VMware Cloud Community
OsburnM
Hot Shot
Hot Shot
Jump to solution

vCenter VCSA Syslog Console Commands to LogInsight

Greetings all--

I have vcsas & have LogInsight.  I have the vcsa's VAMI configured to send syslog to our LogInisght.  I've confirmed Im receiving vcenter-related events (ie, appname=vpxa, etc); however, I'm not seeing any of the vcsa appliance OS logs (like any bash/shell commands sent).  I see shell commands from our esx hosts-- just not the vcsas.

Anyone know what additional setup is required for the OS itself?  Do I need something special in the syslog config or liagent.conf?

Thanks in advance.

Reply
0 Kudos
1 Solution

Accepted Solutions
OsburnM
Hot Shot
Hot Shot
Jump to solution

Alright so I think I figured it out but I'll post here my solution for others and open it up to additional conversation.

In a lab vcenter (7.x vcsa) and lab loginsight (8.10) environment I did the following:

This is not an exact/details list of commands/steps-- just high level what I did...

Log Insight > Management > Agents >
Selected vSphere 7.0 - vCenter (Linux) agent template and copied it
Reproduced the File Log "audit" section from the legacy "Linux - systemd" template into this new template (ie, added the /root/ directory and .bash_history sections with tag 'audit' & tag value 'bash_history'
Downloaded Log Insight Agent Version 8.10.0 rpm
Copied RPM to VCSA /tmp directory (used winscp)
Installed liagent rpm file (rpm -i filename.rpm)


That was it. Now I have all the bash_history commands of the vcsa sending to loginsight. Happy days.

View solution in original post

Reply
0 Kudos
3 Replies
maksym007
Expert
Expert
Jump to solution

It should be possible actually. Never had occasion to test it. 

Reply
0 Kudos
OsburnM
Hot Shot
Hot Shot
Jump to solution

Alright so I think I figured it out but I'll post here my solution for others and open it up to additional conversation.

In a lab vcenter (7.x vcsa) and lab loginsight (8.10) environment I did the following:

This is not an exact/details list of commands/steps-- just high level what I did...

Log Insight > Management > Agents >
Selected vSphere 7.0 - vCenter (Linux) agent template and copied it
Reproduced the File Log "audit" section from the legacy "Linux - systemd" template into this new template (ie, added the /root/ directory and .bash_history sections with tag 'audit' & tag value 'bash_history'
Downloaded Log Insight Agent Version 8.10.0 rpm
Copied RPM to VCSA /tmp directory (used winscp)
Installed liagent rpm file (rpm -i filename.rpm)


That was it. Now I have all the bash_history commands of the vcsa sending to loginsight. Happy days.

Reply
0 Kudos
maksym007
Expert
Expert
Jump to solution

thx for hint. Will write it down to my onenote for future

Reply
0 Kudos