Configure VMware ESXi Log Ingestion

This tutorial will show you how to onboard an ESXi host into Azure Sentinel via the Log Analytics Agent.

Prerequisites

  1. Log Analytics Agent

    1. If you do not have one, you can follow these steps to create one:

      1. Log Analytics Agent for Windows

      2. Log Analytics Agent for Linux

  2. Configure Azure log collector for syslog

    1. You can follow the link “Collect Syslog data sources with Log Analytics agent” if you haven’t configured it yet.

Scope and Limitation

  1. This tutorial is based on ESXi 7 and above.

  2. This tutorial shows the basic setup. If you have a hardened syslog setup, you may also need to set the other fields in your ESXi advanced settings; search for the prefix “syslog.global” to find them.

    1. You can refer to “Configure Syslog on ESXi Hosts” for more information

Onboarding your ESXi

You have to do this for each of your ESXi hosts.

  1. Log in to your ESXi server

  2. Go to “Host”

  3. Go to “Manage”

  4. Select “System” Tab

  5. Select “Advanced Settings”

  6. Search for “syslog.global.logHost”

  7. Click the edit option

  8. Enter the address of your Log Analytics agent, built from the following parts:

    1. protocol: udp or tcp

    2. IP address or hostname

    3. port

    4. example: udp://192.168.246.3:514

  9. Click “Save”

  10. You can verify that the setup is working by opening your Sentinel log query and checking whether your ESXi hostname appears in the Computer field:

    1. Syslog | distinct Computer

Note: If you have a vSphere setup, you should be able to see all your ESXi hosts from there without logging in to each server one by one.
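As an added example (not part of this tutorial), the shell functions below check that a logHost value has the proto://host:port form used in step 8 before you paste it into the ESXi setting, and print the standard esxcli commands that apply the same value from the ESXi shell once SSH is enabled (see the Appendix). The esxcli command names are real ESXi commands; the hostname logs.example.internal and the marker string sentinel-onboarding-test are assumed values, and 192.168.246.3 is the tutorial's own sample address.

```shell
#!/bin/bash
# Added example, not from the tutorial: validate a syslog.global.logHost
# entry and emit the esxcli commands that apply it on an ESXi host.

# validate_loghost URI -> 0 if URI is proto://host:port (proto udp, tcp or
# ssl, port 1-65535), else 1 with a reason on stderr. ESXi accepts several
# comma-separated targets in the setting; this checks a single entry.
# Bracketed IPv6 hosts are not handled here.
validate_loghost() {
    local uri=$1 rest host port
    case "$uri" in
        udp://*|tcp://*|ssl://*) ;;
        *) echo "reject: protocol must be udp, tcp or ssl: $uri" >&2; return 1 ;;
    esac
    rest=${uri#*://}        # host:port
    host=${rest%%:*}
    port=${rest##*:}
    if [ -z "$host" ] || [ "$host" = "$rest" ]; then
        echo "reject: missing host or port: $uri" >&2; return 1
    fi
    case "$port" in
        ''|*[!0-9]*) echo "reject: port is not numeric: $uri" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "reject: port out of range: $uri" >&2; return 1
    fi
    return 0
}

# esxi_syslog_commands URI -> prints the esxcli commands that set URI as the
# log host, open the ESXi firewall's syslog ruleset, reload the syslog daemon,
# show the resulting config and write a marker line you can search for in
# Sentinel. Run them from the ESXi shell over SSH.
esxi_syslog_commands() {
    local uri=$1
    validate_loghost "$uri" || return 1
    cat <<EOF
esxcli system syslog config set --loghost='$uri'
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli system syslog reload
esxcli system syslog config get
esxcli system syslog mark --message='sentinel-onboarding-test'
EOF
}

# Usage: ./esxi-loghost.sh udp://192.168.246.3:514
if [ "$#" -eq 1 ]; then
    esxi_syslog_commands "$1"
fi
```

After running the printed commands on the host, the marker string appears in the ESXi logs forwarded to the agent, so searching for it in the Syslog table confirms the path end to end.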

Troubleshooting

  1. Make sure your agent is listening on the port (note: depending on your setup, the sample below shows both udp and tcp listeners, but normally syslog listens on udp only)

    netstat -taupn | grep syslog
    tcp        0      0 0.0.0.0:514      0.0.0.0:*      LISTEN      4483/rsyslogd
    udp        0      0 0.0.0.0:514      0.0.0.0:*      LISTEN      4483/rsyslogd
  2. Test whether the port is open (you can do this both locally and remotely)

    1. UDP: nc -z -v -u [ip address] [port]

    2. TCP: nc -z -v [ip address] [port]

    3. A successful connection should look something like

      nc -z -v -u 127.0.0.1 514
      localhost [127.0.0.1] 514 (syslog) open
  3. Test whether you can send a message (you can do this both locally and remotely; note that the TCP command must not use the -u flag, which selects UDP)

    1. UDP: nc -w1 -u [ip address] [port] <<< "testUDP"

    2. TCP: nc -w1 [ip address] [port] <<< "testTCP"

    3. If everything is successful, you should immediately see the Computer name testUDP or testTCP in the Sentinel logs, or you can use this query:

      1. Syslog | where Computer == "testUDP" or Computer == "testTCP"
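The three troubleshooting steps above, as an added example that is not part of the tutorial: functions to run on the Log Analytics agent host that parse the netstat listener check, build a properly framed RFC 3164 syslog line (so the Computer field in Sentinel carries a hostname you choose rather than a bare word), and send it with the right nc flags for udp versus tcp. The netstat sample lines are constructed here to mirror the tutorial's output, and the marker hostname esxi-syslog-test and tag esxitest are assumed values.

```shell
#!/bin/bash
# Added example, not from the tutorial: agent-side checks for the syslog path.

# listener_bound PROTO PORT  (netstat -taupn lines on stdin)
# -> 0 if a line shows PROTO with a local address ending in :PORT, else 1.
# Field 4 is the local address, so a foreign peer on :514 does not match.
listener_bound() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto && $4 ~ (":" port "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# sample_netstat -> constructed lines in the shape of the tutorial's
# "netstat -taupn | grep syslog" output, used for the self-test below.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:514      0.0.0.0:*      LISTEN      4483/rsyslogd
udp        0      0 0.0.0.0:514      0.0.0.0:*                  4483/rsyslogd
EOF
}

# check_listeners PORT -> runs the tutorial's netstat check on this host
# and reports udp and tcp separately.
check_listeners() {
    local port=$1 proto
    for proto in udp tcp; do
        if netstat -taupn 2>/dev/null | listener_bound "$proto" "$port"; then
            echo "$proto/$port: syslog listener bound"
        else
            echo "$proto/$port: no listener (expected for tcp if only udp is configured)"
        fi
    done
}

# syslog_msg HOST TAG TEXT -> "<14>Mmm dd HH:MM:SS HOST TAG: TEXT"
# PRI 14 = facility user (1) * 8 + severity informational (6). The agent
# forwards the HOST token as the Computer value, which is why the tutorial's
# bare "testUDP" shows up under Computer; a framed line makes that explicit.
syslog_msg() {
    local host=$1 tag=$2 text=$3
    printf '<14>%s %s %s: %s' "$(date '+%b %e %H:%M:%S')" "$host" "$tag" "$text"
}

# send_test PROTO HOST PORT MSG -> sends MSG with nc. -u selects UDP and must
# be omitted for TCP. Only TCP yields a meaningful exit status; a UDP send
# "succeeds" even when nothing is listening, so confirm it in Sentinel.
send_test() {
    local proto=$1 host=$2 port=$3 msg=$4
    case "$proto" in
        udp) printf '%s\n' "$msg" | nc -w1 -u "$host" "$port" ;;
        tcp) printf '%s\n' "$msg" | nc -w1 "$host" "$port" ;;
        *)   echo "unknown protocol: $proto (use udp or tcp)" >&2; return 2 ;;
    esac
}

# Usage (on the agent host): ./syslog-check.sh 192.168.246.3 514
if [ "$#" -eq 2 ]; then
    check_listeners "$2"
    send_test udp "$1" "$2" "$(syslog_msg esxi-syslog-test esxitest 'Sentinel onboarding check')"
fi
```

Once the message is sent, the query Syslog | where Computer == "esxi-syslog-test" finds it, and the same hostname can be reused for repeat tests without colliding with real ESXi host names.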

Appendix

  1. Enable SSH access on the ESXi host to troubleshoot connections

    1. Log in to the ESXi server

    2. Click the host

    3. Click on Actions

    4. Click on Services

    5. Enable SSH