Problem with ESXI 8 decoder
103 views
Skip to first unread message
Nguyen Cung (nguyencunq)
Apr 17, 2024, 5:51:07 AMApr 17
to Wazuh | Mailing List
Hi,
Can anyone help me with my decoder, I collect log from Vmware esxi and follow this blog : Monitoring VMware ESXi with Wazuh I copy decoder and rule form this blog to my wazuh manager but it seem not working. I realize that log in this blog start with "vmware-esxi:" and the decode is <prematch>^vmware-esxi: </prematch>. But my log is not have "vmware-esxi:". It like "2024-04-17T02:24:28.056Z host01 Hostd[2099203]: [Originator@6876 sub=Vimsvc.ha-eventmgr opID=c856dbbf-d496 sid=525db58f] Event 19932 : User dc...@127.0.0.1 logged in as VMware-client/6.5.0".
Md. Nazmur Sakib
Apr 17, 2024, 6:05:01 AMApr 17
to Wazuh | Mailing List
Hi
Nguyen Cung,
Thank you for reaching out to us.
Can you check if you have used the out format ( <out_format>vmware-esxi: $(log)</out_format> ) in the ossec configuration?
The out_format is responsible for adding the vmware-esxi: at the starting of the log.
I hope this information helps. Let me know the update on the issue.
If this doesn't solve your issue, enable the archive log and share the output of this command.
I hope this information helps. Let me know the update on the issue.
Thank you for reaching out to us.
Can you check if you have used the out format ( <out_format>vmware-esxi: $(log)</out_format> ) in the ossec configuration?
<localfile>
<log_format>syslog</log_format>
<location>/var/log/vmware-esxi.log</location>
<out_format>vmware-esxi: $(log)</out_format>
</localfile>
The out_format is responsible for adding the vmware-esxi: at the starting of the log.
I hope this information helps. Let me know the update on the issue.
If this doesn't solve your issue, enable the archive log and share the output of this command.
cat /var/ossec/logs/archives/archives.log | grep " VMware " Activate the 'logall' option within the manager's ossec.conf file, as outlined in our Documentation:Wazuh Documentation | logall
This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.
Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumptionI hope this information helps. Let me know the update on the issue.
Md. Nazmur Sakib
Apr 22, 2024, 4:58:32 AMApr 22
to Wazuh | Mailing List
Hi Nguyen Cung,
Looking forward to your update on the issue.
Looking forward to your update on the issue.
Nguyen Cung (nguyencunq)
May 2, 2024, 4:16:22 AMMay 2
to Wazuh | Mailing List
Hi
Md. Nazmur Sakib,
Sorry for answer late. I fixed this issue, just my mistake not to read this blog carefully.
I build a Centos 7 for esxi log collector, install wazuh agent, focus this setting and this problem solved.
Thanks.
Sorry for answer late. I fixed this issue, just my mistake not to read this blog carefully.
I build a Centos 7 for esxi log collector, install wazuh agent, focus this setting and this problem solved.
Thanks.
Jethro Mic
May 28, 2024, 12:13:31 PMMay 28
to Wazuh | Mailing List
Hello,
same problem in my test environnement: Wazuh 4.7.4 OVA, Ubuntu 22.04 with WA 4.7.4 and ESXI 6.5
Jethro Mic
May 28, 2024, 12:24:22 PMMay 28
to Wazuh | Mailing List
Only my command are logged corretly :
Reply all
Reply to author
Forward
0 new messages