Parsers for VMWare ESX?

Hi!

I just added some VMWare ESX 6.5 data sources on my ESM 10.3.2. But as far as I see there are some issues with log parsing. Most of the events are "unknown event".

What can I do?

esx.JPG

Thanks for your help!

6 Replies
Reliable Contributor akerr
Message 2 of 7

Re: Parsers for VMWare ESX?

Check that VMWare isn't in debug mode for logging. We've had several instances where for some reason it was in debug mode and sending a huge number of logs that aren't relevant from a security context.

Re: Parsers for VMWare ESX?

Several ESX nodes were in debug/verbose mode, thanks for that. But I still get a huge amount of logs that are not parsed.

I thought McAfee would have a default VMWare ESX 6.5 parser so I don't have to write it.

Some SIEMs have a full integration of VMWare products with dedicated dashboards and so on...

Reliable Contributor David1111
Message 4 of 7

Re: Parsers for VMWare ESX?

Hi,

could you please paste the raw packet text?

(without IP address details etc.)

Thank you

Reliable Contributor akerr
Message 5 of 7

Re: Parsers for VMWare ESX?

I'm not quite sure what you're asking for.


Reliable Contributor David1111
Message 6 of 7

Re: Parsers for VMWare ESX?

Oooops, sorry, I asked respssi if he could send me the raw log packet.

Re: Parsers for VMWare ESX?

Looks like the events that are not parsed are coming from VSAN and NSX.

That should be quite easy to write.
