A few days ago I was required to obtain some audit logs from our SIEM system (Sumologic) and from vCenter, and I noticed that our vCenter logs weren't going into Sumologic, and that the log files required for SSO auditing, as well as the VPXD log (which, among other things, records which client each user used to connect), were rotating every 7 days. This was not good. So I decided there was no better time than now to forward vCenter syslogs to Sumologic.
It was a little more complex than just enabling syslog through appliance management, as by default this does not collect the SSO logs, such as:
- /var/log/vmware/sso/ssoAdminServer.log – Auditing SSO logins
- /var/log/vmware/sso/vmware-identity-sts.log – Auditing SSO user changes
I found this out by scouring the internet and piecing bits together, eventually creating a rock-solid syslog source for our vCenter Servers.
Please note: This is not an officially supported configuration by VMware and for larger environments, this could potentially have an impact on the vCenter Server service, so please take caution in the logs you decide to forward. And as always, test this in a lab first.
I also want to mention that this needs to be done on each VCSA instance, i.e. if you have a vCenter with an External PSC, this would need to be done on both servers, in order to collect all the logs.
So, let's begin:
Log in to VAMI (VMware Appliance Management Interface) using the root credentials
The URL is normally https://fqdn.domain.com:5480
Once logged in, click on Syslog Configuration and then on Edit
You are now given the option to configure Syslog. The common Log Level we decided to go with was * (which covers all the things. Well, kind of. More to come on that). The other options are:
We used the IP of the remote syslog collector and kept the standard/default UDP port 514.
Once this was completed, syslog was configured. But the configuration was not yet complete.
For the next part, we will need to use an rsyslog Text File Input Module (imfile), which will allow us to process additional local log files in the VCSA.
SSH to the VCSA hosting the PSC and open /etc/rsyslog.conf for editing.
Press Insert to get into edit mode, and just below the last entry under ###### Module declarations ##### add (rsyslog's legacy syntax only treats # as a comment at the start of a line, so keep the comment on its own line):
# Added for enhanced rsyslog forwarding: text file input module
$ModLoad imfile
Then directly under ###### Rule declarations ###### add:
# SSO login auditing
$InputFileName /var/log/vmware/sso/ssoAdminServer.log
$InputFileTag ssoAdminServer
$InputFileStateFile ssoAdminServer
$InputFileSeverity debug
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePollInterval 10
# SSO user change auditing
$InputFileName /var/log/vmware/sso/vmware-identity-sts.log
$InputFileTag ssoIdentitySts
$InputFileStateFile ssoIdentitySts
$InputFileSeverity debug
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePollInterval 10
So your file should look something like this:
Press Escape and then type :wq to write the file and quit vi.
You then need to restart rsyslog for the logs to actually reach your SIEM instance or syslog server. I recommend doing this on each VCSA that you configured to send syslog:
systemctl restart rsyslog
If everything was configured properly, you should start to see entries from both log files, namely ssoAdminServer.log (ssoAdminServer) and vmware-identity-sts.log (ssoStsIdmd), in your syslog server.
Examples of log files from the Virtual Center:
Please note, these are only snippets and not entire logs.
Successful login using a browser –
Successful login using PowerCLI –
Examples of log files from the Platform Services Controller:
Successful login using a browser –
Also, something to note: during my travels across the internet, I stumbled upon a blog by "Navin", who listed a complete (or at least it seems like it) list of vCenter logs and ESXi logs. So if you have any requirement for additional logs to be ingested, this is the place to find the locations. If you want to add those log files, just use this as a basis (one input block per file; comments on their own lines, since rsyslog's legacy syntax does not support trailing comments after a directive):
# Path of the log file to monitor
$InputFileName /path/to/log/file.log
# The "app" name that will show up when it is forwarded
$InputFileTag Appname
# The state file rsyslog uses to remember how far it has read (must be unique per input)
$InputFileStateFile AppName
# Severity assigned to each forwarded line
$InputFileSeverity debug
# Facility assigned to each forwarded line
$InputFileFacility local7
# Activates the monitor; must be the last directive of the block
$InputRunFileMonitor
$InputFilePollInterval 10
For a more complete list of options and their descriptions, check out the rsyslog website.
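The imfile stanza above is easy to get wrong when repeated for several files (a duplicated state file name, or a second run of the procedure appending the same inputs twice). The script below is an added example, not from the original post, that builds one block per path:tag pair, appends it to the config only if that path is not already monitored, and runs rsyslog's own config check (rsyslogd -N1) before you restart the service. It assumes the legacy $-directive syntax used in this post and a config path you pass in (so it can be tried against a scratch file first).

```shell
#!/bin/sh
# Added example: idempotently add rsyslog imfile inputs for VCSA log files
# and validate the resulting config. Not part of the original post.

# stanza_for <path> <tag>: print one imfile input block for a single log file.
stanza_for() {
  printf '$InputFileName %s\n' "$1"
  printf '$InputFileTag %s\n' "$2"
  # state file name must be unique per input, so reuse the tag for it
  printf '$InputFileStateFile %s\n' "$2"
  printf '$InputFileSeverity debug\n'
  printf '$InputFileFacility local7\n'
  # must be the last directive of the block
  printf '$InputRunFileMonitor\n'
}

# add_imfile_inputs <conf> <path:tag>...: append module load, the global poll
# interval and one input block per file, skipping anything already present.
add_imfile_inputs() {
  conf="$1"; shift
  grep -q '^\$ModLoad imfile' "$conf" || printf '$ModLoad imfile\n' >> "$conf"
  grep -q '^\$InputFilePollInterval' "$conf" || printf '$InputFilePollInterval 10\n' >> "$conf"
  for spec in "$@"; do
    path="${spec%%:*}"; tag="${spec#*:}"
    # a repeated run must not create a second input for the same file
    grep -qF "\$InputFileName $path" "$conf" && continue
    stanza_for "$path" "$tag" >> "$conf"
  done
}

# check_conf <conf>: 0 if rsyslogd accepts the file (or rsyslogd is not installed here).
check_conf() {
  command -v rsyslogd >/dev/null 2>&1 || return 0
  rsyslogd -N1 -f "$1" >/dev/null 2>&1
}

# Typical use on a VCSA/PSC with the two SSO logs from this post:
# add_imfile_inputs /etc/rsyslog.conf \
#   /var/log/vmware/sso/ssoAdminServer.log:ssoAdminServer \
#   /var/log/vmware/sso/vmware-identity-sts.log:ssoIdentitySts \
# && check_conf /etc/rsyslog.conf && systemctl restart rsyslog
```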