VMware Logging Guide for Snare Server v7.0


VMware Logging Guide for Snare Server v7.0

Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance International Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence, which covers the Snare agents and some other software. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

Page 1 of 14

Table of Contents

1. About this Guide ............................ 3
2. VMware Server Configuration ................. 4
3. Analysis .................................... 6

1. About this Guide

This document details the steps required to configure VMware ESXi, via the vSphere CLI, to log to the Snare Server, and also highlights some basic analysis strategies for Snare Server v7. More details on the techniques used are available in the Snare Server User Guide.

Important Note

These instructions have been tested on VMware ESXi 5.1, and should also apply to other versions of ESXi and ESX, as long as the syslog configuration can be modified to forward events to the Snare Server.

Other Resources

Other resources that may be useful to read include:

Snare Server v7.0 User's Guide
vSphere Command-Line Interface Documentation: http://www.vmware.com/support/developer/vcli/

2. VMware Server Configuration

The following procedure assumes that you wish to configure the vSphere server via the command line. Logging functionality can also be modified using the vClient GUI tools; please see the VMware documentation for detailed procedures.

2.1. Activate SSH, or access the vSphere Console

2.1.1. What you need...

The DNS name or IP address of your vSphere server.
Access to the vSphere console to enable SSH.

2.1.2. Instructions

Initial Screen: On the vSphere console, use the F2 key to access the system configuration options. Hit F2 on your keyboard.

Troubleshooting: Use your cursor keys to choose the 'Troubleshooting options' menu option, and hit ENTER on your keyboard. Choose 'Troubleshooting options'.

Activate SSH / Console: You will need to either activate the vSphere console, or SSH. If you choose to activate the console, the keyboard sequence Alt+F1 will open a local console. Log in using your administrator account and password. If you choose to activate SSH, connect to your ESX machine using the IP address displayed on the first console screen.

2.1.3. Syslog delivery

In order to activate remote delivery of VMware log data using the syslog protocol, several commands need to be run.

2.1.3.1. Firewall configuration

Run the following commands to allow syslog data to be sent through the ESX local firewall:

    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli network firewall refresh

2.1.3.2. Syslog configuration

Configure the server to send syslog data to a remote server, using the syslog protocol. Substitute the IP address of your Snare Server for the "10.11.12.13" in the following command:

    esxcli system syslog config set --loghost='udp://10.11.12.13:514'
    esxcli system syslog reload
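The firewall and syslog steps above, collected into a script that also reads the settings back and fails if either did not take effect. This is an added example and not part of the Snare guide; it assumes it is run in the ESXi shell where esxcli is available, and that the esxcli output has the layout of ESXi 5.x (a "Remote Host:" line from the config, and a "syslog  true" row from the ruleset list). 10.11.12.13 is the guide's placeholder address.

```shell
#!/bin/sh
# Added example, not part of the Snare guide: apply the guide's esxcli steps
# from a script and verify the result. Run in the ESXi shell (local console
# or SSH) with:  sh snare-syslog.sh apply
SNARE_HOST="${SNARE_HOST:-10.11.12.13}"   # placeholder from the guide; set to your Snare Server
SNARE_PORT="${SNARE_PORT:-514}"
LOGHOST="udp://${SNARE_HOST}:${SNARE_PORT}"

# loghost_configured OUTPUT EXPECTED
# Returns 0 when OUTPUT (the text printed by "esxcli system syslog config get")
# contains a "Remote Host:" line equal to EXPECTED. A pure text check, so it
# can be exercised against saved output without an ESXi host.
loghost_configured() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -Fqx "Remote Host: $2"
}

# firewall_enabled OUTPUT
# Returns 0 when OUTPUT (from "esxcli network firewall ruleset list
# --ruleset-id=syslog") shows the syslog ruleset as enabled (assumed
# layout: a row reading "syslog  true").
firewall_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*syslog[[:space:]]+true[[:space:]]*$'
}

configure_snare_syslog() {
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli network firewall refresh
    esxcli system syslog config set --loghost="$LOGHOST"
    esxcli system syslog reload
    # Re-read both settings and stop loudly if either step did not take effect.
    firewall_enabled "$(esxcli network firewall ruleset list --ruleset-id=syslog)" \
        || { echo "syslog firewall ruleset is not enabled" >&2; return 1; }
    loghost_configured "$(esxcli system syslog config get)" "$LOGHOST" \
        || { echo "remote loghost is not $LOGHOST" >&2; return 1; }
    echo "ESXi now forwards syslog to $LOGHOST"
}

if [ "${1:-}" = "apply" ]; then
    configure_snare_syslog
fi
```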

3. Analysis

If you are not familiar with the operation of the Snare Server, please refer to the Snare Server User Guide for more information. The Snare Server will receive data from your ESX/vSphere server, and add it to the generic syslog data source. The following series of screenshots provide an example of how to perform basic analysis on VMware vSphere/ESX log data.

Create a new objective called "VMWare ESX". Modify the objective configuration. Choose the "Change Type" button. Choose the "Analyse data from Generic Syslog logs" objective template, from the "Generic Syslog" group.

Once the objective template has been selected, the Configuration window will reappear, with log-type specific settings. Add a new match, and tell the Snare Server to look for logs from the ESX/vSphere server's hostname.

Add output components to the objective, such as the 15 minute pattern map, and Tabular Details. Modify the Table output configuration to include the fields of interest, save the configuration, and regenerate the objective.

We have some data returned from the objective. In this case, the data has arrived from the 'v5dev' server. You will notice, though, that there are some interesting details within the body of the message that we may be interested in analysing in more detail. In particular, you can see that the Date/Time presented in the event is actually a little different from the time at which the Snare Server received the event. Usually, Snare is able to retrieve the date/time from within each event, but in this case VMware uses a non-standard syslog date format, so the Snare Server has opted to preserve both the receive-time and the log-time in the event. However, we can pull out this information for our analysis.

Go back to your Configuration settings, and select the green 'Add New' button near the top of the window. A new window will pop up, asking for the "Field Name". Let's use "VMDATE". Next, we'll test a "regular expression" match to pull out the date from within the event body. For this, I have copied and pasted a sample event from the tabular output into the 'sample log entry' field. Next, I have crafted a simple regular expression to pull out the date from the entry. In this case, the regular expression translates to: grab the first 10 characters of the event, which consist of numbers or dashes. Copy this expression to our 'Token', and save the result using the 'Create Field' button.

Regular expressions are very powerful. We could do almost the same thing by using the expression above instead (grab the first 10 characters from the event, regardless of what they look like). While we're at it, we can grab the time (VMTIME). Since VMware's time format is reasonably consistent, a simple regular expression like the one above may be perfectly adequate. Next, we can pull out the syslog 'category' ("VMCATEGORY"), and the actual message content ("VMEVENT"). These fields can then be added to our Table output as required, or featured as part of a graph component. Regenerate the objective once more when configuration has been completed.

Pie graph of sources.

If we wanted to search for a particular subset of messages, such as commands executed by the root-level user, we could modify our configuration further. In this case, we've asked Snare to search for events from 'VMWareESX001' with a 'VMSource' of 'shell'. Regenerate the objective once done.

Output of a search for root-level command execution.
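The field extraction and the final root-shell search from this section, reproduced outside the Snare Server GUI so the expressions can be tried against raw lines. This is an added example and not part of the Snare guide; the log lines are constructed in the ESXi 5.x syslog layout (ISO-8601 timestamp, hostname, source tag, message), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Snare guide: the VMDATE / VMTIME / VMCATEGORY /
# VMEVENT extraction the guide builds with regular expressions in the Snare
# Server GUI, followed by the guide's "host + shell source" search, done with sed.

# Constructed sample lines in the ESXi 5.x syslog layout; not real data.
SAMPLE_LOG='2013-05-14T10:23:45Z VMWareESX001 shell[1234567]: [root]: esxcli system syslog config get
2013-05-14T10:23:50Z VMWareESX001 Hostd: [2013-05-14 10:23:50.123 info Vimsvc] Login user root
2013-05-14T10:24:02Z VMWareESX001 shell[1234567]: [root]: cat /etc/vmware/esx.conf
2013-05-14T10:24:09Z v5dev shell[7654321]: [root]: ls /vmfs/volumes'

# VMDATE: the guide's expression, the first 10 characters made up of digits or dashes.
vm_date()     { printf '%s\n' "$1" | sed -En 's/^([0-9-]{10}).*/\1/p'; }
# VMTIME: the hh:mm:ss that follows the ISO-8601 "T" separator.
vm_time()     { printf '%s\n' "$1" | sed -En 's/^[0-9-]{10}T([0-9:]{8}).*/\1/p'; }
# VMCATEGORY: the syslog source tag after the hostname (shell, Hostd, ...), minus any [pid].
vm_category() { printf '%s\n' "$1" | sed -En 's/^[^ ]+ [^ ]+ ([A-Za-z]+)(\[[0-9]+\])?:.*/\1/p'; }
# VMEVENT: the message text after the source tag's colon.
vm_event()    { printf '%s\n' "$1" | sed -En 's/^[^ ]+ [^ ]+ [^:]+: *//p'; }

# root_shell_commands HOST: print "VMDATE VMTIME VMEVENT" for every sample line
# whose hostname is HOST and whose source is shell, i.e. the guide's final objective.
root_shell_commands() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        [ "$(printf '%s\n' "$line" | cut -d' ' -f2)" = "$1" ] || continue
        [ "$(vm_category "$line")" = "shell" ] || continue
        printf '%s %s %s\n' "$(vm_date "$line")" "$(vm_time "$line")" "$(vm_event "$line")"
    done
}

root_shell_commands VMWareESX001
```

The Hostd line is dropped by the category test even though it mentions root, which is the point of matching on the source tag rather than on the message text.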