I'm looking to configure my loginsight cluster to forward ONLY the security-related events from vSphere to a remote destination. This should include ESXi and vCenter events. I'm not entirely sure what all to configure in the event forwarder and I'm wondering if there's a whitepaper or some suggestions here as to what's considered a security event?
There are obvious ones that I could simply grab an eventtype from a dashboard (failed attempts, etc.). Anyone have any thoughts on this? It'd be nice if I just had a button that said "Security Events" and it only forwards the security logs and not all the rest.
The list of what qualifies as Security-related events would have to come from the originating software and be either manually entered or packaged along with software-specific content packs - the latter is obviously a better user experience.
The idea of tagging events as "Security" can be generalized and is something we're looking at. You can do something like this today with Extracted Fields (post-ingest, not usable for forwarding) or with the Agent Tags (ingest-time, source-centric), but there's room for future enhancement.
We generally track feature requests on http://loginsight.vmware.com and I see you already posted it as http://loginsight.vmware.com/a/dtd/Forwarding-Security-Only-Events/130453-24427 so I'll go ahead and resolve this.
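Added example, not from the thread and not VMware's or Log Insight's own code: since the reply above says no authoritative "security event" list ships with the product, this script shows the kind of classification a defender would have to hand-author before it can be expressed as agent tags or forwarder filters. The categories and regular expressions are an assumed starting taxonomy for ESXi (sshd, hostd, vobd) and vCenter (vpxd) syslog output, and the sample lines are constructed to resemble that output; they are not captured logs.

```python
import re

# Assumed starting taxonomy (not from the thread): a defender's first cut at what
# "security-related" means for ESXi/vCenter syslog. Order matters: the first
# matching category wins, so the authentication rules come before the broader ones.
SECURITY_RULES = [
    ("auth_failure", re.compile(
        r"cannot login|rejected password|failed password|authentication failure", re.I)),
    ("auth_success", re.compile(
        r"logged in as|accepted (?:password|publickey)", re.I)),
    ("account_or_role_change", re.compile(
        r"(?:account|user) .*?(?:created|removed|deleted)"
        r"|password (?:changed|updated)"
        r"|role .*?(?:created|removed|updated)", re.I)),
    ("remote_access_or_policy_change", re.compile(
        r"(?:ssh|esxi shell) access has been (?:enabled|disabled)"
        r"|lockdown mode"
        r"|firewall (?:rule|configuration)", re.I)),
]


def classify(line: str):
    """Return the security category of one syslog line, or None if it is not security-related."""
    for category, pattern in SECURITY_RULES:
        if pattern.search(line):
            return category
    return None


def select_for_forwarding(lines):
    """Keep only the security-related lines, paired with their category, in original order.

    This is the decision a forwarder filter or ingest-time tag would have to encode:
    everything else (VM power state, storage I/O, ...) stays local and is not forwarded.
    """
    selected = []
    for line in lines:
        category = classify(line)
        if category is not None:
            selected.append((category, line))
    return selected


def category_counts(lines):
    """Summarise how many events of each category would be forwarded."""
    counts = {}
    for category, _ in select_for_forwarding(lines):
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample lines shaped like ESXi sshd/hostd/vobd and vCenter vpxd syslog output.
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z esx01 sshd[1234]: Rejected password for root from 10.0.0.5 port 50000 ssh2",
    "2024-05-01T10:00:02Z esx01 Hostd: [Originator@6876 sub=Vimsvc.HaSessionManager] "
    "Event 42 : User root@10.0.0.5 logged in as VMware-client/8.0",
    "2024-05-01T10:00:03Z esx01 vobd: [UserLevelCorrelator] SSH access has been enabled.",
    "2024-05-01T10:00:04Z esx01 Hostd: [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds1/vm1/vm1.vmx] "
    "State Transition (VM_STATE_ON -> VM_STATE_OFF)",
    "2024-05-01T10:00:05Z vcsa01 vpxd[5678]: [Originator@6876 sub=vpxLro] "
    "Cannot login user@vsphere.local for 10.0.0.6",
    "2024-05-01T10:00:06Z esx01 vmkernel: cpu3:2098)ScsiDeviceIO: 3501: Cmd(0x2a) to dev "
    "'naa.600000000000000000000000000000a1' on path 'vmhba0:C0:T0:L0' Failed: H:0x0 D:0x2",
    "2024-05-01T10:00:07Z vcsa01 vpxd[5678]: User account 'svc-backup' created by administrator@vsphere.local",
]

if __name__ == "__main__":
    for category, line in select_for_forwarding(SAMPLE_LINES):
        print(f"[{category}] {line}")
    print(category_counts(SAMPLE_LINES))
```

Of the seven constructed lines, five are selected and the VM power-state and storage I/O lines are dropped. The regular expressions are deliberately narrow (for example "ssh access has been enabled" rather than just "ssh") so that a storage or vmkernel line is not swept in by a substring match; whatever list you settle on, review it against a day of real traffic before wiring it into the forwarder, since a false negative here means the event never reaches the remote destination.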