Wazuh, we have some pre-built stock decoders and rules for VMWare logs.
Decoders: 0360-vmware_decoders.xml
Rules: 0235-vmware_rules.xml
However, as your logs are coming properly to the archives.log of the manager, you can verify using wazuh-logtest if the logs are being decoded and triggering alerts or not. You can learn more about wazuh-logtest here: https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html
In the archives.log, the "timestamp hostname path log" format. For example:
If the archives.log entry is:
2022 Nov 03 21:01:12 my-wazuh-server-01->1.2.3.4 1 2022-11-03T21:01:12.770471+00:00 my-vcenter-server-01 sps - - - 2022-11-03T21:01:12.770Z [pool-24-thread-1] INFO opId=sps-Main-495054-122 com.vmware.vslm.globalcache.GlobalCatalogCache - Total number of changes for sync-id: h0B49OZR2L is: 0
Your actual log to test in wazuh-logtest should be:
2022-11-03T21:01:12.770471+00:00 my-vcenter-server-01 sps - - - 2022-11-03T21:01:12.770Z [pool-24-thread-1] INFO opId=sps-Main-495054-122 com.vmware.vslm.globalcache.GlobalCatalogCache - Total number of changes for sync-id: h0B49OZR2L is: 0
If these logs are not being decoded or not triggering any rules, you need to create custom decoders and rules for them to generate alerts. You can review the following documents to learn more about custom rules and decoders.
- Creating decoders and rules from scratch · Wazuh · The Open Source Security Platform
- Custom rules and decoders - Ruleset · Wazuh documentation
- Rules Syntax - Ruleset XML syntax · Wazuh documentation
- Decoders Syntax - Ruleset XML syntax · Wazuh documentation
- Regular Expression Syntax - Ruleset XML syntax · Wazuh documentation
I hope it helps. Please let us know how it goes.
Security One
Nov 4, 2022, 12:55:31 PM11/4/22
to Wazuh mailing list
Yes, the decoders aren't matching
Franck Ehret
Nov 7, 2024, 8:41:07 AM11/7/24
to Wazuh | Mailing List
Hi there,
I was wondering if anybody was able to get vCenter (VCSA) logs parsed in Wazuh.
Decoders seems to be meant for the hypervisor (ESXi), but not for VCSA.
@Wazuh, any chance to get new decoders? :-)
Thanks in advance & kind regards
Franck
Reply all
Reply to author
Forward
0 new messages