Documentation Center
AlienVault® USM Anywhere™

VMware vCenter

When you configure VMware vCenter to send log data to USM Anywhere, you can use the VMware vCenter plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor VMware
Device Type Virtual machine management
Connection Type Syslog

Integrating VMware vCenter

To configure VMware vCenter to send log data to USM Anywhere on a Linux machine

  1. Establish an SSH connection to the VMware vCenter Server and log in as the root user.
  2. Navigate to /etc/syslog-ng/.
  3. Copy and paste the following content at the end of the /etc/syslog-ng/syslog-ng.conf file on the VCenter Server

    # vpxd source log

    source vpxd {

    file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse));

    file("/var/log/vmware/vpx/vpxd-alert.log" follow_freq(1) flags(no-parse));

    file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse));

    file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse));

    file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse));


    # Remote USM Sensor

    destination remote_syslog {

    udp("<USM-Anywhere-Sensor-IP-Address>" port (514));


    # Log vCenter Server vpxd log remotely

    log {




  4. Run the following command to restart the syslog service on the vCenter Server
  5. service syslog restart

To configure VMware vCenter to send log data to USM Anywhere on a Windows machine

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • customfield_0
  • destination_address
  • destination_hostname
  • destination_ntdomain
  • destination_port
  • event_name
  • event_outcome
  • event_severity
  • file_path
  • rep_device_inbound_interface
  • rep_device_mac
  • session
  • source_address
  • source_hostname
  • source_port
  • source_process
  • source_process_commandline
  • source_userid
  • source_username
  • timestamp_occured
  • timestamp_received
  • transport_protocol

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation: