VMware vCenter

integrations network vmware vcenter

The following instructions are for configuring VMware vCenter to facilitate log ingestion into Taegis™ XDR.

Connectivity Requirements ⫘

Source	Destination	Port/Protocol
VMware vCenter	Taegis™ XDR Collector (mgmt IP)	TCP/601

Data Provided from Integration ⫘

	Alerts	Auth	CloudAudit	DNS	HTTP	Management	Netflow	NIDS	Process	Thirdparty
vCenter		✓				✓

Configure the VMware vCenter Platform ⫘

Follow the instructions in the VMware documentation to configure log forwarding.

When defining a Syslog configuration, enter the following information:

Field	Required Value
Server Address	Taegis™ XDR Collector (mgmt IP)
Protocol	TCP
Port	601

Example Query Language Searches ⫘

To search for auth events from the last 24 hours:

FROM auth WHERE sensor_type = 'VMWARE_VCENTER' and EARLIEST=-24h

To search for managementevent events:

FROM managementevent WHERE sensor_type = 'VMWARE_VCENTER'

To search for auth events associated with a specific user:

FROM auth WHERE sensor_type='VMWARE_VCENTER' AND source_user_name = 'foo'

Sample logs ⫘

Authentication:

Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:14:38.893453+00:00 somehost1111 vpxd 31038 - -  Event [123445] [1-1] [2022-12-20T02:14:38.892052Z] [vim.event.UserLogoutSessionEvent] [info] [SOMEDOM.LOCAL\Administrator] [] [654321] [User SOMEDOM.LOCAL\Administrator@10.7.007.19 logged out (login time: Tuesday, 20 December, 2022 01:58:49, number of API invocations: 9, user agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000))]

Command Execution:

Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:16:01.544091+00:00 computername CROND 16388 - -  (root) CMD ( test -x /usr/sbin/vpxd_periodic && /usr/sbin/vpxd_periodic >/dev/null 2>&1)

Event Details ⫘

vCenter Event Details