Collect VMware ESXi logs
Supported in:
Overview
This parser extracts fields from VMware ESXi syslog and JSON formatted logs. It normalizes the variety of ESXi log formats into a common structure, then populates UDM fields based on extracted values, including handling specific cases for different ESXi services like crond, named, and sshd using include files.
Before you begin
- Ensure that you have a Google SecOps instance.
- Ensure that you have privileged access to VMWare ESX.
- Ensure that you have a Windows 2012 SP2 or later or Linux host with systemd.
- If running behind a proxy, ensure firewall ports are open.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install BindPlane Agent
- For Windows installation, run the following script:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet. - For Linux installation, run the following script:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh. - Additional installation options can be found in this installation guide.
Configure BindPlane Agent to ingest Syslog and send to Google SecOps
- Access the machine where BindPlane is installed.
Edit the
config.yamlfile as follows:receivers: tcplog: # Replace the below port <54525> and IP (0.0.0.0) with your specific values listen_address: "0.0.0.0:54525" exporters: chronicle/chronicle_w_labels: compression: gzip # Adjust the creds location below according the placement of the credentials file you downloaded creds: '{ json file for creds }' # Replace <customer_id> below with your actual ID that you copied customer_id: <customer_id> endpoint: malachiteingestion-pa.googleapis.com # You can apply ingestion labels below as preferred ingestion_labels: log_type: SYSLOG namespace: raw_log_field: body service: pipelines: logs/source0__chronicle_w_labels-0: receivers: - tcplog exporters: - chronicle/chronicle_w_labelsRestart BindPlane Agent to apply the changes using the following command:
sudo systemctl bindplane restart
Allow syslog ESXi firewall rule
- Go to Networking > Firewall rules.
- Find syslog in the Name column.
- Click Edit settings.
- Update the
tcporudpport you have configured in BindPlane. - Click Save.
- Keep the syslog line selected.
- Select Actions > Enable.
Export Syslog from VMware ESXi using vSphere Client
- Sign in to your ESXi host using vSphere Client.
- Go to Manage > System > Advanced Settings.
- Find the Syslog.global.logHost key in the list.
- Select the key and click Edit option.
- Enter
<protocol>://<destination_IP>:<port>- Replace
<protocol>withtcp(if you configured BindPlane to use UDP, then typeudp). - Replace
<destination_IP>with the IP address of your BindPlane Agent. - Replace
<port>with the port previously setup in BindPlane.
- Replace
- Click Save.
Optional: Export Syslog from VMware ESXi using SSH
- Connect to your ESXi host using SSH.
- Use the command
esxcli system syslog config set --loghost=<protocol>://<destination_IP>:<port>.- Replace
<protocol>withtcp(if you configured BindPlane to use UDP, then typeudp). - Replace
<destination_IP>with the IP address of your BindPlane Agent. - Replace
<port>with the port previously setup in BindPlane.
- Replace
- Restart the syslog service by entering the command
/etc/init.d/syslog restart.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
@fields.alias |
event.idm.read_only_udm.principal.cloud.project.alias |
Directly mapped from the JSON log's @fields.alias field. |
@fields.company_name |
event.idm.read_only_udm.principal.user.company_name |
Directly mapped from the JSON log's @fields.company_name field. |
@fields.facility |
event.idm.read_only_udm.principal.resource.type |
Directly mapped from the JSON log's @fields.facility field. |
@fields.host |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname |
Directly mapped from the JSON log's @fields.host field. |
@fields.privatecloud_id |
event.idm.read_only_udm.principal.cloud.project.id |
Directly mapped from the JSON log's @fields.privatecloud_id field. |
@fields.privatecloud_name |
event.idm.read_only_udm.principal.cloud.project.name |
Directly mapped from the JSON log's @fields.privatecloud_name field. |
@fields.procid |
event.idm.read_only_udm.principal.process.pid |
Directly mapped from the JSON log's @fields.procid field. |
@fields.region_id |
event.idm.read_only_udm.principal.location.country_or_region |
Directly mapped from the JSON log's @fields.region_id field. |
@fields.severity |
event.idm.read_only_udm.security_result.severity |
Mapped from the JSON log's @fields.severity field. If the value is "info" or similar, it's mapped to "INFORMATIONAL". |
@timestamp |
event.idm.read_only_udm.metadata.event_timestamp |
Parsed and converted to a timestamp object from the log's @timestamp field using the date filter. |
adapter |
event.idm.read_only_udm.target.resource.name |
Directly mapped from the raw log's adapter field. |
action |
event.idm.read_only_udm.security_result.action |
Directly mapped from the raw log's action field. Values like "ALLOW" and "BLOCK" are used. |
action |
event.idm.read_only_udm.security_result.action_details |
Directly mapped from the raw log's action field. Values like "Redirect" are used. |
administrative_domain |
event.idm.read_only_udm.principal.administrative_domain |
Directly mapped from the raw log's administrative_domain field. |
agent.hostname |
event.idm.read_only_udm.intermediary.hostname |
Directly mapped from the JSON log's agent.hostname field. |
agent.id |
event.idm.read_only_udm.intermediary.asset.id |
Directly mapped from the JSON log's agent.id field. |
agent.name |
event.idm.read_only_udm.intermediary.asset.name |
Directly mapped from the JSON log's agent.name field. |
agent.type |
event.idm.read_only_udm.intermediary.asset.type |
Directly mapped from the JSON log's agent.type field. |
agent.version |
event.idm.read_only_udm.intermediary.asset.version |
Directly mapped from the JSON log's agent.version field. |
app_name |
event.idm.read_only_udm.principal.application |
Directly mapped from the raw log's app_name field. |
app_protocol |
event.idm.read_only_udm.network.application_protocol |
Directly mapped from the raw log's app_protocol field. If the value matches "http" (case-insensitive), it's mapped to "HTTP". |
application |
event.idm.read_only_udm.principal.application |
Directly mapped from the JSON log's program field. |
cmd |
event.idm.read_only_udm.target.process.command_line |
Directly mapped from the raw log's cmd field. |
collection_time |
event.idm.read_only_udm.metadata.event_timestamp |
The nanoseconds from the collection_time field are added to the seconds from the collection_time field to create the event_timestamp. |
data |
event.idm.read_only_udm.metadata.description |
The raw log message is parsed and relevant parts are extracted to populate the description field. |
descrip |
event.idm.read_only_udm.metadata.description |
Directly mapped from the raw log's descrip field. |
dns.answers.data |
event.idm.read_only_udm.network.dns.answers.data |
Directly mapped from the JSON log's dns.answers.data field. |
dns.answers.ttl |
event.idm.read_only_udm.network.dns.answers.ttl |
Directly mapped from the JSON log's dns.answers.ttl field. |
dns.answers.type |
event.idm.read_only_udm.network.dns.answers.type |
Directly mapped from the JSON log's dns.answers.type field. |
dns.questions.name |
event.idm.read_only_udm.network.dns.questions.name |
Directly mapped from the JSON log's dns.questions.name field. |
dns.questions.type |
event.idm.read_only_udm.network.dns.questions.type |
Directly mapped from the JSON log's dns.questions.type field. |
dns.response |
event.idm.read_only_udm.network.dns.response |
Directly mapped from the JSON log's dns.response field. |
ecs.version |
event.idm.read_only_udm.metadata.product_version |
Directly mapped from the JSON log's ecs.version field. |
event_message |
event.idm.read_only_udm.metadata.description |
Directly mapped from the JSON log's event_message field. |
event_metadata |
event.idm.read_only_udm.principal.process.product_specific_process_id |
The event_metadata field is parsed to extract the opID value, which is then prepended with "opID:" and mapped to the UDM. |
event_type |
event.idm.read_only_udm.metadata.event_type |
Directly mapped from the JSON log's event_type field. |
filepath |
event.idm.read_only_udm.target.file.full_path |
Directly mapped from the raw log's filepath field. |
fields.company_name |
event.idm.read_only_udm.principal.user.company_name |
Directly mapped from the JSON log's fields.company_name field. |
fields.facility |
event.idm.read_only_udm.principal.resource.type |
Directly mapped from the JSON log's fields.facility field. |
fields.host |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname |
Directly mapped from the JSON log's fields.host field. |
fields.privatecloud_id |
event.idm.read_only_udm.principal.cloud.project.id |
Directly mapped from the JSON log's fields.privatecloud_id field. |
fields.privatecloud_name |
event.idm.read_only_udm.principal.cloud.project.name |
Directly mapped from the JSON log's fields.privatecloud_name field. |
fields.procid |
event.idm.read_only_udm.principal.process.pid |
Directly mapped from the JSON log's fields.procid field. |
fields.region_id |
event.idm.read_only_udm.principal.location.country_or_region |
Directly mapped from the JSON log's fields.region_id field. |
fields.severity |
event.idm.read_only_udm.security_result.severity |
Mapped from the JSON log's fields.severity field. If the value is "info" or similar, it's mapped to "INFORMATIONAL". |
host.architecture |
event.idm.read_only_udm.principal.asset.architecture |
Directly mapped from the JSON log's host.architecture field. |
host.containerized |
event.idm.read_only_udm.principal.asset.containerized |
Directly mapped from the JSON log's host.containerized field. |
host.hostname |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname |
Directly mapped from the JSON log's host.hostname field. |
host.id |
event.idm.read_only_udm.principal.asset.id |
Directly mapped from the JSON log's host.id field. |
host.ip |
event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip |
Directly mapped from the JSON log's host.ip field. |
host.mac |
event.idm.read_only_udm.principal.mac, event.idm.read_only_udm.principal.asset.mac |
Directly mapped from the JSON log's host.mac field. |
host.name |
event.idm.read_only_udm.principal.asset.name |
Directly mapped from the JSON log's host.name field. |
host.os.codename |
event.idm.read_only_udm.principal.asset.os.codename |
Directly mapped from the JSON log's host.os.codename field. |
host.os.family |
event.idm.read_only_udm.principal.asset.os.family |
Directly mapped from the JSON log's host.os.family field. |
host.os.kernel |
event.idm.read_only_udm.principal.asset.os.kernel |
Directly mapped from the JSON log's host.os.kernel field. |
host.os.name |
event.idm.read_only_udm.principal.asset.os.name |
Directly mapped from the JSON log's host.os.name field. |
host.os.platform |
event.idm.read_only_udm.principal.asset.os.platform |
Directly mapped from the JSON log's host.os.platform field. |
host.os.version |
event.idm.read_only_udm.principal.asset.os.version |
Directly mapped from the JSON log's host.os.version field. |
iporhost |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname |
Directly mapped from the raw log's iporhost field. |
iporhost |
event.idm.read_only_udm.principal.ip |
Directly mapped from the raw log's iporhost field if it's an IP address. |
iporhost1 |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname |
Directly mapped from the raw log's iporhost1 field. |
kv_data1 |
event.idm.read_only_udm.principal.process.product_specific_process_id |
The kv_data1 field is parsed to extract the opID or sub value, which is then prepended with "opID:" or "sub:" respectively and mapped to the UDM. |
kv_msg |
event.idm.read_only_udm.additional.fields |
The kv_msg field is parsed as key-value pairs and added to the additional_fields array in the UDM. |
kv_msg1 |
event.idm.read_only_udm.additional.fields |
The kv_msg1 field is parsed as key-value pairs and added to the additional_fields array in the UDM. |
lbdn |
event.idm.read_only_udm.target.hostname |
Directly mapped from the raw log's lbdn field. |
log.source.address |
event.idm.read_only_udm.observer.hostname |
Directly mapped from the JSON log's log.source.address field, taking only the hostname part. |
log_event.original |
event.idm.read_only_udm.metadata.description |
Directly mapped from the JSON log's event.original field. |
log_level |
event.idm.read_only_udm.security_result.severity_details |
Directly mapped from the JSON log's log_level field. |
logstash.collect.host |
event.idm.read_only_udm.observer.hostname |
Directly mapped from the JSON log's logstash.collect.host field. |
logstash.collect.timestamp |
event.idm.read_only_udm.metadata.ingested_timestamp |
Parsed and converted to a timestamp object from the log's logstash.collect.timestamp field using the date filter. |
logstash.ingest.host |
event.idm.read_only_udm.intermediary.hostname |
Directly mapped from the JSON log's logstash.ingest.host field. |
logstash.ingest.timestamp |
event.idm.read_only_udm.metadata.ingested_timestamp |
Parsed and converted to a timestamp object from the log's logstash.ingest.timestamp field using the date filter. |
logstash.process.host |
event.idm.read_only_udm.intermediary.hostname |
Directly mapped from the JSON log's logstash.process.host field. |
logstash.process.timestamp |
event.idm.read_only_udm.metadata.ingested_timestamp |
Parsed and converted to a timestamp object from the log's logstash.process.timestamp field using the date filter. |
log_type |
event.idm.read_only_udm.metadata.log_type |
Directly mapped from the raw log's log_type field. |
message |
event.idm.read_only_udm.metadata.description |
Directly mapped from the JSON log's message field. |
message_to_process |
event.idm.read_only_udm.metadata.description |
Directly mapped from the raw log's message_to_process field. |
metadata.event_type |
event.idm.read_only_udm.metadata.event_type |
Set to "GENERIC_EVENT" initially, then potentially overwritten based on the parsed service or other log content. Can be values like PROCESS_LAUNCH, NETWORK_CONNECTION, USER_LOGIN, etc. |
metadata.product_event_type |
event.idm.read_only_udm.metadata.product_event_type |
Directly mapped from the raw log's process_id or prod_event_type field. |
metadata.product_log_id |
event.idm.read_only_udm.metadata.product_log_id |
Directly mapped from the raw log's event_id field. |
metadata.product_name |
event.idm.read_only_udm.metadata.product_name |
Set to "ESX". |
metadata.product_version |
event.idm.read_only_udm.metadata.product_version |
Directly mapped from the JSON log's version field. |
metadata.vendor_name |
event.idm.read_only_udm.metadata.vendor_name |
Set to "VMWARE". |
msg |
event.idm.read_only_udm.metadata.description |
Directly mapped from the raw log's msg field. |
network.application_protocol |
event.idm.read_only_udm.network.application_protocol |
Set to "DNS" if the service is "named", "HTTPS" if the port is 443, or "HTTP" if the app_protocol matches "http". |
network.direction |
event.idm.read_only_udm.network.direction |
Determined from keywords in the raw log, such as "IN", "OUT", "->". Can be INBOUND or OUTBOUND. |
network.http.method |
event.idm.read_only_udm.network.http.method |
Directly mapped from the raw log's method field. |
network.http.parsed_user_agent |
event.idm.read_only_udm.network.http.parsed_user_agent |
Parsed from the useragent field using the convert filter. |
network.http.referral_url |
event.idm.read_only_udm.network.http.referral_url |
Directly mapped from the raw log's prin_url field. |
network.http.response_code |
event.idm.read_only_udm.network.http.response_code |
Directly mapped from the raw log's status_code field and converted to an integer. |
network.http.user_agent |
event.idm.read_only_udm.network.http.user_agent |
Directly mapped from the raw log's useragent field. |
network.ip_protocol |
event.idm.read_only_udm.network.ip_protocol |
Determined from keywords in the raw log, such as "TCP", "UDP". |
network.received_bytes |
event.idm.read_only_udm.network.received_bytes |
Directly mapped from the raw log's rec_bytes field and converted to an unsigned integer. |
network.sent_bytes |
event.idm.read_only_udm.network.sent_bytes |
Extracted from the raw log's message_to_process field. |
network.session_id |
event.idm.read_only_udm.network.session_id |
Directly mapped from the raw log's session field. |
pid |
event.idm.read_only_udm.target.process.parent_process.pid |
Directly mapped from the raw log's pid field. |
pid |
event.idm.read_only_udm.principal.process.pid |
Directly mapped from the JSON log's pid field. |
pid |
event.idm.read_only_udm.target.process.pid |
Directly mapped from the raw log's pid field. |
port |
event.idm.read_only_udm.target.port |
Directly mapped from the JSON log's port field. |
principal.application |
event.idm.read_only_udm.principal.application |
Directly mapped from the raw log's app_name or service field. |
principal.asset.hostname |
event.idm.read_only_udm.principal.asset.hostname |
Directly mapped from the raw log's principal_hostname or iporhost field. |
principal.asset.ip |
event.idm.read_only_udm.principal.asset.ip |
Directly mapped from the raw log's syslog_ip field. |
principal.hostname |
event.idm.read_only_udm.principal.hostname |
Directly mapped from the raw log's principal_hostname or iporhost field. |
principal.ip |
event.idm.read_only_udm.principal.ip |
Directly mapped from the raw log's iporhost or syslog_ip field. |
principal.port |
event.idm.read_only_udm.principal.port |
Directly mapped from the raw log's srcport field. |
principal.process.command_line |
event.idm.read_only_udm.principal.process.command_line |
Directly mapped from the raw log's cmd field. |
principal.process.parent_process.pid |
event.idm.read_only_udm.principal.process.parent_process.pid |
Directly mapped from the raw log's parent_pid field. |
principal.process.pid |
event.idm.read_only_udm.principal.process.pid |
Directly mapped from the raw log's process_id field. |
principal.process.product_specific_process_id |
event.idm.read_only_udm.principal.process.product_specific_process_id |
Extracted from the raw log's message_to_process field, usually prefixed with "opID:". |
principal.url |
event.idm.read_only_udm.principal.url |
Directly mapped from the raw log's prin_url field. |
principal.user.company_name |
event.idm.read_only_udm.principal.user.company_name |
Directly mapped from the JSON log's fields.company_name field. |
principal.user.userid |
event.idm.read_only_udm.principal.user.userid |
Directly mapped from the raw log's USER field. |
priority |
event.idm.read_only_udm.metadata.product_event_type |
Directly mapped from the raw log's priority field. |
program |
event.idm.read_only_udm.principal.application |
Directly mapped from the JSON log's program field. |
qname |
event.idm.read_only_udm.network.dns.questions.name |
Directly mapped from the raw log's qname field. |
response_data |
event.idm.read_only_udm.network.dns.answers.data |
Directly mapped from the raw log's response_data field. |
response_rtype |
event.idm.read_only_udm.network.dns.answers.type |
Directly mapped from the raw log's response_rtype field. The numeric DNS record type is extracted. |
response_ttl |
event.idm.read_only_udm.network.dns.answers.ttl |
Directly mapped from the raw log's response_ttl field. |
rtype |
event.idm.read_only_udm.network.dns.questions.type |
Directly mapped from the raw log's rtype field. The numeric DNS record type is extracted. |
security_result.action |
event.idm.read_only_udm.security_result.action |
Determined from keywords or status in the raw log. Can be ALLOW or BLOCK. |
security_result.action_details |
event.idm.read_only_udm.security_result.action_details |
Extracted from the raw log message, providing more context about the action taken. |
security_result.category |
event.idm.read_only_udm.security_result.category |
Set to POLICY_VIOLATION if the log indicates a firewall rule match. |
security_result.description |
event.idm.read_only_udm.security_result.description |
Extracted from the raw log message, providing more context about the security result. |
security_result.rule_id |
event.idm.read_only_udm.security_result.rule_id |
Directly mapped from the raw log's rule_id field. |
security_result.severity |
event.idm.read_only_udm.security_result.severity |
Determined from keywords in the raw log, such as "info", "warning", "error". Can be INFORMATIONAL, LOW, MEDIUM, or HIGH. |
security_result.severity_details |
event.idm.read_only_udm.security_result.severity_details |
Directly mapped from the raw log's severity or log.syslog.severity.name field. |
security_result.summary |
event.idm.read_only_udm.security_result.summary |
Extracted from the raw log message, providing a concise summary of the security result. |
service |
event.idm.read_only_udm.principal.application |
Directly mapped from the raw log's service field. |
source |
event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname |
Directly mapped from the raw log's source field. |
src.file.full_path |
event.idm.read_only_udm.src.file.full_path |
Extracted from the raw log message. |
src.hostname |
event.idm.read_only_udm.src.hostname |
Directly mapped from the raw log's src.hostname field. |
src_ip |
event.idm.read_only_udm.principal.ip |
Directly mapped from the raw log's src_ip field. |
src_mac_address |
event.idm.read_only_udm.principal.mac |
Directly mapped from the raw log's src_mac_address field. |
srcport |
event.idm.read_only_udm.principal.port |
Directly mapped from the raw log's srcport field. |
srcip |
event.idm.read_only_udm.principal.ip |
Directly mapped from the raw log's srcip field. |
subtype |
event.idm.read_only_udm.metadata.event_type |
Directly mapped from the raw log's subtype field. |
tags |
event.idm.read_only_udm.metadata.tags |
Directly mapped from the JSON log's tags field. |
target.application |
event.idm.read_only_udm.target.application |
Directly mapped from the raw log's target_application field. |
target.file.full_path |
event.idm.read_only_udm.target.file.full_path |
Extracted from the raw log message. |
target.hostname |
event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname |
Directly mapped from the raw log's target_hostname or iporhost field. |
target.ip |
event.idm.read_only_udm.target.ip |
Directly mapped from the raw log's target_ip field. |
target.mac |
event.idm.read_only_udm.target.mac |
Directly mapped from the raw log's target_mac_address field. |
target.port |
event.idm.read_only_udm.target.port |
Directly mapped from the raw log's target_port field. |
target.process.command_line |
event.idm.read_only_udm.target.process.command_line |
Directly mapped from the raw log's cmd field. |
target.process.parent_process.pid |
event.idm.read_only_udm.target.process.parent_process.pid |
Directly mapped from the raw log's parent_pid field. |
target.process.pid |
event.idm.read_only_udm.target.process.pid |
Directly mapped from the raw log's pid field. |
target.process.product_specific_process_id |
event.idm.read_only_udm.target.process.product_specific_process_id |
Extracted from the raw log's message_to_process field, usually prefixed with "opID:". |
target.resource.name |
event.idm.read_only_udm.target.resource.name |
Directly mapped from the raw log's adapter field. |
target.resource.resource_type |
event.idm.read_only_udm.target.resource.resource_type |
Set to VIRTUAL_MACHINE if the log indicates a VM operation. |
target.resource.type |
event.idm.read_only_udm.target.resource.type |
Set to SETTING if the log indicates a setting modification. |
target.user.userid |
event.idm.read_only_udm.target.user.userid |
Directly mapped from the raw log's target_username or user1 field. |
timestamp |
event.timestamp |
Parsed and converted to a timestamp object from the log's timestamp or data field using the date filter. |
type |
event.idm.read_only_udm.additional.fields |
The log's type field is added to the additional_fields array in the UDM with the key "LogType". |
user1 |
event.idm.read_only_udm.target.user.userid |
Directly mapped from the raw log's user1 field. |
useragent |
event.idm.read_only_udm.network.http.user_agent |
Directly mapped from the raw log's useragent field. |
vmw_cluster |
event.idm.read_only_udm.target.resource.name |
Directly mapped from the raw log's vmw_cluster field. |
vmw_datacenter |
event.idm.read_only_udm.target.resource.name |
Directly mapped from the raw log's vmw_datacenter field. |
vmw_host |
event.idm.read_only_udm.target.ip |
Directly mapped from the raw log's vmw_host field. |
vmw_object_id |
event.idm.read_only_udm.target.resource.id |
Directly mapped from the raw log's vmw_object_id field. |
vmw_product |
event.idm.read_only_udm.target.application |
Directly mapped from the raw log's vmw_product field. |
vmw_vcenter |
event.idm.read_only_udm.target.cloud.availability_zone |
Directly mapped from the raw log's vmw_vcenter field. |
vmw_vcenter_id |
event.idm.read_only_udm.target.cloud.availability_zone.id |
Directly mapped from the raw log's vmw_vcenter_id field. |
vmw_vr_ops_appname |
event.idm.read_only_udm.target.application |
Directly mapped from the raw log's vmw_vr_ops_appname field. |
vmw_vr_ops_clustername |
event.idm.read_only_udm.target.resource.name |
Directly mapped from the raw log's vmw_vr_ops_clustername field. |
vmw_vr_ops_clusterrole |
event.idm.read_only_udm.target.resource.type |
Directly mapped from the raw log's vmw_vr_ops_clusterrole field. |
Changes
2024-06-03
- Added support for a new pattern of JSON logs.
2024-05-09
- Added support for new pattern of "snmpd" and "Rhttpproxy" logs.
- Mapped "prod_event_type" to "metadata.product_event_type".
- Mapped "context" to "additional.fields".
2024-02-07
- Bug-Fix:
- Added new Grok patterns to support the SYSLOG logs which are getting dropped.
- Mapped "newVersion" and "filter" to "security_result.detection_fields".
- Mapped "description" to "security_result.description".
2023-10-10
- Modified the following JSON key names using the gsub function:
- "service" to "serv".
- "event" to "log_event".
- "@timestamp" to "timestamp".
- "@version" to "version".
- Added new Grok patterns to handle the JSON logs with new fields.
- Matched the "timestamp" to "RFC 3339" and "TIMESTAMP_ISO8601" formats.
- Mapped "host.hostname" to "principal.hostname".
- Mapped "host.ip" to "principal.ip".
- Mapped "type", "serv.type", "log.syslog.facility.code", "log.syslog.facility.name", "log.syslog.severity.code", "log.syslog.severity.name", and "log.syslog.priority" to "additional.fields".
- Mapped "process.name" to "service".
- Mapped "version" to "metadata.product_version".
- Mapped "severity" to "security_result.severity".
2023-09-25
- Added new Grok patterns to handle the new type of SYSLOG for VMware ESXi.
- Mapped "app_name" to "principal.application".
- Mapped "severity" to "security_result.severity".
2023-07-17
- Bug_fix - Mapped "username" to "target.user.userid".
- Mapped "pid" to "principal.process.pid".
- Mapped "description" to "metadata.description".
2023-06-12
- Bug_fix - Modified mapping of "session" for type "vmauthd". Mapped it to "network.session_id".
2022-09-01
- Bug_fix - Unmapped principal.namespace from its hardcoded value.
2022-08-24
- Enhancement - - Added new date type to parse dates of format "yyyy-MM-ddTHH:mm:s".
2022-08-03
- Enhancement - Added the grok patterns to handle the logs with service :- hostd, vmon andd vrops.
2022-07-26
- Enhancement -
- Where "service" is equal to "Rhttpproxy"
- Modified mapping for "principal.namespace" from "namespace" to "WALMART".
- Mapped "namespace" to "additional.fields".
- Where "service" is equal to "crond"
- Mapped "parent_pid" to "target.process.parent_process.pid".
2022-07-05
- Bugfix - Updated the parser to match the timestamp in "yyyy-MM-ddTHH:mm:ss.SSSS" format.
2022-06-13
- Enhancement - Modified/Added the grok patterns to handle the logs with service :- hostd, sendmail, sshd, sudo, vmcad, vmon, vpxd, vrops.
- Bugfix - Modified "metadata.event_type" for 'vmauthd' logs from "USER_LOGIN" to "GENERIC_EVENT".
2022-05-02
- Bugfix - As per the user requirement, target.hostname mapping changed to principal.ip for the logs which have service as "Hostd".
2022-04-13
- Enhancement-Parsed the logs having the following service names: hostd-probe, vmkernel, vmkwarning, Fdm, netcpa, root, hpHelper, snmpd, etc.
- Mapped logstash.ingest.timestamp to metadata.ingested_timestamp,
- logstash.ingest.host and logstash.process.host to intermediary.hostname,
- logstash.collect.host to observer.hostname.