You can enable syslog on ESXi, but I don't know about vSphere on Windows. Allow syslog on ESXi hosts (firewall): http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-1083C791-83A1-4442-AE25-3BA454FC0444.html
Configure syslog on ESXi hosts: https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc_50%2FGUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html

Add the source (ESXi) to the OSSEC server configuration (ossec.conf), for example:

  <!-- accept remote syslog (UDP 514 by default) from the ESXi network -->
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
  </remote>

The hardest part is creating rules, because ESXi is too "loud". For example:

  <group name="syslog,esxi">
    <!-- sshd on the ESXi host -->
    <rule id="1500" level="5">
      <match>Rejected password|Authentication failure for</match>
      <description>Failed login - ESXi</description>
    </rule>
    <rule id="1501" level="5">
      <match>Accepted password</match>
      <description>Login successful - ESXi</description>
    </rule>
    <rule id="1502" level="5">
      <match>SSH login enabled</match>
      <description>ESXi - SSH enabled</description>
    </rule>
    <rule id="1503" level="3">
      <match>SSH login disabled</match>
      <description>ESXi - SSH disabled</description>
    </rule>
    <rule id="1504" level="5">
      <match>Failed keyboard-interactive</match>
      <description>ESXi - SSH invalid user</description>
    </rule>
    <!-- ESXi firewall ruleset changes -->
    <rule id="1506" level="5">
      <match>UpdateRulesetStatus: enable</match>
      <description>ESXi - firewall exception enabled</description>
    </rule>
    <rule id="1507" level="3">
      <match>UpdateRulesetStatus: disable</match>
      <description>ESXi - firewall exception disabled</description>
    </rule>
    <!-- vCenter logins -->
    <rule id="1508" level="5">
      <match>Failed to authenticate user</match>
      <description>Login failed - vCenter</description>
    </rule>
    <rule id="1509" level="5">
      <match>authenticated successfully.</match>
      <description>Login successful - vCenter</description>
    </rule>
  </group>
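A quick way to check that rules like these fire on the lines you expect, and only on those, before loading them into OSSEC. This is example code added to the thread, not part of OSSEC or of the post above. It assumes OSSEC's <match> semantics (a plain substring test where "|" separates alternatives) and re-implements just that; the rule XML is the set from the post, and the log lines are constructed samples modelled on sshd/hostd/vpxd output, not captured ESXi logs.

```python
"""Replay the posted ESXi/vCenter OSSEC rules against constructed syslog lines.

Added example, not OSSEC code. Assumption: an OSSEC <match> is a literal
substring test in which '|' separates alternatives (no other regex syntax),
so each alternative is escaped before being compiled into one Python regex.
"""
import re
import xml.etree.ElementTree as ET

# Rule set from the post, verbatim, so the match strings are exercised as written.
RULES_XML = """<group name="syslog,esxi">
  <rule id="1500" level="5"><match>Rejected password|Authentication failure for</match><description>Failed login - ESXi</description></rule>
  <rule id="1501" level="5"><match>Accepted password</match><description>Login successful - ESXi</description></rule>
  <rule id="1502" level="5"><match>SSH login enabled</match><description>ESXi - SSH enabled</description></rule>
  <rule id="1503" level="3"><match>SSH login disabled</match><description>ESXi - SSH disabled</description></rule>
  <rule id="1504" level="5"><match>Failed keyboard-interactive</match><description>ESXi - SSH invalid user</description></rule>
  <rule id="1506" level="5"><match>UpdateRulesetStatus: enable</match><description>ESXi - firewall exception enabled</description></rule>
  <rule id="1507" level="3"><match>UpdateRulesetStatus: disable</match><description>ESXi - firewall exception disabled</description></rule>
  <rule id="1508" level="5"><match>Failed to authenticate user</match><description>Login failed - vCenter</description></rule>
  <rule id="1509" level="5"><match>authenticated successfully.</match><description>Login successful - vCenter</description></rule>
</group>"""

# Constructed sample lines (not real captures): one per rule, plus a noisy
# vmkernel line that must not fire anything.
SAMPLE_LOGS = [
    "Dec 10 10:00:01 esxi01 sshd[4711]: Rejected password for root from 10.1.2.3 port 51122 ssh2",
    "Dec 10 10:00:05 esxi01 sshd[4711]: Accepted password for root from 10.1.2.3 port 51122 ssh2",
    "Dec 10 10:01:00 esxi01 Hostd: SSH login enabled",
    "Dec 10 10:02:00 esxi01 Hostd: SSH login disabled",
    "Dec 10 10:03:00 esxi01 sshd[4720]: Failed keyboard-interactive/pam for invalid user admin from 10.1.2.3 port 51130 ssh2",
    "Dec 10 10:04:00 esxi01 Hostd: UpdateRulesetStatus: enable sshServer",
    "Dec 10 10:05:00 esxi01 Hostd: UpdateRulesetStatus: disable sshServer",
    "Dec 10 10:06:00 vcenter vpxd: Failed to authenticate user bob from 10.1.2.3",
    "Dec 10 10:07:00 vcenter vpxd: User bob authenticated successfully.",
    "Dec 10 10:08:00 esxi01 vmkernel: cpu0:2048)ScsiDeviceIO: 2316: Cmd 0x1a from world 0 to dev naa.6000 failed H:0x0 D:0x2",
]


def load_rules(xml_text):
    """Parse an OSSEC <group> into (id, level, compiled pattern, description) tuples.

    Each '|'-separated alternative in <match> is a literal substring, so every
    alternative is re.escape()d before the alternatives are joined into one regex.
    """
    rules = []
    for rule in ET.fromstring(xml_text).findall("rule"):
        alternatives = rule.findtext("match").split("|")
        pattern = re.compile("|".join(re.escape(a) for a in alternatives))
        rules.append((rule.get("id"), int(rule.get("level")), pattern, rule.findtext("description")))
    return rules


def matching_rule_ids(line, rules):
    """Ids of every rule whose match string occurs in the line.

    All hits are returned (OSSEC itself reports one rule per event) so that
    overlapping match strings competing for the same line show up here.
    """
    return [rid for rid, _lvl, pat, _desc in rules if pat.search(line)]


def alerts(lines, rules, min_level=0):
    """(rule id, level, description, line) for every hit at or above min_level."""
    return [(rid, lvl, desc, line)
            for line in lines
            for rid, lvl, pat, desc in rules
            if lvl >= min_level and pat.search(line)]


if __name__ == "__main__":
    rs = load_rules(RULES_XML)
    for rid, lvl, desc, line in alerts(SAMPLE_LOGS, rs):
        print(f"rule {rid} level {lvl}: {desc}  <- {line}")
```

Running it with min_level=5 drops the two level-3 rules (SSH disabled, firewall exception disabled) and keeps the rest, which is the split the post's levels imply. Before relying on any of the match strings, replace the constructed lines with lines copied from your own hosts' syslog output, since the exact text emitted by sshd, hostd and vpxd varies between ESXi and vCenter versions.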
