Recently, we have been getting a lot of interest in how to identify critical vCenter and ESX events in Aria Logs so they can be forwarded to other log aggregators. Aria Logs makes use of extracted fields, which are fields created from regular expressions, to build all of the useful dashboards and alerts we see in the Aria Logs user interface. Unfortunately, these extracted fields cannot be used to select the important events that some customers need to forward to a 3rd-party logging system.
Luckily, there is a static field that we can use to grab all of the important security events that we would need to forward to a SIEM, the ‘appname’ field. This field, more or less, identifies which logfile the event is being pulled from. In the screenshot below, I searched for ‘appname contains shell’. This gives us the events from the ‘shell.log’ logfile in ESX, which records user console shell activity.
So, what logfiles do we need to collect from? If we look at the official documentation, for ESX we want to collect the events from ‘auth.log’, ‘hostd.log’, and ‘shell.log’. For vCenter, things aren’t as straightforward since it is an appliance, but most of the critical audit and authentication logs are contained under the ‘vcenter-server’ appname field.
The screenshot below is the forwarder query you would use to send the events to another logging destination in Aria Logs SaaS. For Aria Logs on-premises it's mostly the same, but you would use ‘matches’ instead of ‘contains’ as the operator.
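To make the selection rule concrete, here is an added Python example (not VMware's code and not the Aria Logs forwarder itself) that applies the appname list from this post to constructed sample events, and shows how a substring ‘contains’ filter can also pick up look-alike appnames that an exact ‘matches’ filter would not. Modelling ‘matches’ as an anchored regular expression is an assumption about the on-premises operator.

```python
import re

# Appnames this post identifies as carrying the critical security events.
# The names come from the post; the events below are constructed.
ESX_APPNAMES = ["auth", "hostd", "shell"]
VCENTER_APPNAMES = ["vcenter-server"]
FORWARD_APPNAMES = ESX_APPNAMES + VCENTER_APPNAMES


def appname_selected(appname: str, operator: str = "contains") -> bool:
    """Return True if an event with this appname should be forwarded.

    'contains' mimics the Aria Logs SaaS substring operator.
    'matches' mimics the on-premises operator, modelled here (assumption)
    as an anchored regular expression, i.e. an exact appname match.
    """
    if operator == "contains":
        return any(needle in appname for needle in FORWARD_APPNAMES)
    if operator == "matches":
        pattern = "^(" + "|".join(re.escape(n) for n in FORWARD_APPNAMES) + ")$"
        return re.match(pattern, appname) is not None
    raise ValueError(f"unknown operator: {operator}")


def select_for_forwarding(events, operator: str = "contains"):
    """Filter a list of {'appname': ..., 'text': ...} events for forwarding."""
    return [e for e in events if appname_selected(e["appname"], operator)]


# Constructed sample events in the shape Aria Logs exposes (appname + text).
SAMPLE_EVENTS = [
    {"appname": "shell", "text": "[root]: esxcli system ... (console activity)"},
    {"appname": "auth", "text": "sshd: Failed password for root from ..."},
    {"appname": "hostd", "text": "Event: Created virtual machine audit_test"},
    {"appname": "vcenter-server", "text": "VM audit_test created"},
    {"appname": "vmkernel", "text": "cpu0: scheduler tick"},  # operational noise
    {"appname": "hostd-probe", "text": "probe ok"},  # look-alike name, over-matched by 'contains'
]

if __name__ == "__main__":
    for op in ("contains", "matches"):
        chosen = [e["appname"] for e in select_for_forwarding(SAMPLE_EVENTS, op)]
        print(f"{op}: {chosen}")
```

Running it shows ‘contains’ forwarding five of the six events (including the look-alike) while ‘matches’ forwards exactly the four appnames from the post, which is worth checking against your own appname values before turning on the forwarder.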
With our forwarding rule in place, if I log into Splunk we can see the events from me creating a virtual machine called ‘audit_test’ in vCenter…
…and then from me enabling SSH on a host, trying to log in as root, and failing authentication.
Now your security teams can create any reports or alerts they need in Splunk. This might be obvious to some, but be aware that this will increase your Splunk ingestion volume, so please plan accordingly before configuring this forwarding destination.
In summary, we at VMware believe in the motto “Better Together” when it comes to Aria Operations for Logs and our 3rd party friends out there in the log management space. VMware Aria Operations for Logs is a powerful, cost-effective tool for operational troubleshooting and root-cause analysis of breakages in your VMware environment, but if your security teams use another log aggregator for security event management, we’re happy to show you how to forward those critical security events to their destination of choice.