VMware VSphere/VCenter

Integrating VMware ESXi With Blumira

Blumira’s modern cloud SIEM platform integrates with VMware ESXi to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.


When configured, the Blumira integration with VMware ESXi will stream security event logs to the Blumira service for automated threat detection and actionable response.


Get visibility, detect and respond to threats faster:


  • Quickly detect known and suspected threats with Blumira’s cloud-based platform
  • Reduce the noise of false-positive alerts with backend automation and fine-tuned alerting
  • Detect lateral movement across your environment with virtual honeypots
  • Get guided and actionable remediation playbooks for teams without security expertise
  • View easy-to-understand dashboards and security threat reports to help organizations meet compliance requirements


See how easy it is to set up Blumira with VMware ESXi:


Set Up Instructions

Configure Log Forwarding for VMware ESXi

Forward traffic logs from VMware ESXi to a SIEM for long-term storage, compliance, audit, reporting or legal reasons. The steps for forwarding traffic vary depending on whether you manage hosts with vSphere or vCenter.

VMware vSphere

Log in to the VMware vSphere web client.

  1. Select the Host you’d like to push logs from (note: you cannot select the entire cluster)
  2. Click Configure at the top
  3. In the left-hand column, select System, then click Advanced System Settings
  4. Select Edit in the top right corner
  5. Filter for Syslog
  6. Select Syslog.Global.LogHost
  7. Modify the Syslog.Global.LogHost Value to the IP of the Blumira Sensor in UDP format
    1. Example: udp://<IP of Sensor>:514
  8. Click Ok. Changes will take effect immediately.
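
Because Syslog.Global.LogHost is set host by host rather than on the cluster, a host that was skipped or added later forwards nothing to the sensor. The following is an added example, not Blumira's or VMware's code: it audits one exported Syslog.Global.LogHost value per host against the udp://<IP of Sensor>:514 format from step 7. The sensor IP, the host names and the sample values are constructed, and it assumes a value may list several comma-separated destinations.

```python
from urllib.parse import urlsplit

SENSOR_IP = "192.0.2.10"            # constructed: stands in for the Blumira Sensor IP
EXPECTED = ("udp", SENSOR_IP, 514)  # protocol and port from step 7 above

def parse_loghost(value):
    """Split a comma-separated Syslog.Global.LogHost value into (proto, host, port) tuples."""
    targets = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        # A bare "host:port" has no scheme; urlsplit needs a leading "//" to find the host.
        parts = urlsplit(entry if "://" in entry else "//" + entry)
        targets.append((parts.scheme or None, parts.hostname, parts.port))
    return targets

def audit(settings):
    """Return {esxi_host: [findings]} for hosts not forwarding to the sensor as udp://<ip>:514."""
    report = {}
    for esxi_host, value in settings.items():
        try:
            targets = parse_loghost(value)
        except ValueError as exc:  # non-numeric or out-of-range port
            report[esxi_host] = [f"unparseable value {value!r}: {exc}"]
            continue
        if not targets:
            report[esxi_host] = ["empty: host forwards no logs"]
        elif EXPECTED not in targets:
            findings = []
            for proto, host, port in targets:
                if host != SENSOR_IP:
                    findings.append(f"{host} is not the sensor")
                elif (proto, port) != ("udp", 514):
                    findings.append(f"sensor target uses {proto}/{port}, expected udp/514")
            report[esxi_host] = findings
    return report

# Constructed sample: one exported Syslog.Global.LogHost value per host.
SAMPLE = {
    "esxi-01.example.test": "udp://192.0.2.10:514",
    "esxi-02.example.test": "",
    "esxi-03.example.test": "tcp://192.0.2.10:514",
    "esxi-04.example.test": "udp://192.0.2.99:514,udp://192.0.2.10:514",
    "esxi-05.example.test": "udp://192.0.2.99:514",
    "esxi-06.example.test": "udp://192.0.2.10:99999",
}

if __name__ == "__main__":
    for esxi_host, findings in audit(SAMPLE).items():
        print(esxi_host, "->", "; ".join(findings))
```

Hosts missing from the report already forward to the sensor as configured; every other host needs the steps above repeated on it.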

VMware vCenter

Log in to the vCenter Server Appliance Management Interface as root. The vCenter Server Appliance Management Interface, also known as VAMI, is on the same server as vCenter Server, but is on port 5480. To access the VAMI, you would use https://<vcenter-ip>:5480. The password for VAMI may not be the same as the normal vCenter SSO login. The username is typically ‘root’. Some admins will set the VAMI root password to the same as the vCenter SSO login account, but those two passwords are not linked.

  1. In the vCenter Server Appliance Management Interface, select Syslog.
  2. In the Forwarding Configuration section, click Configure if you have not configured any remote syslog hosts. Click Edit if you already have configured hosts.
  3. In the Create Forwarding Configuration pane, enter the server address of the Blumira Sensor host. The maximum number of supported destination hosts is three.
  4. From the Protocol drop-down menu, select the UDP protocol.
  5. In the Port text box, enter the port number to use for communication with the destination host. This is typically 514.
  6. In the Create Forwarding Configuration pane, click Add to enter another remote syslog server.
  7. Click Save.
  8. Verify that the remote syslog server is receiving messages:
    • In the Forwarding Configuration section, click Send Test Message.
    • Verify in the Blumira console that the test message was received. Alternatively, you may tail the logs on the Blumira Sensor server with the following command:

      sudo docker exec -it $(sudo docker ps --filter status=running --format "{{.ID}}") /blutail | grep <ip_or_hostname_of_source>

    While completing this step, take the time to review your current security policies and ensure that they’re up to date. Blumira generally prefers settings that result in the most verbosity in log content and volume, and these settings should be applied to every policy in the device.