Log Collection VMware: References - VMware Event Source Configuration Parameters

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

You use the VMware option on the Log Collector Config View Event Sources tab to add and maintain configuration parameters for VMware event sources. These event sources generate events from a VMware virtual infrastructure. The infrastructure typically consists of multiple VMware vCenter Servers that connect to several ESX, ESXi, and embedded ESXi servers. Each of the vCenter servers collects and manages tasks and events. Events can be any message generated by a VMware event source (for example, an alarm).  Tasks are jobs that you schedule to perform.

To access the VMware Event Source Configuration Parameters:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the AdvcdExpandBtn.PNG icon under Actions and select View > Config.
    The Service Config view is displayed with the General tab open.
  4. Click the Event Sources tab.
  5. Select VMware from the drop-down menu.

Features

The VMware view in the Event Sources tab has two panels: Event Categories and Sources.

Event Categories Panel

In the Event Categories panel, you can add or delete VMware event source types.

                   
Feature | Description
Add icon | Displays the Available Event Source Types dialog from which you select the event source type for which you want to define parameters.
Delete icon | Deletes the selected event source types from the Event Categories panel.
Checkbox | Selects event source types.
Name | Displays the name of the event source types that you have added.

Available Event Source Types Dialog

The Available Event Source Types dialog displays the list of supported event source types.

                   
Feature | Description
Checkbox | Selects the event source type that you want to add.
Name | Displays the event source types that are available to add. Valid values are:
  • vmware-events
    Set up vmware-events to collect events from vCenter Servers and ESX/ESXi servers.
  • vmware-tasks
    (Optional) Set up vmware-tasks to collect tasks from vCenter Servers.
Cancel | Closes the dialog without adding an event source type.
OK | Adds the selected event source type to the Event Categories panel.

Sources Panel

Use this panel to review, add, modify, and delete event sources and their parameters for the event source type you selected in the Event Categories panel.

Caution: For VMware event collection, Security Analytics pulls all the currently existing events the first time that you start collecting VMware events.

Toolbar

The following table provides descriptions of the toolbar options.

                   
Option | Description
Add icon | Opens the Add Source dialog in which you add an event source for the event source type that you selected in the Event Categories panel.
Delete icon | Deletes the selected event sources.
Edit icon | Opens the Modify Source dialog in which you modify the configuration parameters for the selected event source.

When you select multiple event sources, opens the Bulk Edit Source dialog in which you can edit the parameter values for the selected event sources.

Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.
Import icon | Opens the Bulk Add Option dialog in which you can import source parameters in bulk from a comma-separated values (CSV) file. The Bulk Add Option dialog has the following two options.

Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.
Export icon | Creates a .csv file that contains the parameters for the selected sources.

Refer to Import, Export, and Edit Event Sources in Bulk for detailed steps on how to use this function.

Add or Modify Sources Dialog

In this dialog, you add or modify an event source for the selected event source type.

                
Feature | Description
Source Parameters | Lists the parameters populated with the default values. Enter or modify the appropriate values.
Cancel | Closes the dialog without adding an event source or saving the parameter values for the selected event source.
OK | In the Add Sources dialog, adds the event source and its parameters. In the Modify Sources dialog, applies the parameter value changes for the selected event source.

Source Parameters

The following table provides descriptions of the source parameters.

                                            
Name | Description
Basic
Name * | Name of the server on which VMware is running.
Address * | IP address of the VMware server (127.0.0.1 is the default value).
Username * | User name that the Log Collector uses to connect to the VMware server. You must specify a user name when you create the event source.

Caution: If you need to enter the domain name as part of the Username, you must use a backslash as a separator. For example, if the domain\username is corp\smithj, you must specify corp\\smithj.

Password * | Password that the Log Collector uses to connect to the VMware server.

Caution: The password is encrypted internally and is displayed in its encrypted form.

Enabled | Select the check box to enable the event source configuration to start collection. The check box is selected by default.
Advanced
Polling Interval | Interval (amount of time in seconds) between each poll. The default value is 180.

For example, if you specify 180, the collector schedules a polling of the event source every 180 seconds. If the previous polling cycle is still underway, the collector waits for that cycle to finish. If you have a large number of event sources that you are polling, it may take longer than 180 seconds for the polling to start because the threads are busy.
Max Duration Poll | The maximum duration of a polling cycle (how long the cycle lasts) in seconds.
Max Idle Time Poll | Maximum idle time, in seconds, of a polling cycle. 0 indicates no limit. 300 is the default value.
Max Events Poll | The maximum number of events per polling cycle (how many events are collected per polling cycle).
Debug | Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

Enables or disables debug logging for the event source. Valid values are:
  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode; adds thread information and source context information to the messages.
This parameter is designed to debug and monitor isolated event source collection issues.

If you change this value, the change takes effect immediately (no restart required).

The debug logging is verbose, so limit the number of event sources to minimize performance impact.
Cancel | Closes the dialog without adding an event source type.
OK | Adds the parameters for the event source.
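
The parameter descriptions and cautions in the table above can be checked mechanically against an exported sources file. The following is an added example, not RSA code: the CSV column names and the sample rows are assumptions constructed for illustration, and the real export layout may differ.

```python
import csv
import io
import ipaddress

DEBUG_VALUES = ("Off", "On", "Verbose")  # valid values listed in the table above

# Constructed sample of an exported sources file. Column names are assumed
# for this example and may not match the product's actual CSV layout.
SAMPLE_CSV = r"""name,address,username,max_idle_time_poll,debug
vcenter-a,10.20.0.15,corp\\svc_logcollect,300,Off
vcenter-b,127.0.0.1,corp\svc_logcollect,0,Verbose
esxi-07,not-an-ip,,300,On
"""


def audit_sources(csv_text):
    """Return (source name, finding) pairs for rows that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"]
        # Address: must parse as an IP; 127.0.0.1 is the untouched default.
        try:
            if str(ipaddress.ip_address(row["address"])) == "127.0.0.1":
                findings.append((name, "address left at default 127.0.0.1"))
        except ValueError:
            findings.append((name, "address is not a valid IP address"))
        # Username: required; a domain separator must be written as \\.
        user = row["username"]
        if not user:
            findings.append((name, "username is required"))
        elif "\\" in user.replace("\\\\", ""):
            findings.append((name, "domain separator must be a double backslash"))
        # Debug: On and Verbose are for short investigations only.
        debug = row["debug"]
        if debug not in DEBUG_VALUES:
            findings.append((name, "debug must be Off, On or Verbose"))
        elif debug != "Off":
            findings.append((name, f"debug is {debug}, which slows the Log Collector"))
        # Max Idle Time Poll: 0 removes the idle limit (default is 300).
        if row["max_idle_time_poll"] == "0":
            findings.append((name, "max idle time poll is 0 (no limit)"))
    return findings


if __name__ == "__main__":
    for source, finding in audit_sources(SAMPLE_CSV):
        print(f"{source}: {finding}")
```

Running the audit after each bulk import or edit catches sources where debugging was left on after an investigation or where the address was never changed from its default.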

Tasks

Step 1: Configure VMware Event Sources in Security Analytics
