
VMware ESX/ESXi

The VMware ESX/ESXi application lets you monitor and identify threats in your organization using VMware ESX/ESXi log data. Its dashboard visualizes event details for actions performed by hosts or groups on virtual machines, authentication requests, and account management activities detected in your network.

Release Details
Version: 5.1.0
Release date: May 08, 2024
Supported On: Logpoint v7.4.0 or later for log source template
Documentation: VMware ESX/ESXi guide
SHA 256: b6dfc3dec01fff02b78b94fcd6bda07289cc4c518d62083f905cff09b01a875d
Download

Package Details

VMware ESX/ESXi components:

  1. Dashboard Package
    • LP_VMware 
  2. Normalization Packages
    • LP_Vmware ESX/ESXi Vpxa
    • LP_Vmware ESX/ESXi Vpxd Generic
    • LP_Vmware ESX/ESXi Vpxd
    • LP_Vmware ESX/ESXi Hostd
    • LP_Vmware ESX/ESXi Vpxd-profiler
    • LP_Vmware ESX/ESXi vmkwarning
    • LP_Vmware ESX/ESXi Syslog
    • LP_Vmware ESX/ESXi Vpxd_cfg
    • LP_Vmware ESX/ESXi smartd
    • LP_Vmware ESX/ESXi EPSecMux
    • LP_Vmware ESX/ESXi lwsmd
    • LP_Vmware ESX/ESXi vmauthd
    • LP_VMware vCenter Generic
    • LP_Vmware ESX/ESXi Fdm
    • LP_VMware Horizon View
    • LP_VMWare vRealize Operation Manager
    • LP_Vmware ESX/ESXi SNMPD
    • LP_Vmware NSX
    • LP_VMware vCenter
    • LP_Vmware ESX/ESXi vmkernel
    • LP_VMware Horizon View Generic
    • LP_Vmware ESX/ESXi Jointool
    • LP_Vmware ESX/ESXi VOBD
    • LP_Vmware ESX/ESXi SFCBD
    • LP_Vmware ESX/ESXi Rhttpproxy
    • LP_Vmware ESX/ESXi Kernel
    • LP_Vmware ESX/ESXi Access
    • LP_Vmware ESX/ESXi Ls
    • LP_Vmware ESX/ESXi root
    • LP_Vmware ESX/ESXi smbiosDump
    • LP_VMware VRealize Log Insight
    • LP_Vmware ESX/ESXi TmpWatch
    • LP_Vmware ESX/ESXi sshd
    • LP_Vmware ESX/ESXi hostd-probe
    • LP_VMware UAG
    • LP_Vmware ESX/ESXi
    • LP_Vmware ESX/ESXi Hostd Generic
    • LP_Vmware ESX/ESXi localcli
    • LP_Vmware ESX/ESXi Stats
    • LP_Vmware ESX/ESXi CROND
    • LP_Vmware ESX/ESXi CIMSLP
    • LP_Vmware ESX/ESXi Heartbeat 
  3. Label Package
    • LP_Vmware ESX/ESXi 

Important Notices

  • The normalization package LP_Vmware ESX/ESXi is generic, so you must place it at the end of the normalization policy, along with the other generic packages.
  • The normalization packages are divided by process, service, or event (for example, Hostd or Syslog). Use the packages that carry one of these names, as they are the ones that are updated periodically. If you know which process, service, or event generates your logs, add only the corresponding process-specific normalization package to the normalization policy. If not, add all the normalization packages, with the generic packages at the end.

  • You must activate the label package LP_Vmware ESX/ESXi to apply specific labels and group similar logs together. You can find the steps to activate the label package in the Activating Labels Packages section of the Logpoint Data Integration Guide.
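Why the ordering above matters, as an added example that is not part of the original page and is not Logpoint's own code: a small Python model of a first-match normalization policy run over constructed ESXi syslog lines. The package names are taken from the component list above; the signatures, the sample log lines, and the first-match semantics are this example's own assumptions, not Logpoint's actual signatures or the exact behaviour of its normalization engine.

```python
import re

# Constructed ESXi syslog lines, written for this example to approximate
# hostd, vpxa, vmkernel and smartd output; they are not captured from a host.
SAMPLE_LOGS = [
    "2024-05-08T10:15:32Z esxi01 Hostd: info hostd[2099873] "
    "[Originator@6876 sub=Vimsvc.ha-eventmgr] Event 4711 : "
    "User root@10.0.0.5 logged in as VMware-client/8.0.0",
    "2024-05-08T10:15:33Z esxi01 Vpxa: verbose vpxa[2099901] "
    "[Originator@6876 sub=vpxLro opID=1a2b3c] [VpxLRO] -- BEGIN task-12 "
    "-- vm-101 -- vim.VirtualMachine.powerOn",
    "2024-05-08T10:15:34Z esxi01 vmkernel: cpu3:2097587)WARNING: NFS: 2200: "
    "Lost connection to server 10.0.0.9",
    "2024-05-08T10:15:35Z esxi01 smartd: Device naa.5000c5 temperature 41C",
    "this line matches no signature at all",
]

# Hypothetical signatures (not Logpoint's): one process-specific package each
# for hostd, vpxa and vmkernel, plus a generic catch-all that only splits the
# syslog header from the message body.
PACKAGES = {
    "LP_Vmware ESX/ESXi Hostd": [re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) Hostd: (?P<severity>\w+) hostd\[\d+\] "
        r"\[.*?\] Event (?P<event_id>\d+) : User (?P<user>[^@ ]+)@"
        r"(?P<source_address>\S+) logged in as (?P<client>\S+)$")],
    "LP_Vmware ESX/ESXi Vpxa": [re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) Vpxa: (?P<severity>\w+) vpxa\[\d+\] "
        r"\[.*?opID=(?P<op_id>\w+)\] \[VpxLRO\] -- (?P<phase>BEGIN|FINISH) "
        r"(?P<task_id>task-\d+) -- (?P<object>\S+) -- (?P<method>\S+)$")],
    "LP_Vmware ESX/ESXi vmkernel": [re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) vmkernel: cpu(?P<cpu>\d+):\d+\)"
        r"(?:(?P<severity>WARNING|ALERT): )?(?P<subsystem>\w+): \d+: "
        r"(?P<message>.*)$")],
    "LP_Vmware ESX/ESXi": [re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) (?P<process>[^:\s]+): (?P<message>.*)$")],
}

# A policy is an ordered list of package names; generic package last, as advised.
GOOD_POLICY = ["LP_Vmware ESX/ESXi Hostd", "LP_Vmware ESX/ESXi Vpxa",
               "LP_Vmware ESX/ESXi vmkernel", "LP_Vmware ESX/ESXi"]
# Same packages with the generic one first: it matches every well-formed
# syslog line, so the process-specific signatures are never reached.
BAD_POLICY = ["LP_Vmware ESX/ESXi"] + GOOD_POLICY[:-1]


def normalize(line, policy):
    """Walk the policy in order; the first signature that matches wins
    (assumed first-match semantics). Returns the extracted fields plus the
    name of the package that produced them, or None if nothing matched."""
    for package in policy:
        for signature in PACKAGES[package]:
            m = signature.match(line)
            if m:
                fields = {k: v for k, v in m.groupdict().items() if v is not None}
                fields["norm_package"] = package
                return fields
    return None


def run_policy(lines, policy):
    """Normalize every line and summarize which package handled each one."""
    results = [normalize(line, policy) for line in lines]
    summary = {"normalized": 0, "unnormalized": 0, "by_package": {}}
    for r in results:
        if r is None:
            summary["unnormalized"] += 1
            continue
        summary["normalized"] += 1
        pkg = r["norm_package"]
        summary["by_package"][pkg] = summary["by_package"].get(pkg, 0) + 1
    return results, summary


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        results, summary = run_policy(SAMPLE_LOGS, policy)
        print(f"{name} policy: {summary}")
        for r in results:
            print("   ", r)
```

With the generic package last, the hostd login line yields user, source_address and client, and the vpxa line yields the task, object and method; with the generic package first, every line is reduced to process plus a raw message and those fields are lost. The smartd line, which no process-specific package in this model covers, is still picked up by the generic package, while the last line is left unnormalized under either ordering: a source whose lines stay unnormalized is one that no package in the policy matches, which is why the full set of packages, generic ones last, is the safe choice when the log-producing processes are unknown.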

Enhancement

Description: Added a Syslog Collector-based VMware log source template, which simplifies log source configuration. To learn more, go to Creating Log Source via a Template.
Issue ID: KB-22652
Reference ID: -

Past Releases

VMware ESX/ESXi v5.0.2

Release date: August 07, 2021
Supported On: Logpoint v6.0.0 and later
SHA 256: 32aa6a039689f6eccd6a6b7d71e870cde47397b4f4b0bc6ab096953608b2a758

Enhancement

Description: New signatures have been added to the following normalization packages to normalize VMware vRealize Log Insight (VRLI) logs:
  • LP_VMware vCenter
  • LP_VMware vCenter Generic
  • LP_Vmware ESX/ESXi sshd
  • LP_Vmware ESX/ESXi Hostd
  • LP_Vmware ESX/ESXi Vpxa
  • LP_Vmware NSX
Issue ID: KB-13773, KB-11607
Reference ID: 57811, 49020, 53119

Bug Fix

Description: Fixed an issue in the LP_Vmware ESX/ESXi vmkwarning, LP_Vmware ESX/ESXi Syslog, and LP_Vmware ESX/ESXi Kernel normalization packages where some kernel logs were not normalized.
Issue ID: KB-11575
Reference ID: 49126

VMware ESX/ESXi v5.0.1

Enhancements

Description: The application now includes the normalization packages LP_VMware UAG (VMware Horizon Unified Access Gateway), LP_Vmware NSX, and LP_VMware VRealize Log Insight, which support VMware Unified Access Gateway logs, VMware NSX logs, and VMware vRealize Log Insight (VRLI) logs, respectively. The normalization packages LP_Vmware ESX/ESXi, LP_Vmware ESX/ESXi Vpxd, LP_Vmware ESX/ESXi Syslog, and LP_VMware Horizon View have been updated with new signatures.
Issue ID: KB-12535, KB-10778, KB-11608, KB-13674
Reference ID: 53199, 46159, 49020

Description: New signatures have been added to the normalization package LP_VMware vCenter to support vCenter logs. The package has also been updated to normalize the values of the method and session_id fields.
Issue ID: KB-12569
Reference ID: 53383

Support

If you have any questions or require assistance, create a support ticket.

Comments

  • Stephane Nardy

    Hello,
    Is it compatible with vCenter 6.5 logs? Vpxd logs are not correctly parsed.

    Thanks
  • Stefan Dorka

    Has anyone got this normalisation working? We get 2-3k logs in 30 seconds but no logs are normalized.
    We have several ESX servers with vCenter.
  • Andrew King

    Hello,

    We've got vCenter 6.5 and it (sort of) works: we get normalisations for the type of events from Virtual Center but not much else (OK, we haven't tried the ESX normalisations yet).

    It seems a couple of the latest norms don't work all that well; we're looking to do our own when we get some time.
  • Stefan Dorka

    Thanks for the reply. I see that the hosts log too much crap; I'm trying to focus it on the vCenter only.
  • Daniel Roth

    We have it somewhat working as well on ESXi 6.5.
    FYI, I have a ticket (#9364) that you could also try to push, for plugin support to poll logs from vCenter using the VMware API.
    No need to configure individual ESXi hosts that way, as all logs are pulled from the vCenters. (I have this set up in an old system that we are migrating from to LogPoint.)
  • Hans Vedder

    Two helpful additional pieces of information from support:
    1. The packages for VMware have been divided into several ones depending on the process, service, or event itself, e.g. Hostd, syslog, etc. If you know which processes or services are generating logs, then place only those in the normalization policy. If not, we recommend you place all of them in the normalization policy with the generic packages at the end of the normalization policy.

    2. Actually, our initial implementation packaged all the process logs into a single package, LP_Vmware ESX/ESXi. Later we split it into process-wise packages. You can use only the packages with the name of the process, as they are the ones which are updated periodically.
  • Hans Vedder

    A third piece of information:
    3. LP_Vmware ESX/ESXi is the generic package. You can keep it at the end of the norm policy along with other generic packages for generic normalization.
