Integrating VMware ESXi With Blumira

Blumira’s modern cloud SIEM platform integrates with VMware ESXi to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.

When configured, the Blumira integration with VMware ESXi will stream security event logs to the Blumira service for automated threat detection and actionable response.

Get visibility, detect and respond to threats faster:

  • Quickly detect known and suspected threats with Blumira’s cloud-based platform
  • Reduce the noise of false-positive alerts with backend automation and fine-tuned alerting
  • Detect lateral movement across your environment with virtual honeypots
  • Get guided and actionable remediation playbooks for teams without security expertise
  • View easy-to-understand dashboards and security threat reports to help organizations meet compliance requirements

See how easy it is to set up Blumira with VMware ESXi:

Set Up Instructions

Configure Log Forwarding for VMware ESXi

Forward logs from VMware ESXi to a SIEM for long-term storage, compliance, audit, reporting or legal reasons. The steps for forwarding vary depending on whether you are managing hosts with vSphere or vCenter.

VMware vSphere

Log in to the VMware vSphere web client.

  1. In the vSphere Web Client inventory, select the host.
  2. Click Configure.
  3. Under System, click Advanced System Settings.
  4. Filter for syslog.
  5. To set up logging globally, select the setting to change and click Edit.
    1. Modify the Syslog.global.LogHost option and enter the IP address or hostname of your Blumira Sensor in the format udp://hostname:514 (514 is the standard syslog port).
  6. Click OK. Changes take effect immediately.

VMware vCenter

Log in to the vCenter Server Appliance Management Interface as root.

  1. In the vCenter Server Appliance Management Interface, select Syslog.
  2. In the Forwarding Configuration section, click Configure if you have not configured any remote syslog hosts. Click Edit if you already have configured hosts.
  3. In the Create Forwarding Configuration pane, enter the server address of the Blumira Sensor host. The maximum number of supported destination hosts is three.
  4. From the Protocol drop-down menu, select UDP.
  5. In the Port text box, enter the port number to use for communication with the destination host; this is typically 514.
  6. In the Create Forwarding Configuration pane, click Add to enter another remote syslog server.
  7. Click Save.
  8. Verify that the remote syslog server is receiving messages:
    • In the Forwarding Configuration section, click Send Test Message.
    • Verify in the Blumira console that the test message was received. Alternatively, tail the logs on the Blumira Sensor server with the following command:
    • sudo docker exec -it $(sudo docker ps --filter status=running --format "{{.ID}}") /blutail | grep <ip_or_hostname_of_source>

    While completing this step, take the time to review your current security policies and ensure that they are up to date. Blumira generally prefers settings that result in the most verbosity in regard to log content and volume, and these settings should be applied to every policy on the device.
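The verification in step 8 greps the sensor's log tail for the source host. The following added example (not Blumira's or VMware's code) does the same check more precisely: it parses the syslog header of each received line, keeps only messages whose originating host matches the ESXi or vCenter host, and reports whether at least one arrived. The sample lines, hostnames and timestamps are constructed for this example; the parser assumes the `<PRI>timestamp hostname process: message` layout ESXi emits, with an optional RFC 5424 version field.

```python
import re

# Constructed sample of lines as a syslog receiver might capture them from an
# ESXi host and a vCenter appliance (hostnames, addresses and timestamps are made up).
SAMPLE_LINES = [
    "<166>2024-03-01T12:00:01.123Z esxi01.example.com Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 12 : User root@10.0.0.5 logged in",
    "<14>2024-03-01T12:00:02.000Z vcsa01.example.com vmware-vmon: Test message sent from vCenter",
    "<166>2024-03-01T12:00:03.500Z esxi01.example.com Hostd: [Originator@6876 sub=Default] Accepted password for user root from 10.0.0.5",
    "garbage line without a syslog header",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"      # priority = facility * 8 + severity
    r"(?:\d\s)?"                 # optional RFC 5424 version field
    r"(?P<ts>\S+)\s+"            # ISO-8601 timestamp as ESXi emits it
    r"(?P<host>\S+)\s+"          # originating host (hostname or IP)
    r"(?P<proc>[^:\s]+):?\s*"    # process / application name
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Split one syslog line into its fields; return None for unparseable input."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "process": m.group("proc"),
        "message": m.group("msg"),
    }


def messages_from(lines, source):
    """Keep only parseable lines whose originating host equals `source`."""
    return [rec for rec in map(parse_syslog, lines) if rec and rec["host"] == source]


def verify_forwarding(lines, source, minimum=1):
    """Return (ok, count): ok is True when at least `minimum` messages from
    `source` were seen, which is what step 8 asks you to confirm."""
    count = len(messages_from(lines, source))
    return count >= minimum, count
```

Feed it the output of the blutail command above (one line per list entry) and a `False` result means the host's messages are not reaching the sensor, so recheck the LogHost value, protocol and port.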