
Parsers for VMWare ESX ?

Hi!

I just added some VMWare ESX 6.5 data sources on my ESM 10.3.2. But as far as I can see there are some issues with log parsing. Most of the events are "unknown event".

What can I do?

esx.JPG

Thanks for your help!

6 Replies
Reliable Contributor akerr
Message 2 of 7

Re: Parsers for VMWare ESX ?

Check that VMWare isn't in debug mode for logging.  We've had several instances where for some reason it was in debug mode and sending a huge number of logs that aren't relevant from a security context.

Re: Parsers for VMWare ESX ?

Several ESX nodes were in debug/verbose mode, thanks for that. But I still get a huge amount of logs that are not parsed.

I thought McAfee would have a default VMWare ESX 6.5 parser so I don't have to write it.

Some SIEMs have a full integration of VMWare products with dedicated dashboards and so on...

Reliable Contributor David1111
Message 4 of 7

Re: Parsers for VMWare ESX ?

Hi

Could you please paste the raw packet text?

(without ip addresses details etc.)

Thank you

Reliable Contributor akerr
Message 5 of 7

Re: Parsers for VMWare ESX ?

I'm not quite sure what you're asking for.


Reliable Contributor David1111
Message 6 of 7

Re: Parsers for VMWare ESX ?

Oops, sorry, I asked respssi if he could send me the raw log packet.

Re: Parsers for VMWare ESX ?

Looks like the events that are not parsed are coming from VSAN and NSX.

That should be quite easy to write.
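Before writing a SIEM parser rule for the unparsed events, it helps to know which ESXi daemons the unknown events actually come from, and how much of the volume is verbose/debug noise (the point raised earlier in the thread). The following Python script is an added example, not code from McAfee ESM or from any poster in this thread: it prototypes a tolerant syslog line parser for ESXi-style messages, buckets each event by originating daemon (ESXi core, vSAN, NSX, or unknown), lists the unknown daemon names so a rule can be written for each, and drops verbose/debug-level messages. The sample log lines are constructed, and the daemon-name sets, the "vsan"/"nsx" name heuristics and the level keywords are assumptions to adapt to a real feed.

```python
import re

# Constructed sample lines in an ESXi-like syslog shape: <PRI>TIMESTAMP HOST APP: MSG
SAMPLE_LINES = [
    "<166>2019-03-04T10:15:01Z esx01.lab.example Hostd: info hostd[12345] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 42 : User root logged in",
    "<167>2019-03-04T10:15:02Z esx01.lab.example Hostd: verbose hostd[12345] [Originator@6876 sub=PropertyProvider] RecordOp ASSIGN: info.state",
    "<166>2019-03-04T10:15:03Z esx01.lab.example vsanmgmtd: info vsanmgmtd[2112] cluster health check completed",
    "<165>2019-03-04T10:15:04Z esx01.lab.example nsx-vsip: notice vsip[777] rule 1007 applied",
    "<166>2019-03-04T10:15:05Z esx01.lab.example vobd: [UserLevelCorrelator] Host boot completed",
    "<166>2019-03-04T10:15:06Z esx01.lab.example exampleagentd: info heartbeat ok",
    "this is not syslog at all",
]

# Tolerant pattern: optional RFC 5424 version field, app name up to ':' or '[pid]'.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:1 )?(?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Assumed core ESXi daemon names (lower-case); extend from your own feed.
ESXI_CORE_APPS = {"hostd", "vpxa", "vobd", "vmkernel", "vmkwarning", "fdm"}
# Assumed ESXi in-message level words that mark verbose/debug-mode output.
NOISE_LEVELS = ("verbose", "trivia", "debug")


def parse_esxi_syslog(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["facility"] = rec["pri"] >> 3   # syslog PRI = facility*8 + severity
    rec["severity"] = rec["pri"] & 7    # 7 = debug
    return rec


def classify(app):
    """Bucket a daemon name by product; heuristics are assumptions."""
    a = app.lower()
    if a in ESXI_CORE_APPS:
        return "esxi"
    if "vsan" in a:
        return "vsan"
    if a.startswith("nsx"):
        return "nsx"
    return "unknown"


def is_noise(rec):
    """True for debug-severity lines or messages whose level word is verbose/trivia/debug."""
    level_word = rec["msg"].split(" ", 1)[0].lower()
    return rec["severity"] == 7 or level_word in NOISE_LEVELS


def summarize(lines):
    """Count events per bucket and collect unknown daemon names to write rules for."""
    counts = {"esxi": 0, "vsan": 0, "nsx": 0, "unknown": 0, "unparsed": 0}
    unknown_apps = set()
    for line in lines:
        rec = parse_esxi_syslog(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        bucket = classify(rec["app"])
        counts[bucket] += 1
        if bucket == "unknown":
            unknown_apps.add(rec["app"])
    return counts, sorted(unknown_apps)


def drop_noise(lines):
    """Return parsed records with verbose/debug-level messages removed."""
    recs = (parse_esxi_syslog(l) for l in lines)
    return [r for r in recs if r is not None and not is_noise(r)]


if __name__ == "__main__":
    counts, unknown = summarize(SAMPLE_LINES)
    print("per-bucket counts:", counts)
    print("daemons needing a parser rule:", unknown)
    print("records kept after noise filter:", len(drop_noise(SAMPLE_LINES)))
```

Run it against a dump of the raw packets the SIEM tags as unknown; the `unknown` list is the set of app names that still need a rule, and the ratio of dropped noise records tells you whether the host is still logging at verbose level. The regex is deliberately loose so that both the bare and the RFC 5424 versioned forms match; tighten the app and message groups once you have confirmed the exact format your ESXi hosts emit.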
