VMware : Forwarding vSphere Audit and Authentication Events from vRealize Log Insight to a SIEM

vRealize Log Insight makes it very easy to collect events from vCenter and ESX, and we even have a robust set of content packs for vSphere, but some customers require their auditing events to go to a 3^rd party SIEM due to information security requirements. In that use case, we can forward our audit logs via vRLI event forwarding to a SIEM. Let's look at how to do that here.

Finding Auditing and Authentication Dashboards in Log Insight

If we look at our out-of-the-box dashboards in Log Insight, most of the work of developing queries to forward events to our SIEM is already done!

Under the vSphere content pack, expand to find Auditing and Authentication.

Under authentication, we have dashboards with typical events that we would forward to a SIEM. (Failed logins, successful logins, admin logins)

Finding the Queries that the Dashboards are Created From

If we click on the top leftmost icon (looks like a bar graph with an arrow) in the group of icons to the top right of any widget, it will bring us to the interactive analysis page. This is where we can see the query that is being used to gather these events. In this case, we click on the interactive analysis button for the 'vCenter Server logins by type' dashboard.

In Interactive Analysis, we can see the query being used to pull up all vCenter authentication events.

Now all we have to do is go to the event forwarding section of Log Insight and create a new forwarding rule to send those event types to our SIEM. Specific details on the event forwarding feature aren't covered here, but are covered in our official documentation.

Creating a Forwarding Rule to our SIEM

We can use the 'vc_event_type' field, which should match the same event types as in the query above. Once we specify our SIEM host name and transport protocol, if your destination is configured correctly, we should start seeing events.

Now that the forwarding rule has been created, we can look in our SIEM for our vCenter authentication event. I ran a query for 'BadUsernameSessionEvent', and the event came up in our SIEM.

Creating a Forwarding Rule via Text Matching

While the example above was relatively straightforward, creating event forwarding rules isn't always that easy. The field 'vc_event_type' is a 'static field' that comes straight from our vCenter logs, so we can use it as a forwarding field. Some fields, known as 'extracted fields', are fields that are added to an event in Log Insight via regex after ingestion. Most content packs use extracted fields to create the useful dashboards and widgets we rely on, but you can't create forwarding rules based on extracted fields, so we need to be a little more clever.

Let's go back to our vCenter Authentication events dashboard and open the interactive analysis for 'ESX logins by type'. Remember, just click the bar chart icon with the arrow circled in the image below to get to Interactive Analysis for a widget.

Uh oh, it looks like 'vmw_esxi_auth_type' is an extracted field. It is created after ingestion using regex. If you click on the little pencil at the right near 'Manage Fields' and search for the field, you can see the regex pattern used to create it.

The regex pattern under the field name defines how the field is created and what its extracted from.

So now, if we go to create a forwarding rule based on that field, we can't because it doesn't appear in our list of fields to choose from under the filter section.

Now, what we can do is filter based on text matching. Let's go back to the interactive analysis query for the 'ESXi Logins by Type' dashboard.

If we sort the events by 'event type', we can look for text patterns in our events to create filters from. It looks like all of the events captured by this query are from the 'hostd' ESXi log on the host, and have the words 'logged in as' in the body of the message.

Next, lets check out the 'Failed login attempts by source and ESXi host' dashboard and drill down into the interactive analysis.

This widget isn't shy about using text matching, so we can use the text 'rejected password by user' for our forwarding rule.

Now that we have some text patterns to match on, lets create a new forwarding rule for our ESXi logins. Our filters will be 'appname matches hostd', since the hostd log is where our ESX login events come from, and the text fields '*logged in as*' and '*rejected password for user*'. Don't forget the wildcard asterisks or the filter wont work. We can test this filter to make sure it returns events by clicking on 'Run in Explore Logs page'. If nothing is returned, further tweaking could be required.

I added a complementary tag called 'type=esxlogins', so we can easily find the event when it gets to our SIEM. Once we're done, we save the forwarding rule and we can check our SIEM.

Once the events are forwarding, if we do a search for 'type=esxlogs' in out SIEM, our ESX login events should show up.

Conclusion

Armed with the information we just practiced, you can forward practically any authentication (or any other) event to a SIEM from vRealize Log Insight, as long as there is a static field to filter on or you can get the text pattern matching to match properly for the events you need to forward. Please try this our and let me know if you have any questions or comments. Thanks for reading!