
Using the Snare Server to collect VMware ESXi Logs - InterSect Alliance

Snare Server v6 VMware Logging Guide

© InterSect Alliance International Pty Ltd Page 1 of 20


© Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance International Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence, which covers the Snare agents and some other software. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.


About this guide

This document details the steps required to configure VMware ESXi, using the vSphere command-line interface (esxcli), to forward its logs to the Snare Server, and also highlights some basic analysis strategies for Snare Server version 6. More details on the techniques used are available in the Snare Server Users Guide.

These instructions were tested on VMware ESXi 5.1 and should also apply to other versions of ESXi and ESX, provided the syslog configuration can be modified to forward events to the Snare Server.

Other resources that may be useful to read include:
● Snare Server v6.x Users Guide
● vSphere Command-Line Interface Documentation - http://www.vmware.com/support/developer/vcli/

Table of Contents:

1. VMware Server Configuration
   1.1 Activate SSH, or access the vSphere Console
       Initial Screen
       Troubleshooting
       Activate SSH / Console
   1.2 Syslog delivery
       1.2.1 Firewall configuration
       1.2.2 Syslog configuration
2. Analysis


1. VMware Server Configuration

The following procedure assumes that you wish to configure the vSphere server via the command line. Logging functionality can also be modified using the vSphere Client GUI; please see the VMware documentation for detailed procedures.

1.1 Activate SSH, or access the vSphere Console

➤ What You Need
○ The DNS name or IP address of your vSphere server.
○ Access to the vSphere console to enable SSH.

➤ Initial Screen

On the vSphere console, use the F2 key to access the system configuration options.

Hit F2 on your keyboard.

➤ Troubleshooting

Use your cursor keys to select the ‘Troubleshooting Options’ menu entry, and press ENTER on your keyboard.

Choose ‘Troubleshooting Options’.


➤ Activate SSH / Console

In the Troubleshooting Options menu you will need to enable either the local ESXi Shell (the vSphere console) or SSH. Both are disabled by default and should be disabled again once configuration is complete, since each exposes a root-capable shell on the host.

If you choose the console, the keyboard sequence Alt+F1 will open a local shell on the host. Log in using your administrator (root) account and password.

If you choose SSH, connect to your ESX machine using the IP address displayed on the first console screen and log in with the same account.

1.2 Syslog delivery

In order to activate remote delivery of VMware log data using the syslog protocol, several commands need to be run:

1.2.1 Firewall configuration

Run the following commands to allow syslog traffic out through the ESXi host's local firewall (the syslog ruleset is disabled by default, so without this step nothing will reach the Snare Server):

    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli network firewall refresh

1.2.2 Syslog configuration

Configure ESXi to forward its logs to the Snare Server using the syslog protocol, then reload the syslog daemon so the change takes effect. Substitute the IP address of your Snare Server for the “10.11.12.13” in the following commands:

    esxcli system syslog config set --loghost='udp://10.11.12.13:514'
    esxcli system syslog reload

The loghost above uses plain UDP on port 514, which is unauthenticated, unencrypted and gives no delivery guarantee; if your Snare Server has been configured to accept syslog over TCP or TLS, a tcp:// or ssl:// loghost with the matching port can be used instead. The active setting can be confirmed with esxcli system syslog config get.


2. Analysis

If you are not familiar with the operation of the Snare Server, please refer to the Snare Server Users Guide for more information.

The Snare Server will receive data from your ESX/vSphere server and add it to the generic syslog data source. The following series of screenshots provides an example of how to perform basic analysis on VMware vSphere/ESX log data.

Create a new objective called “VMWare ESX”

Modify the objective configuration. Choose the “Change Type” button.


Choose the “Analyse data from Generic Syslog logs” objective template, from the “Generic Syslog” group.

Once the objective template has been selected, the Configuration window will reappear with log-type-specific settings.

Add a new match, and tell the Snare Server to look for logs from the ESX/vSphere server’s hostname.


Add output components to the objective, such as the 15 minute pattern map, and Tabular Details.


Modify the Table output configuration to include the fields of interest, save the configuration, and regenerate the objective.


We have some data returned from the objective. In this case, the data has arrived from the ‘v5dev’ server.

Note, however, that the body of the message contains details worth analysing in more depth. In particular, the date/time presented inside the event differs slightly from the time at which the Snare Server received the event.

Usually Snare is able to read the date/time from within each event, but VMware uses an ISO 8601 timestamp rather than the traditional BSD syslog date, so the Snare Server has preserved both the receive time and the log time in the event. The log time can still be pulled out for analysis, as shown next.


Go back to your Configuration settings, and select the green ‘Add New’ button near the top of the window.


A new window will pop up asking for the “Field Name”. Let's use “VMDATE”.

Next, test a regular expression match to pull the date out of the event body. To do this, copy and paste a sample event from the tabular output into the ‘Sample log entry’ field, then craft a simple regular expression to extract the date from the entry.

In this case the regular expression translates to: grab the first 10 characters of the event, consisting only of digits or dashes.

Copy this expression to the ‘Token’ field, and save the result using the ‘Create Field’ button.


Regular expressions are very powerful. We could achieve almost the same result with the expression shown above instead (grab the first 10 characters of the event, regardless of what they contain). The digits-or-dashes version is preferable, though, because it simply fails to match an event whose body does not begin with a date instead of filling VMDATE with the first ten characters of something else.

While we are at it, we can grab the time (VMTIME). Since VMware's time format is consistent, a simple regular expression like the one above is adequate.


Next, we can pull out the syslog ‘category’ (“VMCATEGORY”)

And the actual message content (“VMEVENT”)


These fields can then be added to our Table output as required.


Or featured as part of a graph component.

Regenerate the objective once more when the configuration is complete.

Pie graph of sources.


If we wanted to search for a particular subset of messages, such as commands executed by the root-level user, we could refine the configuration further. ESXi records every command entered in the ESXi Shell together with the user who ran it, so this search gives an audit trail of privileged interactive activity on the host.

In this case, we have asked Snare to search for events from ‘VMWareESX001’ with a ‘VMSource’ (the syslog category extracted above) of ‘shell’.

Regenerate the objective once done.
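The field extraction described on the preceding pages (VMDATE, VMTIME, VMCATEGORY, VMEVENT) and the root-level shell search above can be reproduced outside the Snare Server, which is a convenient way to test patterns against sample events before pasting them into a Token field. The following is an added example written for this guide, not Snare Server code: the regular expressions are reconstructions of the descriptions in the text (the original screenshots are not reproduced here), the field and host names follow the guide, and the sample events are constructed to match the ESXi 5.x syslog line format rather than captured from a real host.

```python
"""Field extraction and root-shell search over ESXi syslog events.

Added example for this guide, not Snare Server code. Field names follow the
guide (VMDATE, VMTIME, VMCATEGORY, VMEVENT, plus the 'VMSource' = 'shell'
search); the regular expressions reconstruct the descriptions in the text
and the sample events are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in the shape ESXi 5.x writes to syslog:
# ISO 8601 UTC timestamp, host name, syslog tag[pid], message body.
SAMPLE_EVENTS = [
    "2013-02-05T03:14:15Z VMWareESX001 shell[20831]: [root]: esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true",
    "2013-02-05T03:14:16Z VMWareESX001 Hostd: [FFA5AB90 info 'Hostd'] Accepted password for user root from 10.11.12.99",
    "2013-02-05T03:15:02Z VMWareESX001 shell[20831]: [root]: esxcli system syslog config set --loghost='udp://10.11.12.13:514'",
    "2013-02-05T03:15:03Z VMWareESX001 shell[20831]: [root]: esxcli system syslog reload",
    "2013-02-05T03:16:40Z VMWareESX001 vmkernel: cpu3:2049)NMP: nmp_ThrottleLogForDevice:2318: device naa.600508b1 is reachable again",
    "2013-02-05T03:17:09Z VMWareESX001 shell[21002]: [auditor]: esxcli system syslog config get",
    "2013-02-05T03:17:10Z VMWareESX002 shell[4410]: [root]: vim-cmd vmsvc/getallvms",
    "a line that is not an ESXi syslog event at all",
]

# VMDATE: the guide's "first 10 characters that contain numbers or dashes".
DATE_RE = re.compile(r"^([0-9-]{10})")
# VMTIME: the eight hh:mm:ss characters after the 'T' separator (assumption).
TIME_RE = re.compile(r"^.{10}T([0-9:]{8})")
# Whole header: timestamp, host, syslog tag (VMCATEGORY) with optional [pid],
# then the message body (VMEVENT).
HEADER_RE = re.compile(
    r"^(?P<stamp>\S+) (?P<host>\S+) (?P<tag>[A-Za-z]+)(?:\[(?P<pid>\d+)\])?: (?P<event>.*)$"
)
# Shell events carry the user who typed the command as "[user]: command".
SHELL_RE = re.compile(r"^\[(?P<user>[^\]]+)\]: (?P<command>.*)$")


@dataclass
class ESXiEvent:
    host: str
    vmdate: str
    vmtime: str
    vmcategory: str
    vmevent: str
    shell_user: Optional[str] = None
    command: Optional[str] = None


def parse_event(line: str) -> Optional[ESXiEvent]:
    """Return the extracted fields, or None if the line is not an ESXi event."""
    header = HEADER_RE.match(line)
    date = DATE_RE.match(line)
    time = TIME_RE.match(line)
    if not (header and date and time):
        return None  # strict patterns: never emit half-parsed fields
    ev = ESXiEvent(
        host=header["host"],
        vmdate=date.group(1),
        vmtime=time.group(1),
        vmcategory=header["tag"],
        vmevent=header["event"],
    )
    if ev.vmcategory == "shell":
        shell = SHELL_RE.match(ev.vmevent)
        if shell:
            ev.shell_user = shell["user"]
            ev.command = shell["command"]
    return ev


def root_shell_commands(lines, host: Optional[str] = None) -> List[ESXiEvent]:
    """The guide's search: events from one host, category 'shell', run by root."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or (host and ev.host != host):
            continue
        if ev.vmcategory == "shell" and ev.shell_user == "root":
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in root_shell_commands(SAMPLE_EVENTS, host="VMWareESX001"):
        print(f"{ev.vmdate} {ev.vmtime} {ev.host} {ev.vmcategory} {ev.command}")
```

Run stand-alone, the script lists the three root shell commands from VMWareESX001 and ignores the same kind of command from a different host, the command run by a non-root shell user, and the malformed line. The anchored, length-limited patterns are the point: a looser expression would happily populate VMDATE from a vmkernel message or from junk, and the resulting table would look complete while being wrong.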


Output of a search for root-level command execution.
