We have recently been getting a lot of interest in how to identify critical vCenter and ESX events in Aria Logs so that they can be forwarded to other log aggregators. Aria Logs relies on extracted fields, which are fields created from regular expressions, to build all of the dashboards and alerts you see in the Aria Logs user interface. Unfortunately, these extracted fields cannot be used in forwarder queries, so they are no help when you need to identify important events for forwarding to a third-party logging system.
Writing queries that capture as much relevant data as possible across as few forwarder destinations as possible (there is a limit on the number of destinations), all without relying on any extracted fields, is a lot of manual work. To save you that effort, I have created a few queries that can be used in Aria Logs to forward the critical auditing and authentication events that a security team would expect to see in a SIEM or other logging solution.
I’ve exported these queries as content packs compatible with either Aria Logs SaaS or on-prem and uploaded them to our technical marketing GitHub page here:
Github – Aria Logs Forwarder Queries
Details are in the README file. Please make sure to read it before you download the content packs, as there are a few performance-related caveats to consider before using these queries.
Here is an example of some of the data the ESX auditing query pulls. It shows me creating a user on the ESX host and then removing it.
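Because forwarder queries cannot use extracted fields, they have to match the raw message text of each event. The script below is an added illustration of that approach in Python; it is not code from the original post or from the content packs on GitHub, and it does not use Aria Logs query syntax. The log lines, event numbers and message wording are constructed to resemble ESXi hostd audit messages (user account created and removed, role assignment, a successful and a failed login) and are not verbatim vendor output; the regular expressions are written against those constructed lines only.

```python
"""Raw-text filter for critical ESX audit events (added example, not from the post).

Runs a small set of regular expressions over raw syslog-style lines, keeps only
account-lifecycle and authentication events, and normalises each hit into a flat
record a SIEM could ingest. No pre-extracted fields are used, which is the
constraint Aria Logs forwarder queries operate under.
"""
import re
from typing import Optional

# Constructed sample lines: "<timestamp> <host> <process>: <message>".
# Modelled loosely on ESXi hostd output; the event ids and wording are made up.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z esx01 Hostd: Event 1201 : User account 'tmpadmin' was created on host esx01.lab.local",
    "2024-05-01T10:00:05Z esx01 Hostd: Event 1202 : Role 'Admin' assigned to user 'tmpadmin'",
    "2024-05-01T10:02:13Z esx01 Hostd: Event 1203 : User tmpadmin@192.0.2.10 logged in as VMware-client",
    "2024-05-01T10:03:44Z esx01 Hostd: Event 1204 : Cannot login tmpadmin@192.0.2.10 (password incorrect)",
    "2024-05-01T10:04:00Z esx01 Hostd: Event 1205 : User account 'tmpadmin' was removed on host esx01.lab.local",
    "2024-05-01T10:04:30Z esx01 Hostd: Event 1206 : Hostd heartbeat",
    "2024-05-01T10:05:00Z esx01 vmkernel: cpu3:2098)ScsiDeviceIO: 3501: Cmd(0x45) 0x28 ...",
]

# Splits the syslog prefix from the free-text message. The timestamp contains
# colons, so it is matched as a run of non-space characters rather than [^:].
SYSLOG_PREFIX = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# One pattern per critical event category. Named groups become record fields.
CRITICAL_PATTERNS = [
    ("account_created", re.compile(r"User account '(?P<user>[^']+)' was created")),
    ("account_removed", re.compile(r"User account '(?P<user>[^']+)' was removed")),
    ("role_assigned", re.compile(r"Role '(?P<role>[^']+)' assigned to user '(?P<user>[^']+)'")),
    ("login_success", re.compile(r"User (?P<user>\S+?)@(?P<src>[\d.]+) logged in")),
    ("login_failure", re.compile(r"Cannot login (?P<user>\S+?)@(?P<src>[\d.]+)")),
]

# A single alternation covering every category above: the shape a forwarder
# filter takes when all critical events must share one destination.
ANY_CRITICAL = re.compile(
    r"User account '[^']+' was (?:created|removed)"
    r"|Role '[^']+' assigned to user"
    r"|\S+@[\d.]+ logged in"
    r"|Cannot login \S+@[\d.]+"
)


def classify(line: str) -> Optional[dict]:
    """Return a normalised record for a critical event, or None for noise."""
    prefix = SYSLOG_PREFIX.match(line)
    if not prefix:
        return None
    msg = prefix.group("msg")
    for category, pattern in CRITICAL_PATTERNS:
        hit = pattern.search(msg)
        if hit:
            record = {
                "timestamp": prefix.group("ts"),
                "host": prefix.group("host"),
                "category": category,
                "message": msg,
            }
            record.update(hit.groupdict())
            return record
    return None


def matches_any(line: str) -> bool:
    """Cheap yes/no test using the combined pattern (no field extraction)."""
    return ANY_CRITICAL.search(line) is not None


def filter_critical(lines) -> list:
    """Keep only the lines that classify as critical, in input order."""
    return [rec for rec in (classify(line) for line in lines) if rec is not None]


if __name__ == "__main__":
    for rec in filter_critical(SAMPLE_LOGS):
        print(rec["timestamp"], rec["host"], rec["category"], rec.get("user"), rec.get("src", ""))
```

The two-stage layout mirrors what a forwarder setup needs: `ANY_CRITICAL` is the single coarse filter that decides whether a line leaves Aria Logs at all, while the per-category patterns in `classify` show what the receiving SIEM would parse out once the raw text arrives. Note that the heartbeat and vmkernel lines fall through both stages, which is the point of matching on message text rather than forwarding everything from the host.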

There is still a lot of room to improve these queries (I’m no regex guru…yet), but hopefully they help alleviate any pressure your ops teams are getting from security to forward critical audit and authentication events to systems like Splunk or LogRhythm.