VMware ESX and ESXi

The EMC VMware DSM for JSA collects ESX and ESXi server events by using the VMware protocol or syslog. The EMC VMware DSM supports events from VMware ESX or ESXi 3.x, 4.x, or 5.x servers.

To collect VMware ESX or ESXi events, you can select one of the following event collection methods:

Configuring Syslog on VMware ESX and ESXi Servers

To collect syslog events for VMware, you must configure the server to forward events by using syslogd from your ESXi server to JSA.

  1. Log in to your VMware vSphere Client.

  2. Select the host that manages your VMware inventory.

  3. Click the Configuration tab.

  4. From the Software pane, click Advanced Settings.

  5. In the navigation menu, click Syslog.

  6. Configure values for the following parameters:

    Table 1: VMware Syslog Protocol Parameters

    | Parameter | ESX version | Description |
    |---|---|---|
    | Syslog.Local.DatastorePath | ESX or ESXi 3.5.x or 4.x | Type the directory path for the local syslog messages on your ESXi server. The default directory path is [] /scratch/log/messages. |
    | Syslog.Remote.Hostname | ESX or ESXi 3.5.x or 4.x | Type the IP address or host name of JSA. |
    | Syslog.Remote.Port | ESX or ESXi 3.5.x or 4.x | Type the port number the ESXi server uses to forward syslog data. The default is port 514. |
    | Syslog.global.logHost | ESXi v5.x | Type the URL and port number that the ESXi server uses to forward syslog data. Examples: udp://<JSA IP address>:514 and tcp://<JSA IP address>:514 |

  7. Click OK to save the configuration.

    The default firewall configuration on VMware ESXi v5.x and VMware ESXi v6.x servers disables outgoing connections by default. When outgoing syslog connections are disabled, the internal syslog forwarder cannot send security and access events to JSA.

    By default, the syslog firewall configuration for VMware products allows only outgoing syslog communications. To prevent security risks, do not edit the default syslog firewall rule to enable incoming syslog connections.

Enabling Syslog Firewall Settings on vSphere Clients

To forward syslog events from an ESXi v5.x or ESXi v6.x server, you must edit your security policy to enable outgoing syslog connections for events.

  1. Log in to your ESXi v5.x or ESXi v6.x server from a vSphere client.

  2. From the Inventory list, select your ESXi Server.

  3. Click the Manage tab and select Security Profile.

  4. In the Firewall section, click Properties.

  5. In the Firewall Properties window, select the syslog check box.

  6. Click OK.

Enabling Syslog Firewall Settings on vSphere Clients by Using the Esxcli Command

As an alternative, to forward syslog events from ESXi v5.x or ESXi v6.x servers, you can configure an ESXi firewall exception by using the esxcli command.

Note:

To forward syslog logs, you might need to manually open the Firewall rule set. This firewall rule does not affect ESXi 5.0 build 456551. The UDP port 514 traffic flows.

To open outbound traffic through the ESXi Firewall on UDP port 514 and on TCP ports 514 and 1514, run the following commands:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

esxcli network firewall refresh
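
The syslog and firewall steps above, done from the ESXi shell and then read back to confirm that they took effect. This is an added example, not part of the vendor documentation: `esxcli system syslog config set --loghost` and `esxcli system syslog reload` are the command-line counterpart of the Syslog.global.logHost setting, and the collector address and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not vendor code. JSA_TARGET is a placeholder collector
# address (192.0.2.10 is a documentation address).
JSA_TARGET="${JSA_TARGET:-udp://192.0.2.10:514}"

# Accept only the Table 1 forms udp://<host>:<port> or tcp://<host>:<port>.
# Hosts are limited to letters, digits, dots and hyphens (no bracketed IPv6).
valid_loghost() {
    case "$1" in
        udp://?*:?*|tcp://?*:?*) ;;
        *) return 1 ;;
    esac
    host="${1#*://}"; host="${host%:*}"; port="${1##*:}"
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# stdin: output of `esxcli network firewall ruleset list`.
# Succeeds only if a syslog row exists and its Enabled column is true.
syslog_ruleset_enabled() {
    awk '$1 == "syslog" { seen = 1; on = ($2 == "true") }
         END { exit !(seen && on) }'
}

# stdin: output of `esxcli system syslog config get` (assumed layout:
# one "Remote Host: <value>" line). Succeeds only if the value equals $1.
remote_host_is() {
    awk -v want="$1" -F': ' '/^ *Remote Host:/ { got = $2 }
         END { sub(/[ \t\r]+$/, "", got); exit !(got == want) }'
}

# Set the log host, open the outbound syslog ruleset, then read both back.
apply_and_verify() {
    valid_loghost "$JSA_TARGET" || { echo "bad loghost: $JSA_TARGET" >&2; return 2; }
    esxcli system syslog config set --loghost="$JSA_TARGET" &&
    esxcli system syslog reload &&
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true &&
    esxcli network firewall refresh || return 1
    esxcli system syslog config get | remote_host_is "$JSA_TARGET" &&
    esxcli network firewall ruleset list | syslog_ruleset_enabled
}

# Only touch the host when esxcli exists, that is, on an ESXi shell.
if command -v esxcli >/dev/null 2>&1; then
    apply_and_verify && echo "syslog forwarding to $JSA_TARGET verified"
fi
```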

Syslog Log Source Parameters for VMware ESX or ESXi

If JSA does not automatically detect the log source, add an EMC VMware log source on the JSA Console by using the Syslog protocol.

When using the Syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog events from VMware ESX or ESXi:

Table 2: Syslog Log Source Parameters for the EMC VMware DSM

| Parameter | Description |
|---|---|
| Log Source Name (Optional) | Type a name for your log source. |
| Log Source Type | EMC VMware |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your EMC VMware server. |
| Enabled | Select this check box to enable the log source. By default, the check box is selected. |
| Credibility | From the list, select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5. |
| Target Event Collector | From the list, select the Target Event Collector to use as the target for the log source. |
| Coalescing Events | Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
| Incoming Event Payload | From the list, select the incoming payload encoder for parsing and storing the logs. |
| Store Event Payload | Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |

Configuring the VMware Protocol for ESX or ESXi Servers

You can configure the VMware protocol to read events from your VMware ESXi server. The VMware protocol uses HTTPS to poll ESX and ESXi servers for events.

Before you configure your log source to use the VMware protocol, it is suggested that you create a unique user to poll for events. This user can be created as a member of the root or administrative group, but you must provide the user with an assigned role of read-only permission. This ensures that JSA can collect the maximum number of events and retain a level of security for your virtual servers. For more information about user roles, see your VMware documentation.

To integrate EMC VMware with JSA, you must complete the following tasks:

  1. Create an ESX account for JSA.

  2. Configure account permissions for the JSA user.

  3. Configure the VMware protocol in JSA.

Creating a user who is not part of the root or an administrative group might lead to some events not being collected by JSA. It is suggested that you create your JSA user to include administrative privileges, but assign this custom user a read-only role.

Creating an Account for JSA in ESX

You can create a JSA user account for EMC VMware to allow the protocol to properly poll for events.

  1. Log in to your ESX host by using the vSphere Client.

  2. Click the Local Users & Groups tab.

  3. Click Users.

  4. Right-click and select Add.

  5. Configure the following parameters:

    1. Login: Type a login name for the new user.

    2. UID: Optional. Type a user ID.

    3. User Name: Type a user name for the account.

    4. Password: Type a password for the account.

    5. Confirm Password: Type the password again as confirmation.

    6. Group: From the Group list, select root.

  6. Click Add.

  7. Click OK.

Configuring Read-only Account Permissions

For security reasons, configure your JSA user account as a member of your root or admin group, but select an assigned role of read-only permissions.

Read-only permission allows the JSA user account to view and collect events by using the VMware protocol.

  1. Click the Permissions tab.

  2. Right-click and select Add Permissions.

  3. On the Users and Groups window, click Add.

  4. Select your JSA user and click Add.

  5. Click OK.

  6. From the Assigned Role list, select Read-only.

  7. Click OK.

EMC VMware Log Source Parameters for VMware ESX or ESXi

If JSA does not automatically detect the log source, add an EMC VMware log source on the JSA Console by using the EMC VMware protocol.

When using the EMC VMware protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect EMC VMware events from VMware ESX or ESXi:

Table 3: VMware Protocol Parameters

| Parameter | Description |
|---|---|
| Log Source Name (Optional) | Type a name for your log source. |
| Log Source Type | EMC VMware |
| Log Source Identifier | Type the IP address or host name for the log source. This value must match the value that is configured in the ESX IP field. |
| ESX IP | Type the IP address of the VMware ESX or ESXi server. The VMware protocol prepends the IP address of your VMware ESX or ESXi server with HTTPS before the protocol requests event data. |
| User Name | Type the user name that is required to access the VMware server. |
| Password | Type the password that is required to access the VMware server. |

EMC VMware sample event messages

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

EMC VMware sample message when you use the Syslog protocol

Sample 1: The following sample event message shows that an event is generated by the hostd process on an ESXi/ESX host to report that a user is logged out.

Table 4: Highlighted values in the EMC VMware event

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | User |
| Source IP | 10.21.120.237 |
| Username | root |
| Identity IP | 10.21.120.237 |
| Identity Username | root |

Sample 2: The following sample event message shows that a virtual machine (VM) is powered off.

Table 5: Highlighted values in the EMC VMware event

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | VmPoweredOffEvent |
| Source IP | 10.16.210.163 |
| Username | userName |

Sample 3: The following sample event message shows that a user login session is in progress.

Table 6: Highlighted values in the EMC VMware event

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | UserLoginSessionEvent |
| Source | 172.16.210.35 |
| Destination IP | 172.16.210.175 |
| Username | root |