Overview
Blumira integrates with VMware ESXi to stream security event logs to the Blumira service so that you can view and analyze your VMware log data in Report Builder. You may also want to forward traffic logs from VMware ESXi to a SIEM for long-term storage, compliance, audit, reporting, or legal reasons.
Important: Blumira currently does not provide detections or findings for VMware logs.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- In the Overview section, next to Host Details, copy the IP address.
Configuring log forwarding
The steps to forward logs vary depending on whether you manage hosts with vCenter or directly with vSphere.
VMware vCenter
- Log in to the vCenter Server Appliance Management Interface as root.
Note: The vCenter Server Appliance Management Interface, also known as VAMI, runs on the same server as vCenter Server but on port 5480. To access the VAMI, use https://<vcenter-ip>:5480. The VAMI password may not be the same as the normal vCenter SSO login. The username is typically 'root'. Some admins set the VAMI root password to match the administrator@vcenter.local account, but the two passwords are not linked.
- In the vCenter Server Appliance Management Interface, select Syslog.
- In the Forwarding Configuration section, click Configure if you have not configured any remote syslog hosts. Click Edit if you already have configured hosts.
- In the Create Forwarding Configuration pane, type the IP address of the Blumira sensor host.
Note: The maximum number of supported destination hosts is three.
- From the Protocol dropdown menu, select the UDP protocol.
- In the Port text box, type the port number to use for communication with the destination host. This is typically 514.
- In the Create Forwarding Configuration pane, click Add to enter another remote Syslog server.
- Click Save.
- Verify that the remote syslog server is receiving messages:
- In the Forwarding Configuration section, click Send Test Message.
- Verify in the Blumira console that the test message was received. Alternatively, you can tail the logs on the Blumira sensor server with the following command:
sudo docker exec -it $(sudo docker ps --filter status=running --format "{{.ID}}") /blutail | grep <ip_or_hostname_of_source>
While completing this step, take the time to review your current security policies and ensure that they are up to date. We recommend settings that produce the most verbose log content and volume, applied to every policy on the device.
VMware ESXi
Important: Only use the procedure below if you are not already using vCenter. Configuring both options will result in log duplication.
- Log in to the VMware vSphere web client.
- Select the Host you want to push logs from.
Note: You cannot select the entire cluster.
- Click Configure at the top.
- In the left-hand column, select System, then click Advanced System Settings.
- Select Edit in the top right corner.
- Filter for Syslog.
- Select Syslog.Global.LogHost.
- Modify the Syslog.Global.LogHost Value to the IP of the Blumira sensor in UDP format.
Example: udp://<IP of Sensor>:514
- Click OK.
- Ensure the ESXi firewall allows outbound syslog traffic by running the following commands from an ESXi shell:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
- Test connectivity with the following command; a success message appears if the connection was successful:
nc -v <ip of sensor> 514
- Reload the syslog settings:
esxcli system syslog reload
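The ESXi steps above can be scripted from the ESXi shell. The following is an added example, not Blumira's or VMware's own code: it sets the log host, enables and refreshes the syslog firewall ruleset, reloads syslog, and writes a marker message you can then grep for in the sensor tail (the ESXi-side counterpart of the vCenter Send Test Message check). It assumes the esxcli subcommands `system syslog config set --loghost`, `system syslog mark`, and `system syslog config get`, which the page itself does not use but which are the CLI equivalents of editing Syslog.Global.LogHost in Advanced System Settings; the `ESXCLI` variable is a hypothetical hook so the same commands can be pointed at a logging stub for a dry run.

```shell
#!/bin/sh
# Added example, not Blumira's or VMware's own code: performs the ESXi steps
# (set Syslog.Global.LogHost, open the syslog firewall ruleset, reload) from
# the ESXi shell with esxcli, then writes a marker message to confirm receipt
# on the sensor. ESXCLI is a hypothetical override so the commands can be
# dry-run against a stub instead of the real binary.
ESXCLI="${ESXCLI:-esxcli}"

# Accept only the scheme://host:port form the page asks for (udp, tcp or ssl);
# a bare IP or a missing port is rejected before anything is changed.
valid_loghost() {
    case "$1" in
        udp://?*:[0-9]*|tcp://?*:[0-9]*|ssl://?*:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# configure_syslog_forwarding udp://<sensor-ip>:514
# Returns 2 for a malformed loghost, 1 if any esxcli step fails, 0 on success.
configure_syslog_forwarding() {
    loghost="$1"
    if ! valid_loghost "$loghost"; then
        echo "refusing loghost '$loghost': expected udp://<sensor-ip>:514" >&2
        return 2
    fi
    # CLI equivalent of editing Syslog.Global.LogHost in Advanced System Settings
    "$ESXCLI" system syslog config set --loghost="$loghost" || return 1
    # Same two firewall commands as the page, then apply the syslog settings
    "$ESXCLI" network firewall ruleset set --ruleset-id=syslog --enabled=true || return 1
    "$ESXCLI" network firewall refresh || return 1
    "$ESXCLI" system syslog reload || return 1
    # Stamp every log with a marker line that can be grepped for on the sensor
    "$ESXCLI" system syslog mark --message="blumira-forwarding-test $(date +%s)" || return 1
    return 0
}

# Print the active syslog configuration so the loghost can be confirmed.
show_syslog_config() {
    "$ESXCLI" system syslog config get
}
```

On the host, run `configure_syslog_forwarding udp://<sensor-ip>:514`, then `show_syslog_config` to confirm the loghost took effect, and grep the sensor tail for `blumira-forwarding-test` to confirm the marker arrived.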