VMware Cloud Community
JDLangdon
Expert

ESX Events to Syslog Server?

I'm not sure if I'm saying this correctly but my security guys want to know if ESX can send events to a syslog server?  We already have all of our log files going to the SYSlog server but I'm guessing this isn't the same as sending events?

Thanks,

jd

14 Replies
beckham007fifa

Hi,

Is it something like you want ESX to send the event logs and other logs to some location, or perhaps email you? Yes, this can be attained using SCOM 2007, but I'm not sure whether it will work for all Linux flavours or not... they support Red Hat, SUSE and Solaris, but I'm not that sure whether it will work with ESX...

Regards, ABFS
AndreTheGiant
Immortal

A syslog server can handle the host log files.

But some logs and most events are in vCenter Server (if you have it).

From vCenter you can handle alarms (which are only a subset of the events) with email and/or SNMP traps.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
michael_40catbi
Enthusiast

IMHO, go with an additional tool to capture and log events from vCenter/vSphere/ESX/ESXi:

Hytrust (www.hytrust.com)

Fine grain privilege management, admin proxy, security audit

RSA Envision (www.rsa.com)

SIEM tool with VMware support

Catbird (www.catbird.com)

TrustZones(R) data security, dual control, automated compliance

Hytrust and Catbird partner to offer a comprehensive solution for management security and data security.

Michael

Full-disclosure -- I work for Catbird.

peetz
Leadership

Come on, guys ...

Syslog-support is built into ESX and ESXi.

See here:

http://kb.vmware.com/kb/1005030     Logging ESX host events to a remote syslog server

http://kb.vmware.com/kb/1016621     Enabling Syslog on ESXi

- Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
michael_40catbi
Enthusiast

Andreas Peetz wrote:

Come on, guys ...

Syslog-support is built into ESX and ESXi.

See here:

http://kb.vmware.com/kb/1005030     Logging ESX host events to a remote syslog server

http://kb.vmware.com/kb/1016621     Enabling Syslog on ESXi

- Andreas

Well, what sort of event content are you getting?  You won't have proper user attribution and security relevant auditing that way.

--Michael (www.catbird.com)

Texiwill
Leadership

Hello,

With syslog from ESX/ESXi and the vCenter log files, the best you can hope for with respect to user correlation for forensics is timestamp analysis, to know that user A did action A and not action B, but there is always a doubt if two users do the same thing at the same exact second. Which one wins? The log files may not help in this case, unless you have some other correlation event or a vCenter task-id type construct. From a forensics perspective the latter is very important, but it is not there yet, so we have to 'correlate' data.

But if you want 'security' events out of ESX/ESXi by looking at the log files, you want some form of SIEM that actually understands ESX or ESXi. At the moment that is RSA Envision; Splunk has some, as do some of the other SIEMs out there, but none are as advanced as RSA Envision, which also understands data from HyTrust.

Yes, syslog is supported, but that is not 'events': there is too much data in syslog to parse all at once without some additional help from a SIEM or other product.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security,VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
oldManAround
Enthusiast

Note that, unlike ESX and ESXi, vCenter does not have a Syslog daemon and so events must be pulled from it through the Web Services SDK API.  As previously mentioned, several security/SIEM tools have already built this capability.

I'd like to add a comment on an additional eventing capability and benefit that you get from attaching to the vCenter API.  Through the vCenter API you can get standard vCenter Events, but also standard vCenter Alarms.  In addition, assuming that your security/SIEM tool asks for them, any custom Alarms that you create in vCenter are also picked up through the API when they fire.  I know that RSA enVision, with which I am most familiar, does pick up these custom alarms, at least.

Granted, the vCenter Alarm system itself could do with some enhancements to allow for more granular object/property triggers (e.g., around changes to VM configurations--moving a vNIC to another port group, for example).  However, it is still pretty powerful and easily configured in the vCenter GUI.

-- Justin Lute justin.lute@vce.com | www.vce.com @oldmanaround | www.oldmanaround.com
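Pulling events out of vCenter through the API and handing them to the syslog pipeline, as Justin describes, can be scripted. The following is an added example written for this thread, not VMware's, RSA's or any other vendor's code. It assumes pyVmomi (VMware's Python SDK) is installed; the vCenter name, the service account, the SIEM host and the local4 facility are placeholders; and the advanced option names Syslog.global.logHost (ESXi 5 and later) and Syslog.Remote.Hostname (ESXi 4) are the ones the hosts in use actually expose. The vCenter event and host-audit calls need a live vCenter; the syslog formatting works offline.

```python
"""Forward vCenter events to syslog and audit ESXi remote-syslog targets.
Added example for this thread, not VMware code. Assumes pyVmomi; names,
credentials and facility below are placeholders."""
import socket
from datetime import datetime, timedelta, timezone

# RFC 3164 numbers: facility local4 and the two severities used below.
FAC_LOCAL4 = 20
SEV_WARNING = 4
SEV_INFO = 6

# Event types raised to WARNING (assumption: a starting list of the
# vim.event.* session and permission/role change events).
SECURITY_EVENT_TYPES = {
    "UserLoginSessionEvent", "UserLogoutSessionEvent", "BadUsernameSessionEvent",
    "PermissionAddedEvent", "PermissionUpdatedEvent", "PermissionRemovedEvent",
    "RoleAddedEvent", "RoleUpdatedEvent", "RoleRemovedEvent",
}


def format_syslog(facility, severity, timestamp, hostname, app, msg):
    """Build one RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME APP: MSG."""
    pri = facility * 8 + severity
    ts = timestamp.strftime("%b %d %H:%M:%S")
    if ts[4] == "0":                      # RFC 3164 day is space padded, not "05"
        ts = ts[:4] + " " + ts[5:]
    return f"<{pri}>{ts} {hostname} {app}: {msg}"


def event_to_syslog(event, vcenter_name):
    """Map a vim.event.Event (or any object with the same attributes) to syslog.
    Only the short class name is used, so 'vim.event.UserLoginSessionEvent'
    and a plain 'UserLoginSessionEvent' are treated alike."""
    etype = type(event).__name__.split(".")[-1]
    severity = SEV_WARNING if etype in SECURITY_EVENT_TYPES else SEV_INFO
    src = getattr(event, "ipAddress", None) or "-"   # only session events carry it
    msg = (f"key={event.key} type={etype} user={event.userName or '-'} "
           f"src={src} msg={event.fullFormattedMessage}")
    return format_syslog(FAC_LOCAL4, severity, event.createdTime, vcenter_name, "vpxd", msg)


def fetch_events(si, begin, end, page=1000):
    """Read every vCenter event in [begin, end] through an EventHistoryCollector."""
    from pyVmomi import vim                       # assumption: pyVmomi installed
    spec = vim.event.EventFilterSpec(
        time=vim.event.EventFilterSpec.ByTime(beginTime=begin, endTime=end))
    collector = si.content.eventManager.CreateCollectorForEvents(filter=spec)
    try:
        collector.RewindCollector()               # start at the oldest match
        events = []
        while True:
            batch = collector.ReadNextEvents(page)
            if not batch:
                return events
            events.extend(batch)
    finally:
        collector.DestroyCollector()


def host_syslog_targets(si):
    """Return {host name: remote syslog target or None} for every ESXi host,
    so hosts that forward nothing stand out. Both option names are tried
    (assumption: the first one present is the one in effect)."""
    from pyVmomi import vim
    view = si.content.viewManager.CreateContainerView(
        si.content.rootFolder, [vim.HostSystem], True)
    targets = {}
    try:
        for host in view.view:
            targets[host.name] = None
            for key in ("Syslog.global.logHost", "Syslog.Remote.Hostname"):
                try:
                    vals = host.configManager.advancedOption.QueryOptions(key)
                except vim.fault.InvalidName:
                    continue
                if vals and vals[0].value:
                    targets[host.name] = vals[0].value
                    break
    finally:
        view.DestroyView()
    return targets


def forward(si, vcenter_name, syslog_host, syslog_port=514, lookback=timedelta(hours=1)):
    """Send the last `lookback` of vCenter events to the syslog server over UDP."""
    end = datetime.now(timezone.utc)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for ev in fetch_events(si, end - lookback, end):
        sock.sendto(event_to_syslog(ev, vcenter_name).encode(), (syslog_host, syslog_port))
        sent += 1
    return sent


if __name__ == "__main__":
    import ssl
    from pyVim.connect import SmartConnect, Disconnect   # assumption: pyVmomi
    si = SmartConnect(host="vcenter01.example.com", user="CORP\\siemreader",
                      pwd="change-me", sslContext=ssl.create_default_context())
    try:
        for host, target in host_syslog_targets(si).items():
            print(f"{host}: remote syslog -> {target or 'NOT CONFIGURED'}")
        print(f"forwarded {forward(si, 'vcenter01', 'siem.example.com')} events")
    finally:
        Disconnect(si)
```

The host audit answers the original question from the vCenter side: a host whose target comes back as NOT CONFIGURED is not sending anything to the syslog server, whatever the server shows. Give the service account a read-only role, since it only reads events and option values. UDP 514 is cleartext and unacknowledged; if the SIEM accepts TCP or TLS syslog, use a SOCK_STREAM socket (wrapped with ssl for TLS) instead.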
Texiwill
Leadership

Hello,

There are also several syslog tools available for Windows that send logs to syslog servers. The vCenter, Update Manager, and other tool log files are extremely important. Tie this information to what you get out of the SDK and you will get a more complete picture.

Best regards,

Edward L. Haletky
ronbo1964
Contributor

Where would I find documentation on what each of the ESX/ESXi syslog events means ???

Texiwill
Leadership

Hello,

Welcome to the forums.

There is no tool or reference that I know of that has the complete list of all the messages received from syslog. There are companies that sell SIEMs that can determine some of this for you. There are consultants who also know what to look for, but there is no comprehensive guide. Some of this is very Linux-like, and Linux knowledge goes a long way.

Best regards,

Edward L. Haletky
ronbo1964
Contributor

Are "what does this event mean"-type messages acceptable on this forum (or should they be in another forum)? Sorry for the thread hijack, OP...

Texiwill
Leadership

Hello,

That really depends if it is a security question or a general question. Security questions go here, general questions go into other forums.

Best regards,

Edward L. Haletky
Irondog20111014
Contributor

I'm a security guy, not a VMware admin, and I'm using RSA enVision to collect ESX/ESXi events via vCenter, utilizing enVision's vCenter collector.  I'm told that not all logs/events generated by ESX/ESXi hosts are sent to vCenter, and that syslog must be used to send them to enVision.  This negates use of enVision's supported collection service, parser, reporting, and query features.  Can the vCenter API be used to configure these logs/events to be sent to vCenter to be picked up by enVision?  My understanding is that these are events not picked up by the VPX agent.

Texiwill
Leadership

Hello,

Not yet. Ultimately you want to get the logs from these sources, and use enVision to correlate the events:

-- Each ESX/ESXi host (/var/log/{secure, messages, vmk*, weasel.log, tallylog, faillog, lastlog}, /var/log/vmware/*.log, ipmi/0/*ls, /var/log/vmware/vpx/*.log, /var/log/vmware/webAccess/*.log)

-- Each vCenter Server (C:\ProgramData\VMware\VMware *\Logs\** where ** is anything that is a text file)

-- vMA's log files (/var/log/{secure, messages, tallylog, boot.log, rpmpkgs}, /var/log/vmware/vma/*.log)

-- Log files from any virtualized security appliances

-- Log files from other management tools such as vCOps, vKernel, Embotics, HyTrust, etc.

Then also grab data from vCenter as to tasks and alarms using the SOAP APIs.

Once you have all these logs and data delivered to you, you can then use your SIEM to correlate events. It is possible to send logs from Windows to syslog, as well as those not already in syslog from ESX/ESXi/Linux, using tools like logtail or via other mechanisms such as vifs -get and the vSphere SOAP APIs.

There are many things to get at this moment. The issue is that you need to ensure your time servers across your nodes, tools, and SIEM are all in sync, as currently you have to use time to correlate all events. There is no way to track from the client to vCenter and what actually happens on the host, as vCenter does not currently use a task id or some other identifier when it talks to the host.

Best regards,

Edward L. Haletky
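The timestamp correlation Edward describes in his posts above (host-side syslog joined to vCenter events by time, with the same-second ambiguity and the clock-sync requirement) looks like this in code. This is an added example for the thread, not VMware's or any vendor's code. The hostd syslog lines and vCenter event records are constructed and only approximate the real formats; the regex and the task-to-event mapping are assumptions tuned to that sample and would need adjusting for real ESX/ESXi and vCenter versions.

```python
"""Attribute ESXi host-side tasks to vCenter users by timestamp correlation.
Added example for this thread, not VMware code. Sample data is constructed
and only approximates real hostd/syslog and vCenter event formats."""
import re
from datetime import datetime, timedelta

# Syslog header followed by a hostd "Task Created" line. Assumption: the real
# hostd format varies by version; this pattern matches the constructed sample.
HOSTD_TASK_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) Hostd: .*?"
    r"Task Created : haTask-(?P<moid>\d+)-(?P<op>vim\.[\w.]+)-\d+"
)

# vCenter event type expected for each host-side task (assumption: partial map).
OP_TO_EVENT = {
    "vim.VirtualMachine.powerOff": "VmPoweredOffEvent",
    "vim.VirtualMachine.powerOn": "VmPoweredOnEvent",
    "vim.VirtualMachine.reconfigure": "VmReconfiguredEvent",
}

SAMPLE_YEAR = 2011   # RFC 3164 timestamps carry no year; the collector must supply it

# Constructed host-side lines as they would arrive at the syslog server.
SAMPLE_HOSTD = [
    "Mar  5 09:04:07 esx01 Hostd: [2011-03-05 09:04:07.120 info 'TaskManager'] "
    "Task Created : haTask-16-vim.VirtualMachine.powerOff-120456",
    "Mar  5 09:04:07 esx01 Hostd: [2011-03-05 09:04:07.410 info 'TaskManager'] "
    "Task Created : haTask-22-vim.VirtualMachine.powerOff-120457",
    "Mar  5 09:10:31 esx02 Hostd: [2011-03-05 09:10:31.002 info 'TaskManager'] "
    "Task Created : haTask-31-vim.VirtualMachine.reconfigure-120501",
    "Mar  5 09:12:00 esx02 Hostd: [2011-03-05 09:12:00.551 info 'TaskManager'] "
    "Task Created : haTask-31-vim.VirtualMachine.powerOn-120510",
]

# Constructed vCenter events, as pulled from the API (time, user, type, host).
SAMPLE_VC_EVENTS = [
    {"time": datetime(2011, 3, 5, 9, 4, 7), "user": "CORP\\alice",
     "type": "VmPoweredOffEvent", "host": "esx01", "vm": "web01"},
    {"time": datetime(2011, 3, 5, 9, 4, 8), "user": "CORP\\bob",
     "type": "VmPoweredOffEvent", "host": "esx01", "vm": "web02"},
    {"time": datetime(2011, 3, 5, 9, 10, 30), "user": "CORP\\alice",
     "type": "VmReconfiguredEvent", "host": "esx02", "vm": "db01"},
]


def parse_hostd_line(line, year):
    """Return {time, host, op, moid} for a hostd task line, or None."""
    m = HOSTD_TASK_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "op": m["op"], "moid": m["moid"]}


def correlate(host_tasks, vc_events, tolerance=timedelta(seconds=2)):
    """For each host-side task find vCenter events of the matching type, on the
    same host, within +/- tolerance (covers small NTP drift between host,
    vCenter and SIEM). Status is 'attributed' (one user), 'ambiguous' (several
    users in the window: the same-second problem) or 'unattributed' (no vCenter
    event at all: possibly a direct host login that bypassed vCenter)."""
    results = []
    for task in host_tasks:
        want = OP_TO_EVENT.get(task["op"])
        hits = [ev for ev in vc_events
                if ev["type"] == want and ev["host"] == task["host"]
                and abs(ev["time"] - task["time"]) <= tolerance]
        users = sorted({ev["user"] for ev in hits})
        status = "attributed" if len(users) == 1 else "ambiguous" if users else "unattributed"
        results.append({"time": task["time"], "host": task["host"], "task": task["op"],
                        "status": status, "users": users})
    return results


def analyse_sample():
    """Run the correlation over the constructed sample and return the results."""
    tasks = [t for t in (parse_hostd_line(l, SAMPLE_YEAR) for l in SAMPLE_HOSTD) if t]
    return correlate(tasks, SAMPLE_VC_EVENTS)


if __name__ == "__main__":
    for r in analyse_sample():
        print(f"{r['time']} {r['host']} {r['task']}: {r['status']} {r['users']}")
```

In the sample, the two power-offs on esx01 within one second of each other come back ambiguous between alice and bob, which is exactly the case the thread says logs alone cannot settle: the host log carries hostd's own object IDs, not the VM names vCenter logs, so there is nothing to join on except time and host. The unattributed power-on on esx02 is the finding a security team cares about most, a host-side action with no vCenter event behind it. Widening the tolerance hides clock drift but turns more results ambiguous, so fix NTP on hosts, vCenter and the SIEM rather than loosening the window.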