VMware Cloud Community
HywelBurris
Enthusiast

Filtering forwarded events

Hi,

Trying to help the SIEM team out by limiting the amount of logs being sent from the ESXi servers. We only really require security events to be sent to the SIEM, but I think there are two options here which may work:

  • Only send security events
    • There isn't a great deal of info on the net about this. Has anyone done this before and have a filter which I could copy?
  • Filter out the high-volume messages
    • I have started adding opIDs to filter out, but whilst the quantity of messages will be reduced, it doesn't really help the SIEM team, as they will still need the above security event information.

Any help would be greatly appreciated.

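The two options in the post are really an allowlist ("forward only lines that match my definition of a security event") versus a denylist ("drop lines whose opID or hostd sub-component is known to be chatty, forward the rest"). Below is an added illustration of both, written for this thread rather than taken from VMware or from the poster. It parses a handful of constructed ESXi syslog lines (the `[Originator@6876 sub=... opID=...]` block is where hostd/vpxa opIDs appear; the exact line layout, the regexes, the sample opIDs and the lists of "noisy" sources are all my assumptions and should be replaced with what your own hosts actually emit) and shows what each mode would forward.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout of an ESXi line as forwarded by vmsyslogd:
#   <ts> <host> <proc>[pid]: [<level> <proc>[pid]] [[Originator@6876 sub=... opID=...]] <msg>
# The "level proc[pid]" and "[Originator...]" parts are present for hostd/vpxa,
# absent for sshd and vmkernel lines, so both are optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)(?:\[\d+\])?: "
    r"(?:(?P<level>\w+) [\w.-]+\[[^\]]*\] )?"
    r"(?:\[(?P<meta>[^\]]*)\] )?"
    r"(?P<msg>.*)$"
)
META_RE = re.compile(r"(\w+)=(\S+)")  # picks sub=... and opID=... out of the Originator block


@dataclass
class Event:
    host: str
    proc: str
    sub: Optional[str]   # hostd/vpxa sub-component, if any
    opid: Optional[str]  # operation ID, if any
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into the fields the two filters need; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    meta = dict(META_RE.findall(m.group("meta") or ""))
    return Event(host=m.group("host"), proc=m.group("proc"),
                 sub=meta.get("sub"), opid=meta.get("opID"), msg=m.group("msg"))


# Option 1: allowlist. This is one possible definition of "security event" (vim
# session open/close, failed vim auth, SSH auth, lockdown changes); it is an
# assumption for this example and is exactly the definition the SIEM team has to agree on.
SECURITY_RULES = [
    re.compile(r"\blogged (?:in|out)\b"),
    re.compile(r"\bCannot login\b", re.IGNORECASE),
    re.compile(r"\b(?:Accepted|Failed) (?:password|publickey)\b"),
    re.compile(r"\blockdown\b", re.IGNORECASE),
]


def is_security_event(ev: Event) -> bool:
    return any(rule.search(ev.msg) for rule in SECURITY_RULES)


# Option 2: denylist of chatty sources. Constructed placeholders; the real
# opID prefixes and sub-components to suppress come from your own hostd.log/vpxa.log.
NOISY_OPID_PREFIXES = ("HB-host-",)                          # e.g. heartbeat-driven work
NOISY_SUBS = {"Vimsvc.TaskManager", "VpxaHalCnxHostagent"}   # e.g. task/callback chatter


def is_noise(ev: Event) -> bool:
    if ev.opid and ev.opid.startswith(NOISY_OPID_PREFIXES):
        return True
    return ev.sub in NOISY_SUBS


def forward(lines: List[str], mode: str) -> List[Event]:
    """Return the events that would be forwarded to the SIEM under 'allow' or 'deny' mode."""
    kept = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are dropped here; in production, count them
        if mode == "allow" and is_security_event(ev):
            kept.append(ev)
        elif mode == "deny" and not is_noise(ev):
            kept.append(ev)
    return kept


# Constructed sample lines in the assumed layout (not captured from a real host).
SAMPLE = [
    "2019-03-01T10:15:22Z esxi01 Hostd: info hostd[2099621] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=1a2b3c] Event 42 : User root@10.0.0.5 logged in as pyvmomi",
    "2019-03-01T10:15:23Z esxi01 Hostd: verbose hostd[2099621] [Originator@6876 sub=Vimsvc.TaskManager opID=HB-host-12@345-abc] Task Created : haTask-ha-host-vim.HostSystem.retrieveHardwareUptime-1",
    "2019-03-01T10:15:30Z esxi01 sshd[12345]: Accepted publickey for root from 10.0.0.7 port 51022 ssh2",
    "2019-03-01T10:15:31Z esxi01 sshd[12345]: Failed password for root from 10.0.0.9 port 51023 ssh2",
    "2019-03-01T10:15:40Z esxi01 Hostd: info hostd[2099621] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=9z8y7x] Event 43 : Cannot login user root@10.0.0.9: no permission",
    "2019-03-01T10:15:45Z esxi01 Vpxa: verbose vpxa[2098765] [Originator@6876 sub=VpxaHalCnxHostagent opID=WFU-c0ffee] [WaitForUpdatesDone] Received callback",
    "2019-03-01T10:15:50Z esxi01 vmkernel: cpu3:2097152)NMP: nmp_ThrottleLogForDevice:3802: Cmd 0x1a to dev naa.6000c29example failed H:0x0 D:0x2 P:0x0",
]

if __name__ == "__main__":
    for mode in ("allow", "deny"):
        kept = forward(SAMPLE, mode)
        print(f"{mode}: {len(kept)}/{len(SAMPLE)} lines forwarded")
        for ev in kept:
            print(f"  {ev.proc:<8} opID={ev.opid!s:<22} {ev.msg[:60]}")
```

On the sample input the allowlist forwards the four authentication lines only, while the opID/sub denylist drops the two chatty hostd/vpxa lines but still forwards the vmkernel storage error, which is the poster's point: a denylist cuts volume, but only an agreed definition of "security event" gives the SIEM team what they asked for. Once that definition is settled, the same matching can be pushed down to the host so lines are never sent at all: on releases that support it, ESXi's own vmsyslogd filters are managed with `esxcli system syslog config logfilter` and take the form `numLogs | ident | regexp`; check the esxcli reference for your ESXi version, since the available options differ between releases.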
MichaelRyom
Hot Shot

I think you first need to define what a security event is to you. Is it only login events, or does it include what's been done inside the ESXi console? Is it limited to ESXi only, or do VMs also need login events, and what kind?

Blogging at https://MichaelRyom.dk
Dec1603
Contributor

Hi,

I need to do the same. Did you ever get it set up?

Dec
