VMware ESX and ESXi
The EMC VMware DSM for JSA collects ESX and ESXi server events by using the VMware protocol or syslog. The EMC VMware DSM supports events from VMware ESX or ESXi 3.x, 4.x, or 5.x servers.
To collect VMware ESX or ESXi events, you can select one of the following event collection methods:
Configuring Syslog on VMware ESX and ESXi Servers
To collect syslog events for VMware, you must configure the server to forward events by using syslogd from your ESXi server to JSA.
Log in to your VMware vSphere Client.
Select the host that manages your VMware inventory.
Click the Configuration tab.
From the Software pane, click Advanced Settings.
In the navigation menu, click Syslog.
Configure values for the following parameters:
Table 1: VMware Syslog Protocol Parameters
Parameter | ESX version | Description |
---|---|---|
Syslog.Local.DatastorePath | ESX or ESXi 3.5.x or 4.x | Type the directory path for the local syslog messages on your ESXi server. The default directory path is [] /scratch/log/messages. |
Syslog.Remote.Hostname | ESX or ESXi 3.5.x or 4.x | Type the IP address or host name of JSA. |
Syslog.Remote.Port | ESX or ESXi 3.5.x or 4.x | Type the port number the ESXi server uses to forward syslog data. The default is port 514. |
Syslog.global.logHost | ESXi v5.x | Type the URL and port number that the ESXi server uses to forward syslog data. Examples: udp://<JSA IP address>:514, tcp://<JSA IP address>:514 |
Click OK to save the configuration.
The default firewall configuration on VMware ESXi v5.x and VMware ESXi v6.x servers disables outgoing connections. While outgoing syslog connections are disabled, the internal syslog forwarder is prevented from sending security and access events to JSA.
By default, the syslog firewall configuration for VMware products allows only outgoing syslog communications. To prevent security risks, do not edit the default syslog firewall rule to enable incoming syslog connections.
Enabling Syslog Firewall Settings on vSphere Clients
To forward syslog events from an ESXi v5.x or ESXi v6.x server, you must edit your security policy to enable outgoing syslog connections for events.
Log in to your ESXi v5.x or ESXi v6.x server from a vSphere client.
From the Inventory list, select your ESXi Server.
Click the Manage tab and select Security Profile.
In the Firewall section, click Properties.
In the Firewall Properties window, select the syslog check box.
Click OK.
Enabling Syslog Firewall Settings on vSphere Clients by Using the Esxcli Command
As an alternative, to forward syslog events from ESXi v5.x or ESXi v6.x servers, you can configure an ESXi firewall exception by using the esxcli command.
To forward syslog logs, you might need to manually open the firewall rule set. This firewall rule does not affect ESXi 5.0 build 456551. The UDP port 514 traffic flows.
To open outbound traffic through the ESXi Firewall on UDP port 514 and on TCP ports 514 and 1514, run the following commands:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
Syslog Log Source Parameters for VMware ESX or ESXi
If JSA does not automatically detect the log source, add an EMC VMware log source on the JSA Console by using the Syslog protocol.
When using the Syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from VMware ESX or ESXi:
Parameter | Description |
---|---|
Log Source Name (Optional) | Type a name for your log source. |
Log Source Type | EMC VMware |
Protocol Configuration | Syslog |
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your EMC VMware server. |
Enabled | Select this check box to enable the log source. By default, the check box is selected. |
Credibility | From the list, select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5. |
Target Event Collector | From the list, select the Target Event Collector to use as the target for the log source. |
Coalescing Events | Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
Incoming Event Payload | From the list, select the incoming payload encoder for parsing and storing the logs. |
Store Event Payload | Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
Configuring the VMware Protocol for ESX or ESXi Servers
You can configure the VMware protocol to read events from your VMware ESXi server. The VMware protocol uses HTTPS to poll ESX and ESXi servers for events.
Before you configure your log source to use the VMware protocol, it is suggested that you create a unique user to poll for events. This user can be created as a member of the root or administrative group, but you must provide the user with an assigned role of read-only permission. This ensures that JSA can collect the maximum number of events and retain a level of security for your virtual servers. For more information about user roles, see your VMware documentation.
To integrate EMC VMware with JSA, you must complete the following tasks:
Create an ESX account for JSA.
Configure account permissions for the JSA user.
Configure the VMware protocol in JSA.
Creating a user who is not part of the root or an administrative group might lead to some events not being collected by JSA. It is suggested that you create your JSA user to include administrative privileges, but assign this custom user a read-only role.
Creating an Account for JSA in ESX
You can create a JSA user account for EMC VMware to allow the protocol to properly poll for events.
Log in to your ESX host by using the vSphere Client.
Click the Local Users & Groups tab.
Click Users.
Right-click and select Add.
Configure the following parameters:
Login: Type a login name for the new user.
UID: Optional. Type a user ID.
User Name: Type a user name for the account.
Password: Type a password for the account.
Confirm Password: Type the password again as confirmation.
Group: From the Group list, select root.
Click Add.
Click OK.
Configuring Read-only Account Permissions
For security reasons, configure your JSA user account as a member of your root or admin group, but select an assigned role of read-only permissions.
Read-only permission allows the JSA user account to view and collect events by using the VMware protocol.
Click the Permissions tab.
Right-click and select Add Permissions.
On the Users and Groups window, click Add.
Select your JSA user and click Add.
Click OK.
From the Assigned Role list, select Read-only.
Click OK.
EMC VMware Log Source Parameters for VMware ESX or ESXi
If JSA does not automatically detect the log source, add an EMC VMware log source on the JSA Console by using the EMC VMware protocol.
When using the EMC VMware protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect EMC VMware events from VMware ESX or ESXi:
Parameter | Description |
---|---|
Log Source Name (Optional) | Type a name for your log source. |
Log Source Type | EMC VMware |
Log Source Identifier | Type the IP address or host name for the log source. This value must match the value that is configured in the ESX IP field. |
ESX IP | Type the IP address of the VMware ESX or ESXi server. The VMware protocol prepends the IP address of your VMware ESX or ESXi server with HTTPS before the protocol requests event data. |
User Name | Type the user name that is required to access the VMware server. |
Password | Type the password that is required to access the VMware server. |
EMC VMware sample event messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
EMC VMware sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that an event is generated by the hostd process on an ESXi/ESX host to report that a user is logged out.
<166>2019-05-21T19:27:32.479Z emc.vmware.test Hostd: info hostd[111111] [Originator@1111 sub=Vimsvc.ha-eventmgr opID=1a111a11 user=root] Event 136 : User root@10.21.120.237 logged out (login time: Tuesday, 21 May, 2019 19:11:51, number of API invocations: 0, user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ 10.0.3729.131 Safari/537.36)
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | User |
Source IP | 10.21.120.237 |
Username | root |
Identity IP | 10.21.120.237 |
Identity Username | root |
Sample 2: The following sample event message shows that a virtual machine (VM) is powered off.
1111111111111 emc.vmware.test LEEF:1.0|EMC|VMWare|1|VmPoweredOffEvent|usrName=userName devTime=1369411554256 msg=example on 10.16.210.163 in company is powered off
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | VmPoweredOffEvent |
Source IP | 10.16.210.163 |
Username | userName |
Sample 3: The following sample event message shows that a user login session is in progress.
Dec 23 14:43:56 172.16.210.175 LEEF:1.0|EMC|VMWare|1|UserLoginSessionEvent|usrName=root src=172.16.210.35 msg=User root@172.16.210.35 logged in
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | UserLoginSessionEvent |
Source | 172.16.210.35 |
Destination IP | 172.16.210.175 |
Username | root |
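The field mappings listed for Samples 2 and 3 can be checked before events reach JSA with a small parser. This is an added example in Python, not JSA's DSM parser and not code from this page; it extracts the reporting host, event ID, user name and source IP from the LEEF 1.0 samples. The function names, the space-delimited attribute split, and the fallback to the first IPv4 address in msg when no src attribute is present (inferred from the Sample 2 table) are assumptions.

```python
import re

# Constructed input: Samples 2 and 3 from this page, joined onto single lines.
SAMPLES = [
    "1111111111111 emc.vmware.test LEEF:1.0|EMC|VMWare|1|VmPoweredOffEvent|"
    "usrName=userName devTime=1369411554256 "
    "msg=example on 10.16.210.163 in company is powered off",
    "Dec 23 14:43:56 172.16.210.175 LEEF:1.0|EMC|VMWare|1|UserLoginSessionEvent|"
    "usrName=root src=172.16.210.35 msg=User root@172.16.210.35 logged in",
]

# Syslog host token, then LEEF:1.0|vendor|product|version|eventID|attributes
LEEF_RE = re.compile(
    r"(\S+)\s+LEEF:1\.0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
# A key opens the attribute string or follows a tab/space; its value runs
# to the next key. Assumption: values never contain " word=" themselves.
KEY_RE = re.compile(r"(?:^|[\t ])([A-Za-z][A-Za-z0-9]*)=")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_leef_attrs(payload):
    """Split 'k1=v1 k2=v2 with spaces' into a dict."""
    keys = list(KEY_RE.finditer(payload))
    attrs = {}
    for i, match in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(payload)
        attrs[match.group(1)] = payload[match.end():end].strip()
    return attrs


def normalize(line):
    """Return the fields the sample tables list, or None if not LEEF 1.0."""
    line = line.replace("\r", "").replace("\n", "")  # strip CR/LF first
    leef = LEEF_RE.search(line)
    if leef is None:
        return None
    attrs = parse_leef_attrs(leef.group(6))
    source_ip = attrs.get("src")
    if source_ip is None:  # assumption: fall back to first IPv4 in msg
        found = IPV4_RE.search(attrs.get("msg", ""))
        source_ip = found.group(0) if found else None
    return {"reporting_host": leef.group(1), "event_id": leef.group(5),
            "username": attrs.get("usrName"), "source_ip": source_ip}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```

A line that returns None, or a source IP that differs from the table, usually means the payload still contains wrapped text or the attribute delimiter differs from the one assumed here.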