VMware Cloud Community
OsburnM

Forwarding only Security Events - Is a List Available?

I'm looking to configure my Log Insight cluster to forward ONLY the security-related events from vSphere to a remote destination. This should include ESXi and vCenter events. I'm not entirely sure what all to configure in the event forwarder, and I'm wondering if there's a whitepaper or some suggestions here as to what's considered a security event?

There are obvious ones that I could simply grab an event type for from a dashboard (failed attempts, etc.). Anyone have any thoughts on this? It'd be nice if I just had a button that said "Security Events" and it only forwarded the security logs and not all the rest.

Accepted Solutions
admin

The list of what qualifies as security-related events would have to come from the originating software and either be entered manually or packaged along with software-specific content packs; the latter is obviously a better user experience.

The idea of tagging events as "Security" can be generalized and is something we're looking at. You can do something like this today with Extracted Fields (post-ingest, not usable for forwarding) or with the Agent Tags (ingest-time, source-centric), but there's room for future enhancement.

We generally track feature requests on http://loginsight.vmware.com and I see you already posted it as http://loginsight.vmware.com/a/dtd/Forwarding-Security-Only-Events/130453-24427 so I'll go ahead and resolve this.
