VMware ESXi servers decoders


Gerald muchuku

7:11 AM (15 hours ago)
to Wazuh | Mailing List
Hi there, 
I have been working on monitoring VMware ESXi servers using Wazuh. I have configured syslog on the VMware servers and rsyslog on the Wazuh manager.
The logs from VMware servers are successfully reaching the Wazuh manager. Here is an example of the logs I am getting:
2025-12-22T06:59:59Z DRHost240 osfsd: 2025-12-22T06:59:59.207Z 2099879:VmklinkMPI-LIB : Vmklink send sent total: 186 bytes of 186 needed
2025-12-22T06:59:59Z DRHost240 osfsd: 2025-12-22T06:59:59.207Z 2099879:VmklinkMPI-LIB : Sent request ID 16d3ad size 165
2025-12-22T06:59:59Z DRHost240 osfsd: 2025-12-22T06:59:59.207Z 2099879:VmklinkMPI-LIB : { : ID: 0x16d3ad, bufLen: 165 }
2025-12-22T06:59:59Z DRHost240 osfsd: 2025-12-22T06:59:59.207Z 2099879:OSFSVmklinkResourceAvailableCBHandler:519: resource available callback received
2025-12-22T07:00:01.190Z PRIHost241 localcli[13377290]: Log for VMware ESXi version=7.0.3 build=build-22348816 option=Release
2025-12-22T07:00:01.190Z PRIHost241 localcli[13377290]: Using VMware ESXi syslog APIs
2012-04-10T19:53:52.782Z DRHost241 Vpxa: error vpxa[2100017] [Originator@6876 sub=Heartbeat opID=SWI-41a7] Agent can't send heartbeats: Host is down
2025-12-22T07:00:01.517Z PRIHost241 localcli[13377290]: VsanIscsiTargetImpl: Calling VitVmkCtlFini()
2025-12-22T07:00:01.517Z PRIHost241 localcli[13377290]: VsanUtil: ClearClusterLeaveCallback: Cleared callback
2025-12-22T07:00:01.517Z PRIHost241 localcli[13377290]: VsanUtil: ClearVmkNicChangeCallback: Cleared callback
2025-12-22T07:00:01.517Z PRIHost241 localcli[13377290]: VsanUtil: ClearVsanSystemRefreshCallback: Cleared callback
2025-12-22T07:00:01.517Z PRIHost241 localcli[13377290]: VsanUtil: ClearVsanHostEnterMaintenanceModeCallback: Cleared callback
2025-12-22T03:49:14.810Z PRIHost244 vmkwarning: cpu0:13093368)WARNING: Hbr: 387: Failed to connect to 192.168.10.51 (groupID=H4-5481f464-74ca-46a2-9081-6be56191f645): Host is down
2025-12-22T03:49:14.810Z PRIHost244 vmkwarning: cpu0:13093368)WARNING: Hbr: 5093: Failed to establish connection to [192.168.10.51]:44046 (groupID=H4-5481f464-74ca-46a2-9081-6be56191f645): Host is down
2025-12-22T03:49:14.884Z PRIHost244 Hostd: info hostd[2100437] [Originator@6876 sub=Default] IPMI SEL sync took 0 seconds 0 sel records, last 218
2025-12-22T03:49:14.896Z PRIHost244 Hostd: warning hostd[2100437] [Originator@6876 sub=Default] load_v6_addresses: Ignore BMC V6 IP addr 56, not active, state=1
2025-12-22T07:00:01.740Z PRIHost241 vsanObserver.sh[13377347]: [13377234] Calc for ramdisk mounted on /vsantraces, freeMB:36
2025-12-22T07:00:01.803Z PRIHost241 vsanObserver.sh[13377364]: [13377234] CalcFreeSpace: 36, Max size: 10
2025-12-22T07:00:01.846Z PRIHost241 vsanObserver.sh[13377372]: [13377234] Check and delete old trace files
2025-12-22T07:00:01.876Z PRIHost241 vsanObserver.sh.rm[13377377]: Removed 0 old trace files
2025-12-22T07:00:01.891Z PRIHost241 vsanObserver.sh[13377379]: [13377234] Delete old trace files done
2012-04-10T19:53:53.473Z DRHost241 Rhttpproxy: warning rhttpproxy[2099586] [Originator@6876 sub=Default] SSL Handshake failed for stream <SSL(<io_obj p:0x000000cdc1248410, h:15, <TCP '192.168.120.241 : 443'>, <TCP '192.168.150.58 : 60671'>>)>: N7Vmacore3Ssl12SSLExceptionE(             SSL Exception: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)
2012-04-10T19:53:53.473Z DRHost241 Rhttpproxy: --> [context]zKq7AVICAgAAAMKpfAAMcmh0dHBwcm94eQAAfJk1bGlidm1hY29yZS5zbwAAAMAbAGCwFwBJFSgAu5YmAB+YJgCFsygAJTAoAAM0KAA7DzYBa4AAbGlicHRocmVhZC5zby4wAALtmg5saWJjLnNvLjYA[/context]
2012-04-10T19:53:53.482Z DRHost241 Rhttpproxy: verbose rhttpproxy[2099587] [Originator@6876 sub=Proxy Req 86779] New proxy client <SSL(<io_obj p:0x000000ce03803e30, h:15, <TCP '192.168.120.241 : 443'>, <TCP '192.168.150.58 : 60672'>>)>
2012-04-10T19:53:53.482Z DRHost241 Rhttpproxy: verbose rhttpproxy[2099578] [Originator@6876 sub=Proxy Req 86779] The client closed the stream, not unexpectedly.
2012-04-10T19:53:53.483Z DRHost241 Rhttpproxy: warning rhttpproxy[2099584] [Originator@6876 sub=Default] SSL Handshake failed for stream <SSL(<io_obj p:0x000000ce0391bf50, h:15, <TCP '192.168.120.241 : 443'>, <TCP '192.168.150.58 : 60673'>>)>: N7Vmacore3Ssl12SSLExceptionE(             SSL Exception: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
2012-04-10T19:53:53.483Z DRHost241 Rhttpproxy: --> [context]zKq7AVICAgAAAMKpfAAMcmh0dHBwcm94eQAAfJk1bGlidm1hY29yZS5zbwAAAMAbAGCwFwBJFSgAu5YmAB+YJgCFsygAJTAoAAM0KAA7DzYBa4AAbGlicHRocmVhZC5zby4wAALtmg5saWJjLnNvLjYA[/context]
2012-04-10T19:53:53.486Z DRHost241 Rhttpproxy: warning rhttpproxy[2306575] [Originator@6876 sub=Default] SSL Handshake failed for stream <SSL(<io_obj p:0x000000ce03906970, h:15, <TCP '192.168.120.241 : 443'>, <TCP '192.168.150.58 : 60674'>>)>: N7Vmacore3Ssl12SSLExceptionE(             SSL Exception: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
2012-04-10T19:53:53.486Z DRHost241 Rhttpproxy: --> [context]zKq7AVICAgAAAMKpfAAMcmh0dHBwcm94eQAAfJk1bGlidm1hY29yZS5zbwAAAMAbAGCwFwBJFSgAu5YmAB+YJgCFsygAJTAoAAM0KAA7DzYBa4AAbGlicHRocmVhZC5zby4wAALtmg5saWJjLnNvLjYA[/context]
2012-04-10T19:53:53.489Z DRHost241 Rhttpproxy: warning rhttpproxy[2099588] [Originator@6876 sub=Default] SSL Handshake failed for stream <SSL(<io_obj p:0x000000cdc126abb0, h:15, <TCP '192.168.120.241 : 443'>, <TCP '192.168.150.58 : 60675'>>)>: N7Vmacore3Ssl12SSLExceptionE(             SSL Exception: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
2012-04-10T19:53:53.489Z DRHost241 Rhttpproxy: --> [context]zKq7AVICAgAAAMKpfAAMcmh0dHBwcm94eQAAfJk1bGlidm1hY29yZS5zbwAAAMAbAGCwFwBJFSgAu5YmAB+YJgCFsygAJTAoAAM0KAA7DzYBa4AAbGlicHRocmVhZC5zby4wAALtmg5saWJjLnNvLjYA[/context]
2025-12-22T07:00:00Z DRHost240 crond[2100017]: USER root pid 16952792 cmd /usr/lib/vmware/vmksummary/log-heartbeat.py
2025-12-22T07:00:00Z DRHost240crond[2100017]: USER root pid 16952793 cmd /bin/hostd-probe.sh ++group=host/vim/vmvisor/hostd-probe/stats/sh
2025-12-22T07:00:00Z DRHost240 crond[2100017]: USER root pid 16952794 cmd /usr/lib/vmware/vsan/bin/vsanObserver.sh ++group=host/vim/vmvisor/vsanobserver
2025-12-22T07:00:00.208Z DRHost240 hostd-probe: - time the service was last started, Section for VMware ESX, pid=16952805, version=6.7.0, build=15160138, option=Release
2025-12-22T07:00:00.208Z DRHost240 hostd-probe: info hostd-probe[16952805] [Originator@6876 sub=Default] Initialized channel manager
2025-12-22T07:00:00.208Z DRHost240 hostd-probe: info hostd-probe[16952805] [Originator@6876 sub=Default] Current working directory: /var/log/vmware
2025-12-22T07:00:00.208Z DRHost240 hostd-probe: info hostd-probe[16952805] [Originator@6876 sub=FairScheduler] Priority level 4 is now active.
2025-12-22T07:00:00.208Z DRHost240 hostd-probe: info hostd-probe[16952805] [Originator@6876 sub=FairScheduler] Priority level 8 is now active.
2025-12-22T07:00:00.208Z DRHost240 hostd-probe: info hostd-probe[16952805] [Originator@6876 sub=FairScheduler] Priority level 16 is now active.
2025-12-22T07:00:00.208Z DRHost240 hostd-probe: info hostd-probe[16952805] [Originator@6876 sub=Default] Syscommand enabled: true
2025-12-22T07:00:00.208Z DRHost240 hostd-probe: info hostd-probe[16952805] [Originator@6876 sub=Default] ReaperManager Initialized
2025-12-22T07:00:00.209Z DRHost240 hostd-probe: info hostd-probe[16952805] [Originator@6876 sub=Default] Current process ID: 169528

The following is the decoder that I am using:
<decoder name="vmware-Hostd">
    <program_name>Hostd</program_name>
</decoder>

<decoder name="vmware-Hostd_child">
    <parent>vmware-Hostd</parent>
    <regex>^(\.+) (\.+)</regex>
    <order>info, verbose, warning</order>
</decoder>

1. Is this decoder effective or should I look for other decoders?
2. Are there existing Wazuh decoders and rules for VMware ESXi server logs? If yes, where can I get them?


Olamilekan Abdullateef Ajani

8:46 AM (13 hours ago)
to Wazuh | Mailing List
Hello Gerald,

Your decoder will not be effective for all the logs you have shared. I also see a little decoder syntax issue in what you have shared, between the regex and the order used to extract the fields.

My advice would be to look at the logs and identify the important ones with interesting fields you intend to work with, and not all generic logs, to avoid noise. After identifying the important logs, you can refer to the information below about monitoring VMware ESXi with Wazuh, where you will find sample decoders and rules to see if any of your logs match.

You can also check out the documentation below on writing decoders and rules for reference:

That being said, if after going through the above, you require support on writing the decoders, please let me know with the selected logs and I will gladly assist.

Regards,
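Added example (not from this thread and not Wazuh's own code): a Python sketch of the field extraction a pair of child decoders would do for the hostd/rhttpproxy/vpxa and vmkwarning lines shown above. The patterns are written in PCRE syntax so they can be reused in a Wazuh child decoder with <regex type="pcre2"> and a matching <order>; the header split stands in for Wazuh's syslog pre-decoder, and the sample lines, program list and field names are assumptions.

```python
import re

# Constructed sample lines in the formats shown in the thread (stream objects and group IDs shortened).
SAMPLES = [
    "2025-12-22T03:49:14.884Z PRIHost244 Hostd: info hostd[2100437] "
    "[Originator@6876 sub=Default] IPMI SEL sync took 0 seconds 0 sel records, last 218",
    "2012-04-10T19:53:53.473Z DRHost241 Rhttpproxy: warning rhttpproxy[2099586] "
    "[Originator@6876 sub=Default] SSL Handshake failed for stream <SSL(...)>: "
    "N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher)",
    "2012-04-10T19:53:53.482Z DRHost241 Rhttpproxy: verbose rhttpproxy[2099587] "
    "[Originator@6876 sub=Proxy Req 86779] New proxy client <SSL(...)>",
    "2025-12-22T03:49:14.810Z PRIHost244 vmkwarning: cpu0:13093368)WARNING: Hbr: 387: "
    "Failed to connect to 192.168.10.51 (groupID=H4-...): Host is down",
    "2025-12-22T06:59:59Z DRHost240 osfsd: 2025-12-22T06:59:59.207Z 2099879:VmklinkMPI-LIB : "
    "Sent request ID 16d3ad size 165",
]

# Syslog header as the ESXi hosts write it: "<timestamp> <host> <program>: <body>" (stands in for the pre-decoder).
HEADER = re.compile(r"^(?P<timestamp>\S+) (?P<host>\S+) (?P<program>[^:\s]+):\s*(?P<body>.*)$")

# Body of hostd/rhttpproxy/vpxa lines, in PCRE syntax so it can go into a Wazuh child decoder
# as <regex type="pcre2"> with <order>level, daemon, pid, subsystem, message</order>.
VMACORE = re.compile(
    r"^(?P<level>\w+) (?P<daemon>[\w-]+)\[(?P<pid>\d+)\] "
    r"\[Originator@6876 sub=(?P<subsystem>[^\s\]]+)[^\]]*\] (?P<message>.+)$")
# vmkwarning body: "cpu<n>:<world>)WARNING: <module>: <srcline>: <message>"
VMKERNEL = re.compile(
    r"^cpu(?P<cpu>\d+):(?P<world>\d+)\)(?P<level>[A-Z]+): (?P<module>\w+): "
    r"(?P<srcline>\d+): (?P<message>.+)$")
# Programs worth decoding (assumed set); everything else (osfsd, vsanObserver.sh, ...) stays undecoded.
BODY = {"Hostd": VMACORE, "Rhttpproxy": VMACORE, "Vpxa": VMACORE, "vmkwarning": VMKERNEL}

def decode(line):
    """Return the fields a matching decoder would extract, or None if no decoder applies."""
    head = HEADER.match(line)
    if not head or head["program"] not in BODY:
        return None
    body = BODY[head["program"]].match(head["body"])
    if not body:
        return None
    fields = {k: v for k, v in head.groupdict().items() if k != "body"}
    fields.update(body.groupdict())
    return fields

def ssl_handshake_failures(lines):
    """Rule-side check: rhttpproxy warnings about failed TLS handshakes, keeping the source host."""
    return [f for f in map(decode, lines)
            if f and f.get("daemon") == "rhttpproxy" and f["level"] == "warning"
            and f["message"].startswith("SSL Handshake failed")]
```

Running decode() over the real syslog file before writing the XML shows which lines a program_name-based parent decoder would pass to each child and which remain noise.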
