Graylog Content Pack for VMWare 8.X (VCSA and ESXI)

This content Pack is only intended for Security Monitoring.

If you noticed some data about security that is not parsed, you can open an issue and I will update the Content Pack.

Tested with VMWARE vSphere 8.0.2 and ESXI 8.0.0 and Graylog 5.2.0.

The Content Pack should be compatible with all Graylog 5.X version.

Note this was built without extractors, only pipeline rules.

Includes (ESXI & VCSA)

Graylog 5.0+
VCENTER Appliance and ESXI integrated with VCENTER
VCSA configured to send logs
ESXI configured to send log
Open port 1514+1515 for TCP on the graylog host and/or docker compose file
Download this CSV file (RFC_log_level.csv) for Lookup Table and place it on your graylog servers (if different than /srv , edit the Data adapter from System > Lookup Table > Data Adapter to change the path)
Before installing the content pack you need to replace all source-entries in json file with the names, using wildcards, of the esxi servers.
- VMWARE-VCenter-Content-Pack-Security-Events.json: replace source:vcsa with source:your_vcsa_dns_name (check the raw logs of the VCSA input if you are not sure)
- ESXI-Content-Pack-Security-Events.json:
- replace source:esxi*.lab.lan with source:your_esxis_hostname*.domain_name
- replace esxi[0-9]\\.lab\\.lan with esxi[0-9]\\.your\\.domain where esxi[0-9] is the name of the one I have (exsi1, esxi2 etc), adapt according to your conf

Go to System > Content Pack > Upload (Drag and drop file or Select) Then click install,

I recommend you to create a specific Indice for VCSA and one for ESXI, and apply the VCSA/ESXI Stream to it.

Go to Syslog > Edit

Select your esxi > Manage > System > Advanced Settings > On the top right, filter with syslog > Click on the line Syslog.global.logHost and Edit it:

tcp://192.168.1.51:1514?formatter=RFC_5424

YOU NEED TO CHOSE RFC_5424, not the default one.