VMware ESX and ESXi

The EMC VMware DSM for JSA collects ESX and ESXi server events by using the VMware protocol or syslog. The EMC VMware DSM supports events from VMware ESX or ESXi 3.x, 4.x, or 5.x servers.

To collect VMware ESX or ESXi events, you can select one of the following event collection methods:

Configuring Syslog on VMWare ESX and ESXi Servers

To collect syslog events for VMWare, you must configure the server to forward events by using syslogd from your ESXi server to JSA.

  1. Log in to your VMWare vSphere Client.
  2. Select the host that manages your VMWare inventory.
  3. Click the Configuration tab.
  4. From the Software pane, click Advanced Settings.
  5. In the navigation menu, click Syslog.
  6. Configure values for the following parameters:

    Table 1: VMWare Syslog Protocol Parameters (parameter, ESX version, description)

    Syslog.Local.DatastorePath (ESX or ESXi 3.5.x or 4.x)
      Type the directory path for the local syslog messages on your ESXi server. The default directory path is [] /scratch/log/messages.

    Syslog.Remote.Hostname (ESX or ESXi 3.5.x or 4.x)
      Type the IP address or host name of JSA.

    Syslog.Remote.Port (ESX or ESXi 3.5.x or 4.x)
      Type the port number the ESXi server uses to forward syslog data. The default is port 514.

    Syslog.global.logHost (ESXi v5.x)
      Type the URL and port number that the ESXi server uses to forward syslog data. Examples:

        udp://<JSA IP address>:514

        tcp://<JSA IP address>:514

  7. Click OK to save the configuration.

    The default firewall configuration on VMWare ESXi v5.x and VMware ESXi v6.x servers disables outgoing connections. While outgoing syslog connections are disabled, the internal syslog forwarder cannot send security and access events to JSA.

    By default, the syslog firewall rule for VMWare products allows only outgoing syslog communications. To prevent security risks, do not edit the default syslog firewall rule to enable incoming syslog connections.

Enabling Syslog Firewall Settings on VSphere Clients

To forward syslog events from an ESXi v5.x or ESXi v6.x server, you must edit your security policy to enable outgoing syslog connections for events.

  1. Log in to your ESXi v5.x or ESXi v6.x server from a vSphere client.
  2. From the Inventory list, select your ESXi Server.
  3. Click the Manage tab and select Security Profile.
  4. In the Firewall section, click Properties.
  5. In the Firewall Properties window, select the syslog check box.
  6. Click OK.

Enabling Syslog Firewall Settings on VSphere Clients by Using the Esxcli Command

As an alternative, to forward syslog events from ESXi v5.x or ESXi v6.x servers you can configure the ESXi firewall exception by using the esxcli command.

Note

To forward syslog logs, you might need to manually open the firewall rule set. This firewall rule does not affect ESXi 5.0 build 456551; on that build, UDP port 514 traffic flows.

To open outbound traffic through the ESXi Firewall on UDP port 514 and on TCP ports 514 and 1514, run the following commands:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

esxcli network firewall refresh
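The following script is an added example and is not part of the JSA documentation. It performs the same change from the ESXi shell: it builds and validates the Syslog.global.logHost value from Table 1, applies it with the esxcli syslog commands (assumed available on ESXi 5.x and later), enables the outbound syslog rule set exactly as above, and lists the rule set afterwards so the change can be verified. The JSA address is a placeholder; set ESXCLI=echo to dry-run the commands without touching the host.

```shell
#!/bin/sh
# Added example, not from the JSA documentation. Assumes it runs on the ESXi
# host shell with esxcli on PATH; the JSA address used in the usage comment
# (198.51.100.10) is a documentation placeholder, not a real collector.

ESXCLI="${ESXCLI:-esxcli}"   # set ESXCLI=echo to print commands instead of running them

# Build and validate a Syslog.global.logHost value of the form proto://host:port.
# Only udp and tcp are accepted, matching the examples in Table 1; port defaults to 514.
loghost_url() {
    proto="$1"; host="$2"; port="${3:-514}"
    case "$proto" in
        udp|tcp) ;;
        *) echo "unsupported scheme: $proto" >&2; return 1 ;;
    esac
    [ -n "$host" ] || { echo "missing host" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    printf '%s://%s:%s\n' "$proto" "$host" "$port"
}

# Point the ESXi syslog forwarder at JSA, reload syslog, then enable the
# outbound "syslog" rule set. The rule set is outbound-only by default, so this
# does not open an inbound syslog port on the host.
configure_syslog_forwarding() {
    url=$(loghost_url "$@") || return 1
    "$ESXCLI" system syslog config set --loghost="$url" || return 1
    "$ESXCLI" system syslog reload || return 1
    "$ESXCLI" network firewall ruleset set --ruleset-id=syslog --enabled=true || return 1
    "$ESXCLI" network firewall refresh || return 1
    # Show the rule set so the Enabled column can be checked after the change
    "$ESXCLI" network firewall ruleset list --ruleset-id=syslog
}

# Usage on the host (placeholder address):
#   configure_syslog_forwarding udp 198.51.100.10 514
```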

Configuring a Syslog Log Source for VMware ESX or ESXi

JSA automatically discovers and creates a log source for syslog events from VMWare. The following configuration steps are optional.

  1. Click the Admin tab.
  2. Click the Log Sources icon.
  3. Click Add.
  4. In the Log Source Name field, type a name for your log source.
  5. From the Log Source Type list, select EMC VMWare.
  6. Using the Protocol Configuration list, select Syslog.
  7. Configure the following values:

    Table 2: Syslog Protocol Parameters (parameter, description)

    Log Source Identifier
      Type the IP address or host name for the log source as an identifier for events from your EMC VMWare server.

    Enabled
      Select this check box to enable the log source. By default, the check box is selected.

    Credibility
      From the list, select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

    Target Event Collector
      From the list, select the Target Event Collector to use as the target for the log source.

    Coalescing Events
      Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

    Incoming Event Payload
      From the list, select the incoming payload encoder for parsing and storing the logs.

    Store Event Payload
      Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

  8. Click Save.
  9. On the Admin tab, click Deploy Changes.

Configuring the VMWare Protocol for ESX or ESXi Servers

You can configure the VMWare protocol to read events from your VMWare ESXi server. The VMware protocol uses HTTPS to poll ESX and ESXi servers for events.

Before you configure your log source to use the VMWare protocol, it is suggested that you create a unique user to poll for events. This user can be created as a member of the root or administrative group, but you must provide the user with an assigned role of read-only permission. This ensures that JSA can collect the maximum number of events and retain a level of security for your virtual servers. For more information about user roles, see your VMWare documentation.

To integrate EMC VMWare with JSA, you must complete the following tasks:

  1. Create an ESX account for JSA.

  2. Configure account permissions for the JSA user.

  3. Configure the VMWare protocol in JSA.

Creating a user who is not part of the root or an administrative group might lead to some events not being collected by JSA. It is suggested that you create your JSA user to include administrative privileges, but assign this custom user a read-only role.

Creating an Account for JSA in ESX

You can create a JSA user account for EMC VMWare to allow the protocol to properly poll for events.

  1. Log in to your ESX host by using the vSphere Client.
  2. Click the Local Users & Groups tab.
  3. Click Users.
  4. Right-click and select Add.
  5. Configure the following parameters:
    1. Login: Type a login name for the new user.

    2. UID: Optional. Type a user ID.

    3. User Name: Type a user name for the account.

    4. Password: Type a password for the account.

    5. Confirm Password: Type the password again as confirmation.

    6. Group: From the Group list, select root.

  6. Click Add.
  7. Click OK.

Configuring Read-only Account Permissions

For security reasons, configure your JSA user account as a member of your root or admin group, but select an assigned role of read-only permissions.

Read-only permission allows the JSA user account to view and collect events by using the VMWare protocol.

  1. Click the Permissions tab.
  2. Right-click and select Add Permissions.
  3. On the Users and Groups window, click Add.
  4. Select your JSA user and click Add.
  5. Click OK.
  6. From the Assigned Role list, select Read-only.
  7. Click OK.

Configuring a Log Source for the VMWare Protocol

You can configure a log source with the VMWare protocol to poll for EMC VMWare events.

  1. Click the Admin tab.
  2. Click the Log Sources icon.
  3. Click Add.
  4. In the Log Source Name field, type a name for your log source.
  5. From the Log Source Type list, select EMC VMWare.
  6. Using the Protocol Configuration list, select EMCVMWare.
  7. Configure the following values:

    Table 3: VMWare Protocol Parameters (parameter, description)

    Log Source Identifier
      Type the IP address or host name for the log source. This value must match the value that is configured in the ESX IP field.

    ESX IP
      Type the IP address of the VMWare ESX or ESXi server. For example, 1.1.1.1. The VMware protocol prepends the IP address of your VMware ESX or ESXi server with HTTPS before the protocol requests event data.

    User Name
      Type the user name that is required to access the VMWare server.

    Password
      Type the password that is required to access the VMWare server.

  8. Click Save.
  9. On the Admin tab, click Deploy Changes.