A common question about vRealize Log Insight security events is “My security team wants important security events from our vCenter Server environment going to Splunk, and they want us to figure out what to send them. Where do we start?” Luckily, vRealize Log Insight already has plenty of great queries built in that collect security and auditing events. Here’s how you can send events from vRealize Log Insight to Splunk for your security team.
Where do you find relevant events to forward?
This is an easy one. vRealize Log Insight already has a few great default security dashboards under the “VMware – vSphere” content pack.
Click on “Security – Authentication” for a dashboard of great information to get you started with event forwarding to Splunk.
How do you forward events?
From the dashboard, click on the Interactive Analytics button on the top right on the “vCenter Server administrator logins.”
Here you’ll see the successful logins from vCenter Server users over the past 24 hours. You can forward these to Splunk by creating a forwarding rule using the filters above. Navigate to “Administration ->Event Forwarding” and create a new destination.
Make sure you choose the syslog protocol, and feel free to add any tags. I added one custom tag so the security admins know it’s a vCenter Server login. Then match the filters as they were in the interactive analytics. The filters use regex, so make sure to add * characters so it knows to grab everything before and after the matching words.
How do you know you forwarded the events correctly?
Run the event in interactive analysis to make sure it’s showing the same data as the dashboard widget where you originally copied it from.
If the data is correct, save the event forwarding rule. You should start to see the Events Forwarded count grow for your forwarding rule under the “Event Forwarding” section. Make sure Splunk is set up to receive events from vRealize Log Insight either over TCP or UDP 514. Your Splunk admin should know how to set this up.
Now, check Splunk. Run a search in Splunk for your vRealize Log Insight instance or the custom tag you added (“securityevent=vCenterLogin”) and you should see the events in Splunk.
TAMs can answer these questions and more
Now your security team can create reports and monitor logins for vCenter Server. Repeat this process for any of the other queries you want to forward to Splunk, from that vCenter Server Security/Authentication dashboard, or create your own queries to forward data if you feel comfortable enough.
As a VMware Technical Account Manager, my role is to help VMware customers optimize their use of VMware’s technology. If you’d like to learn how your organization could benefit from the expertise of a TAM like myself, contact your VMware Sales Representative or visit the VMware Technical Account Management Services homepage.