vRealize Log Insight makes it easy to collect events from vCenter and ESX, and we even have a robust set of content packs for vSphere, but some customers require their audit events to go to 3rd SIEM part due to information security requirements. In this use case, we can forward our audit logs via vRLI event forwarding to a SIEM. Let’s see how to do it here.
Finding Audit and Authentication Dashboards in Log Insight
If we look at our out-of-the-box dashboards in Log Insight, most of the work of developing queries to pass events to our SIEM is already done!
Under the vSphere content pack, expand to find Audit and Authentication.
Under authentication, we have dashboards with typical events that we would forward to a SIEM. (Failed Logins, Successful Logins, Admin Logins)
Find queries from which dashboards are created
If we click on the top left icon (looks like a bar chart with an arrow) in the top right icon cluster of any widget, it will take us to the interactive analytics page. This is where we can see the query used to gather these events. In this case, we click on the interactive analysis button for the ‘vCenter Server logins by type’ dashboard.
In Interactive Analysis, we can see the query used to retrieve all vCenter authentication events.
Now all we have to do is go to the event forwarding section of Log Insight and create a new forwarding rule to send these types of events to our SIEM. Specific details on event forwarding functionality are not covered here, but are covered in our official documentation.
Creation of a forwarding rule to our SIEM
We can use the ‘vc_event_type’ field, which should match the same event types as in the query above. Once we’ve specified our SIEM hostname and transport protocol, if your destination is configured correctly, we should start seeing events.
Now that the forwarding rule has been created, we can search our SIEM for our vCenter authentication event. I ran a query for ‘BadUsernameSessionEvent’, and the event appeared in our SIEM.
Creating a forwarding rule via text matching
Although the example above is relatively simple, creating event forwarding rules is not always so simple. Field ‘vc_event_type’ is a “static field” that comes directly from our vCenter logs, so we can use it as a forwarding field. Some fields, known as “extracted fields”, are fields that are added to an event in Log Insight via regex after ingestion. Most content packs use extracted fields to create the useful dashboards and widgets we rely on, but you can’t create forwarding rules based on extracted fields, so we have to be a little smarter.
Let’s go back to our vCenter authentication events dashboard and open the interactive analysis for “ESX Connections by Type”. Remember that you only need to click on the bar chart icon with the circled arrow in the image below to access Interactive Analysis for a widget.
Oh oh, it looks like ‘vmw_esxi_auth_type’ is an extracted field. It is created after ingestion using regex. If you click on the little pencil on the right near “Manage Fields” and find the field, you can see the regex pattern used to create it.
The regex pattern under the field name defines how the field is created and what it is extracted from.
So now if we’re going to create a forwarding rule based on this field, we can’t because it doesn’t appear in our list of fields to choose from under the filter section.
Now what we can do is filter based on text match. Let’s go back to the interactive analytics query for the ‘ESXi Logins by Type’ dashboard.
If we sort events by “event type”, we can search for text patterns in our events to create filters. It seems that all events captured by this query come from the ESXi log ‘hostd’ on the host and contain the words ‘logged as’ in the message body.
Next, let’s check the “Failed Login Attempts by Source and ESXi Host” dashboard and drill down into the interactive analysis.
This widget doesn’t shy away from using text matching, so we can use the text “password rejected by user” for our forwarding rule.
Now that we have text patterns to match, let’s create a new forwarding rule for our ESXi connections. Our filters will be ‘appname matches hostd’, since the hostd log is where our ESX login events come from, and the text fields ‘*logged in as*’ and ‘*password rejected for user*’ . Don’t forget the wildcard asterisks or the filter won’t work. We can test this filter to make sure it returns events by clicking “Run in Explore Logs Page”. If nothing is returned, further adjustments may be required.
I added an additional tag called ‘type=esxlogins’, so we can easily find the event when it arrives at our SIEM. Once we’re done, we save the forwarding rule and we can check our SIEM.
After the events are forwarded, if we search for “type=esxlogs” in our SIEM, our ESX login events should appear.
Armed with the information we just practiced, you can pass virtually any authentication (or any other) event to a SIEM from vRealize Log Insight, as long as there is a static field to filter or you can get the matching text pattern to match correctly for the events you need to pass. Please try this and let me know if you have any questions or comments. Thanks for reading!