AlienVault® USM Appliance™

VMware vCenter

When you configure VMware vCenter to send log data to USM Appliance, you can use the VMware vCenter plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor: VMware
Device Type: Virtual machine management
Connection Type: Syslog
Data Source Name: vmware-vcenter
Data Source ID: 1658

Integrating VMware vCenter

To configure VMware vCenter to send log data to USM Appliance on a Linux machine

  1. Establish an SSH connection to the VMware vCenter Server and log in as the root user.
  2. Navigate to /etc/syslog-ng/.
  3. Copy and paste the following content at the end of the /etc/syslog-ng/syslog-ng.conf file on the vCenter Server:

    # vpxd source log
    source vpxd {
        file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse));
        file("/var/log/vmware/vpx/vpxd-alert.log" follow_freq(1) flags(no-parse));
        file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse));
        file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse));
        file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse));
    };

    # Remote USM Sensor
    destination remote_syslog {
        udp("<USM-Appliance-Sensor-IP-Address>" port(514));
    };

    # Log vCenter Server vpxd log remotely
    log {
        source(vpxd);
        destination(remote_syslog);
    };

  4. Run the following command to restart the syslog service on the vCenter Server:

    service syslog restart
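
A pre-flight check for the block appended in step 3, to run before the syslog restart: it confirms that the sensor placeholder was replaced, that the log path links `vpxd` to `remote_syslog`, and it warns about `file()` sources missing on the host. This is an added example, not AlienVault or VMware code; the function names are assumptions, and it assumes the sensor is addressed by IPv4, as the placeholder's name suggests.

```shell
#!/bin/sh
# Added example: pre-flight check for the syslog-ng block from step 3.
# Function names are assumptions; nothing here comes from AlienVault or VMware.

PLACEHOLDER='<USM-Appliance-Sensor-IP-Address>'

# Print the address given in the first udp("...") destination, if any.
sensor_address() {
    sed -n 's/^[[:space:]]*udp("\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only for a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# List file() sources named in the config that do not exist on this host.
missing_sources() {
    sed -n 's/^[[:space:]]*file("\([^"]*\)".*/\1/p' "$1" |
        while read -r path; do
            [ -e "$path" ] || echo "$path"
        done
}

# Return 0 when the forwarding block is ready for the syslog restart.
check_forwarding_conf() {
    conf=$1
    status=0
    if grep -qF "$PLACEHOLDER" "$conf"; then
        echo "FAIL: $PLACEHOLDER was not replaced" >&2
        status=1
    elif ! is_ipv4 "$(sensor_address "$conf")"; then
        echo "FAIL: udp() destination is not an IPv4 address" >&2
        status=1
    fi
    # The log path must tie the vpxd source to the remote destination.
    for stmt in 'source(vpxd);' 'destination(remote_syslog);'; do
        grep -qF "$stmt" "$conf" || { echo "FAIL: missing $stmt" >&2; status=1; }
    done
    missing_sources "$conf" | sed 's/^/WARN: source file not found: /' >&2
    return "$status"
}
```

After sourcing the file on the vCenter Server, run `check_forwarding_conf /etc/syslog-ng/syslog-ng.conf`; `syslog-ng --syntax-only` can then confirm that the whole file parses.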

To configure VMware vCenter to send log data to USM Appliance on a Windows machine

http://www.thevirtualist.org/sending-vcenter-logs-centralized-syslog-server-using-nxlog/

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.vmware.com/support/vcenter-server.html