VMware vCloud Director
You can use the VMware vCloud Director DSM and the vCloud protocol for JSA to poll the vCloud REST API for events.
JSA supports polling for VMware vCloud Director events from vCloud Director 5.1 appliances. Events that are collected by using the vCloud REST API are assembled as Log Extended Event Format (LEEF) events.
To integrate vCloud events with JSA, you must complete the following tasks:
- On your vCloud appliance, configure a public address for the vCloud REST API.
- On your JSA appliance, configure a log source to poll for vCloud events.
- Ensure that no firewall rules block communication between your vCloud appliance and the JSA console or the managed host that is responsible for polling the vCloud REST API.
Configuring the vCloud REST API Public Address
JSA collects security data from the vCloud API by polling the REST API of the vCloud appliance for events. Before JSA can collect any data, you must configure the public REST API base URL.
- Log in to your vCloud appliance as an administrator.
- Click the Administration tab.
- From the Administration menu, select System Settings > Public Addresses.
- In the VCD public REST API base URL field, type an IP address or host name.
  The address that you specify becomes a publicly available address outside of the firewall or NAT on your vCloud appliance. For example,
- Click Apply.
The public API URL is created on the vCloud appliance.
You can now configure a log source in JSA.
Configuring a vCloud Log Source in JSA
To collect vCloud events, you must configure a log source in JSA with the location and credentials that are required to poll the vCloud API.
- Log in to JSA.
- Click the Admin tab.
- In the navigation menu, click Data Sources.
- Click the Log Sources icon.
- Click Add.
- In the Log Source Name field, type a name for your log source.
- In the Log Source Description field, type a description for your log source.
- From the Log Source Type list, select VMware vCloud Director.
- From the Protocol Configuration list, select VMware vCloud Director.
- Configure the following values:
Table 1: VMware vCloud Director Log Source Parameters

| Parameter | Description |
| --- | --- |
| Log Source Identifier | Type the IP address, host name, or name that identifies the vCloud appliance events to JSA. |
| vCloud URL | Type the URL configured on your vCloud appliance to access the REST API. The URL you type must match the address that you configured in the VCD public REST API base URL field on your vCloud Server. |
| User Name | Type the user name that is required to remotely access the vCloud Server. For example, console/user@organization. If you want to configure a read-only account to use with JSA, you can create a vCloud user in your organization who has the Console Access Only permission. |
| Password | Type the password that is required to remotely access the vCloud Server. |
| Confirm Password | Confirm the password that is required to remotely access the vCloud Server. |
| Polling Interval | Type a polling interval, which is the amount of time between queries to the vCloud Server for new events. The default polling interval is 10 seconds. |
| Enabled | Select this check box to enable the log source. By default, the check box is selected. |
| Credibility | From the list, select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5. |
| Target Event Collector | From the list, select the Target Event Collector to use as the target for the log source. |
| Coalescing Events | Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
| Incoming Event Payload | From the list, select the incoming payload encoder for parsing and storing the logs. |
| Store Event Payload | Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
- Click Save.
- On the Admin tab, click Deploy Changes.
vCloud events that are forwarded to JSA are displayed on the Log Activity tab of JSA.
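Because the collected vCloud events are assembled as LEEF, a stored payload can be checked outside JSA by splitting it into its LEEF header and attributes. The following parser is an added example, not JSA or VMware code. The sample events, their header values and their attributes are constructed, and the parser assumes that LEEF 2.0 events carry the delimiter header field.

```python
# Added example: LEEF 1.0/2.0 line parser. Sample events below are constructed.

def _delimiter(token):
    """Decode a LEEF 2.0 delimiter field: one character, or hex such as x5E / 0x5E."""
    low = token.lower()
    for prefix in ("0x", "x"):
        digits = low[len(prefix):]
        if low.startswith(prefix) and 1 <= len(digits) <= 4:
            try:
                return chr(int(digits, 16))
            except ValueError:
                break
    if len(token) == 1:
        return token
    raise ValueError(f"bad LEEF delimiter field: {token!r}")

def parse_leef(line):
    """Return (header, attributes) dicts for one LEEF event line."""
    start = line.find("LEEF:")  # tolerate a syslog header in front of the event
    if start < 0:
        raise ValueError("not a LEEF event")
    event = line[start:].rstrip("\r\n")
    version = event[5:].split("|", 1)[0]
    if version not in ("1.0", "2.0"):
        raise ValueError(f"unsupported LEEF version: {version!r}")
    # 1.0: five header fields, tab-separated attributes.
    # 2.0: a sixth header field names the attribute delimiter (assumed present).
    n_header = 5 if version == "1.0" else 6
    parts = event.split("|", n_header)
    if len(parts) != n_header + 1:
        raise ValueError("truncated LEEF header")
    delim = "\t" if version == "1.0" else _delimiter(parts[5])
    header = dict(zip(("vendor", "product", "version", "event_id"), parts[1:5]))
    header["leef_version"] = version
    attrs = {}
    for pair in parts[-1].split(delim):
        key, sep, value = pair.partition("=")  # values may themselves contain '='
        if sep and key.strip():
            attrs[key.strip()] = value.strip()
    return header, attrs

# Constructed samples: header values and attributes are illustrative only.
SAMPLE_V1 = ("<13>Jan 18 11:07:53 192.0.2.5 LEEF:1.0|VMware|vCloud Director|5.1|"
             "example/event|devTime=2013-01-18T11:07:53Z\tusrName=jsa-reader@org1\tsrc=192.0.2.10")
SAMPLE_V2 = "LEEF:2.0|VMware|vCloud Director|5.1|example/event|x5E|usrName=a=b^src=192.0.2.10"

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        print(parse_leef(sample))
```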