
Configure VMWare ESXi Log Ingestion

This tutorial will show you how to onboard an ESXi host into Azure Sentinel via the Log Analytics Agent.

Prerequisites

  1. Log Analytics Agent

    1. If you do not have one, you can follow these steps to create one:

      1. Log Analytics Agent for Windows

      2. Log Analytics Agent for Linux

  2. Configure Azure log collector for syslog

    1. You can follow the link “Collect Syslog data sources with Log Analytics agent” if you haven’t configured it yet.

Scope and Limitation

  1. This tutorial is based on ESXi 7 and above.

  2. This tutorial shows the basic setup. If you have a hardened syslog setup, you may also need to set the other syslog fields in your ESXi Advanced Settings; search for the keyword “syslog.global” to find them.

    1. You can refer to “Configure Syslog on ESXi Hosts” for more information

Onboarding your ESXi

You have to do this for each of your ESXi hosts.

  1. Log in to your ESXi server

  2. Go to “Host”

  3. Go to “Manage”

  4. Select “System” Tab

  5. Select “Advanced Settings”

  6. Search for “syslog.global.logHost”

  7. Click the edit option

  8. Enter the address of your Log Analytics agent in the form protocol://host:port, using the following details:

    1. udp or tcp

    2. ip or hostname

    3. port

    4. example: udp://192.168.246.3:514

  9. Click “Save”

  10. You can verify that the setup is working by running a query in Sentinel Logs and checking that your ESXi hostname appears in the Computer field:

    1. Syslog | distinct Computer

Note: If you have vSphere set up, you should be able to see all your ESXi hosts from there without logging in to each server one by one.

Troubleshooting

  1. Make sure your agent is listening on the port (Note: depending on your setup, the sample below listens on both UDP and TCP, but normally syslog listens on UDP only)

    netstat -taupn | grep syslog
    tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      4483/rsyslogd
    udp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      4483/rsyslogd

  2. Test if the port is open (you can do this on both local and remote)

    1. UDP: nc -z -v -u [ip address] [port]

    2. TCP: nc -z -v [ip address] [port]

    3. A successful connection should look something like this:

      nc -z -v -u 127.0.0.1 514
      localhost [127.0.0.1] 514 (syslog) open

  3. Test if you can send a message (you can do this on both local and remote)

    1. UDP: nc -w1 -u [ip address] [port] <<< "testUDP"

    2. TCP: nc -w1 [ip address] [port] <<< "testTCP"

    3. If everything is successful, you should immediately see testUDP or testTCP as the Computer name in the Sentinel log, or you can use this query:

      1. Syslog | where Computer == "testUDP" or Computer == "testTCP"

Appendix

  1. Enable SSH access on the ESXi host for troubleshooting connections

    1. Log in to the ESXi server

    2. Click the host

    3. Click on Actions

    4. Click on Services

    5. Enable SSH
