You can enable syslog on ESXi, but I don't know about vSphere on Windows.

Allow syslog on ESXi hosts (firewall):
http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-1083C791-83A1-4442-AE25-3BA454FC0444.html

Configure syslog on ESXi hosts:
https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc_50%2FGUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html

Add the source (ESXi) to the OSSEC server configuration (ossec.conf), for example:

  <!-- With <connection>syslog</connection> the server listens on UDP/514 unless
       <port> and <protocol> are set. Narrow <allowed-ips> to the ESXi management
       addresses rather than a whole /16 so only the hosts you expect can inject logs. -->
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
  </remote>

The hardest part is creating rules, because ESXi is too "loud". For example:

<!-- OSSEC <match> is a literal substring test; "|" separates alternatives (OR).
     None of these rules carry a <program_name> or <hostname> restriction, so the
     sshd patterns also fire on syslog from any other host forwarding to this server.
     OSSEC reserves ids 100000-119999 for user-defined rules; ids 1500-1509 sit in
     the range used by the stock syslog rules and may collide with shipped rules. -->
<group name="syslog,esxi">
  <!-- ESXi sshd authentication results -->
  <rule id="1500" level="5">
    <match>Rejected password|Authentication failure for</match>
    <description>Failed login - ESXi</description>
  </rule>
  <rule id="1501" level="5">
    <match>Accepted password</match>
    <description>Login successful - ESXi</description>
  </rule>
  <!-- SSH service toggled on/off on the host -->
  <rule id="1502" level="5">
    <match>SSH login enabled</match>
    <description>ESXi - SSH enabled</description>
  </rule>
  <rule id="1503" level="3">
    <match>SSH login disabled</match>
    <description>ESXi - SSH disabled</description>
  </rule>
  <rule id="1504" level="5">
    <match>Failed keyboard-interactive</match>
    <description>ESXi - SSH invalid user</description>
  </rule>
  <!-- Host firewall ruleset changes (UpdateRulesetStatus lines from hostd) -->
  <rule id="1506" level="5">
    <match>UpdateRulesetStatus: enable</match>
    <description>ESXi - firewall exception enabled</description>
  </rule>
  <rule id="1507" level="3">
    <match>UpdateRulesetStatus: disable</match>
    <description>ESXi - firewall exception disabled</description>
  </rule>
  <!-- vCenter (vpxd) authentication results -->
  <rule id="1508" level="5">
    <match>Failed to authenticate user</match>
    <description>Login failed - vCenter</description>
  </rule>
  <rule id="1509" level="5">
    <match>authenticated successfully.</match>
    <description>Login successful - vCenter</description>
  </rule>
</group>

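A dry run of the rule set above against constructed syslog lines, as an added example that is not part of the original post or of OSSEC itself. It reproduces only the documented `<match>` semantics (a literal substring test, with `|` separating alternatives) so you can check which rule each line would trigger before loading the rules into a server; the sample log lines are constructed, not captured from a host.

```python
# Added example (not from the original post or from OSSEC): dry-run the ESXi/vCenter
# rules against constructed syslog lines, reproducing the documented <match> semantics
# (literal substring test; '|' separates alternatives) to see which rule fires per line.
import xml.etree.ElementTree as ET

# The rules from the post, ids and levels unchanged.
RULES_XML = """<group name="syslog,esxi">
  <rule id="1500" level="5"><match>Rejected password|Authentication failure for</match><description>Failed login - ESXi</description></rule>
  <rule id="1501" level="5"><match>Accepted password</match><description>Login successful - ESXi</description></rule>
  <rule id="1502" level="5"><match>SSH login enabled</match><description>ESXi - SSH enabled</description></rule>
  <rule id="1503" level="3"><match>SSH login disabled</match><description>ESXi - SSH disabled</description></rule>
  <rule id="1504" level="5"><match>Failed keyboard-interactive</match><description>ESXi - SSH invalid user</description></rule>
  <rule id="1506" level="5"><match>UpdateRulesetStatus: enable</match><description>ESXi - firewall exception enabled</description></rule>
  <rule id="1507" level="3"><match>UpdateRulesetStatus: disable</match><description>ESXi - firewall exception disabled</description></rule>
  <rule id="1508" level="5"><match>Failed to authenticate user</match><description>Login failed - vCenter</description></rule>
  <rule id="1509" level="5"><match>authenticated successfully.</match><description>Login successful - vCenter</description></rule>
</group>"""

# Constructed sample lines shaped like ESXi sshd/hostd and vCenter vpxd syslog output.
SAMPLE_LOGS = [
    "Apr 10 12:00:01 esxi01 sshd[1234]: Rejected password for root from 192.168.1.50 port 50122 ssh2",
    "Apr 10 12:00:05 esxi01 sshd[1235]: Accepted password for root from 192.168.1.10 port 50130 ssh2",
    "Apr 10 12:01:00 esxi01 Hostd: UpdateRulesetStatus: enable sshServer",
    "Apr 10 12:02:00 vcenter01 vpxd: User administrator@vsphere.local authenticated successfully.",
    "Apr 10 12:03:00 esxi01 Hostd: heartbeat ok",  # noise line: should match nothing
]

def parse_rules(xml_text):
    """Return (id, level, alternatives, description) tuples from a <group> block."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append((int(r.get("id")), int(r.get("level")),
                      r.findtext("match").split("|"), r.findtext("description")))
    return rules

def match_rule(rule, line):
    """OSSEC <match>: fire if any '|'-separated alternative occurs in the line."""
    return any(alt in line for alt in rule[2])

def classify(line, rules):
    """Rule id to alert on (highest level wins, lowest id on ties; simplified), or None."""
    hits = [r for r in rules if match_rule(r, line)]
    return max(hits, key=lambda r: (r[1], -r[0]))[0] if hits else None

def run(logs=SAMPLE_LOGS, xml_text=RULES_XML):
    """Map each log line to the rule id it triggers."""
    rules = parse_rules(xml_text)
    return {line: classify(line, rules) for line in logs}
```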