Collect VMware ESXi logs
This document explains how to ingest VMware ESXi logs to Google Security Operations using Bindplane. VMware ESXi is a bare-metal hypervisor that installs directly on physical servers to partition them into multiple virtual machines. ESXi logs capture host system events, authentication activity, virtual machine operations, storage and network events, and hypervisor kernel messages.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- A Windows Server 2016 or later host, or a Linux host with systemd.
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
- Privileged access to the VMware ESXi host (root or administrator role) via the ESXi Host Client or vSphere Client.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
- Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open the Command Prompt or PowerShell as an administrator.
- Run the following command:

```
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
```
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:

```
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
```
Additional installation resources
For additional installation options, consult the Bindplane agent installation guide.
Configure Bindplane agent to ingest syslog and send to Google SecOps
- Access the configuration file:
  - Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
  - Open the file using a text editor (for example, nano, vi, or Notepad).
- Edit the config.yaml file as follows:

```yaml
receivers:
  udplog:
    # Replace the port and IP address as required
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the path to the credentials file you downloaded in Step 1
    creds_file_path: '/path/to/ingestion-authentication-file.json'
    # Replace with your actual customer ID from Step 2
    customer_id: YOUR_CUSTOMER_ID
    endpoint: malachiteingestion-pa.googleapis.com
    # Add optional ingestion labels for better organization
    log_type: 'VMWARE_ESX'
    raw_log_field: body
    ingestion_labels:

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - udplog
      exporters:
        - chronicle/chronicle_w_labels
```

- Replace the port and IP address as required in your infrastructure. Where possible, bind listen_address to the interface the ESXi management network reaches rather than 0.0.0.0, and restrict UDP/514 to the ESXi hosts at the firewall: the udplog receiver accepts any datagram it is sent, so anything that can reach the port can inject records into the VMWARE_ESX log type.
- Replace YOUR_CUSTOMER_ID with the actual Customer ID.
- Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved in Step 1, and restrict read access on that file to the account the agent service runs as.
Restart Bindplane agent to apply the changes
- To restart the Bindplane agent in Linux, run the following command:

```
sudo systemctl restart observiq-otel-collector
```

- To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

```
net stop observiq-otel-collector && net start observiq-otel-collector
```
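Before changing anything on the hypervisor, it is worth confirming that the udplog receiver is reachable and that a syslog-shaped datagram arrives intact. The following Python script is an added example (not from the original page or from Bindplane): it sends one message shaped like an ESXi syslog line to the collector's listen_address, and run_loopback_check() performs the same round trip against a throwaway listener on 127.0.0.1 so the code can be exercised with no collector running. The header shape, the local4 facility and the sample text are assumptions, not captured ESXi output.

```python
"""Smoke-test the Bindplane udplog receiver before reconfiguring ESXi.

Added example, not part of the original page or of Bindplane. Header shape,
facility and sample text are assumptions about what ESXi forwards.
"""
import socket
from datetime import datetime, timezone
from typing import Optional, Tuple

FACILITY_LOCAL4 = 20   # PRI = facility * 8 + severity; local4 for hostd is an assumption
SEVERITY_INFO = 6


def build_esxi_style_message(host: str, app: str, text: str, facility: int = FACILITY_LOCAL4,
                             severity: int = SEVERITY_INFO, when: Optional[datetime] = None) -> bytes:
    """One syslog line, <PRI>TIMESTAMP HOST APP: MSG, as the udplog receiver will see it."""
    when = when or datetime.now(timezone.utc)
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (when.microsecond // 1000)
    return ("<%d>%s %s %s: %s" % (facility * 8 + severity, ts, host, app, text)).encode()


def default_test_message() -> bytes:
    """A recognisable marker to search for in Google SecOps after sending."""
    return build_esxi_style_message(
        "esxi-smoketest.example.com", "Hostd",
        "info hostd[1] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=smoke-1] "
        "Event 1 : SecOps pipeline smoke test")


def send_test_event(collector_ip: str, port: int = 514, message: Optional[bytes] = None) -> int:
    """Send the datagram; returns bytes handed to the kernel (UDP gives no delivery receipt)."""
    message = message or default_test_message()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message, (collector_ip, port))


def run_loopback_check(timeout: float = 2.0) -> str:
    """Bind a throwaway UDP listener on 127.0.0.1, send to it, return the text that arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))      # port 0: let the kernel choose a free port
        listener.settimeout(timeout)
        _, port = listener.getsockname()
        send_test_event("127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
    return data.decode()


def parse_pri(message: str) -> Tuple[int, int]:
    """Split the <PRI> prefix back into (facility, severity)."""
    return divmod(int(message[1:message.index(">")]), 8)


if __name__ == "__main__":
    received = run_loopback_check()
    print(received)
    print("facility, severity:", parse_pri(received))
    # Against a real collector: send_test_event("<BINDPLANE_IP>"), then search for
    # "SecOps pipeline smoke test" under the VMWARE_ESX log type in Google SecOps.
```

Run it on the Bindplane host with the collector's IP to confirm the listener, the host firewall and the ingestion credentials together; a record that shows up in Google SecOps under VMWARE_ESX within a few minutes means the remaining work is on the ESXi side only.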
Configure VMware ESXi syslog forwarding
ESXi supports native syslog forwarding over UDP, TCP, or TLS (udp://, tcp://, or ssl:// prefixes in Syslog.global.logHost). This guide uses UDP to match the udplog receiver configured above; UDP delivery is unauthenticated and unencrypted, so keep the path between the ESXi management interface and the Bindplane host inside a trusted network. You can configure it using the ESXi Host Client, vSphere Client, or the ESXi Shell (SSH).
Option - ESXi Host Client or vSphere Client
- Sign in to the ESXi Host Client (https://<esxi-host>/ui) or the vSphere Client and select the ESXi host.
- Go to Manage > System > Advanced Settings.
- Search for Syslog.global.logHost.
- Click Edit and set the value to:

```
udp://<BINDPLANE_IP>:514
```

  To add multiple syslog servers, separate them with commas (for example, udp://<BINDPLANE_IP>:514,udp://<BACKUP_IP>:514).
- Click Save.
- Search for Syslog.global.logDir to verify that local logging is also enabled (for example, [] /scratch/log). Keep local logging on: it is the copy you fall back to for forensics if the remote path is disrupted.
Option - ESXi Shell (SSH)
- Connect to the ESXi host via SSH.
- Run the following command to configure the remote syslog server:

```
esxcli system syslog config set --loghost="udp://<BINDPLANE_IP>:514"
```

- Reload the syslog service:

```
esxcli system syslog reload
```

- Verify the configuration:

```
esxcli system syslog config get
```

  To confirm delivery end to end, write a marker entry to the logs and search for it in Google SecOps:

```
esxcli system syslog mark --message="secops-forwarding-test"
```
Configure ESXi firewall for syslog
- If the ESXi firewall is enabled, open the syslog outbound rule. Connect via SSH and run:

```
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
```

- Refresh the firewall rules:

```
esxcli network firewall refresh
```

- Verify the syslog firewall rule is enabled:

```
esxcli network firewall ruleset list | grep syslog
```
For more information, see the VMware ESXi syslog documentation.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| @fields.alias | event.idm.read_only_udm.principal.cloud.project.alias | Directly mapped from the JSON log's @fields.alias field. |
| @fields.company_name | event.idm.read_only_udm.principal.user.company_name | Directly mapped from the JSON log's @fields.company_name field. |
| @fields.facility | event.idm.read_only_udm.principal.resource.type | Directly mapped from the JSON log's @fields.facility field. |
| @fields.host | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the JSON log's @fields.host field. |
| @fields.privatecloud_id | event.idm.read_only_udm.principal.cloud.project.id | Directly mapped from the JSON log's @fields.privatecloud_id field. |
| @fields.privatecloud_name | event.idm.read_only_udm.principal.cloud.project.name | Directly mapped from the JSON log's @fields.privatecloud_name field. |
| @fields.procid | event.idm.read_only_udm.principal.process.pid | Directly mapped from the JSON log's @fields.procid field. |
| @fields.region_id | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from the JSON log's @fields.region_id field. |
| @fields.severity | event.idm.read_only_udm.security_result.severity | Mapped from the JSON log's @fields.severity field. If the value is "info" or similar, it's mapped to "INFORMATIONAL". |
| @timestamp | event.idm.read_only_udm.metadata.event_timestamp | Parsed and converted to a timestamp object from the log's @timestamp field using the date filter. |
| adapter | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's adapter field. |
| action | event.idm.read_only_udm.security_result.action | Directly mapped from the raw log's action field. Values like "ALLOW" and "BLOCK" are used. |
| action | event.idm.read_only_udm.security_result.action_details | Directly mapped from the raw log's action field. Values like "Redirect" are used. |
| administrative_domain | event.idm.read_only_udm.principal.administrative_domain | Directly mapped from the raw log's administrative_domain field. |
| agent.hostname | event.idm.read_only_udm.intermediary.hostname | Directly mapped from the JSON log's agent.hostname field. |
| agent.id | event.idm.read_only_udm.intermediary.asset.id | Directly mapped from the JSON log's agent.id field. |
| agent.name | event.idm.read_only_udm.intermediary.asset.name | Directly mapped from the JSON log's agent.name field. |
| agent.type | event.idm.read_only_udm.intermediary.asset.type | Directly mapped from the JSON log's agent.type field. |
| agent.version | event.idm.read_only_udm.intermediary.asset.version | Directly mapped from the JSON log's agent.version field. |
| app_name | event.idm.read_only_udm.principal.application | Directly mapped from the raw log's app_name field. |
| app_protocol | event.idm.read_only_udm.network.application_protocol | Directly mapped from the raw log's app_protocol field. If the value matches "http" (case-insensitive), it's mapped to "HTTP". |
| application | event.idm.read_only_udm.principal.application | Directly mapped from the JSON log's program field. |
| cmd | event.idm.read_only_udm.target.process.command_line | Directly mapped from the raw log's cmd field. |
| collection_time | event.idm.read_only_udm.metadata.event_timestamp | The nanoseconds from the collection_time field are added to the seconds from the collection_time field to create the event_timestamp. |
| data | event.idm.read_only_udm.metadata.description | The raw log message is parsed and relevant parts are extracted to populate the description field. |
| descrip | event.idm.read_only_udm.metadata.description | Directly mapped from the raw log's descrip field. |
| dns.answers.data | event.idm.read_only_udm.network.dns.answers.data | Directly mapped from the JSON log's dns.answers.data field. |
| dns.answers.ttl | event.idm.read_only_udm.network.dns.answers.ttl | Directly mapped from the JSON log's dns.answers.ttl field. |
| dns.answers.type | event.idm.read_only_udm.network.dns.answers.type | Directly mapped from the JSON log's dns.answers.type field. |
| dns.questions.name | event.idm.read_only_udm.network.dns.questions.name | Directly mapped from the JSON log's dns.questions.name field. |
| dns.questions.type | event.idm.read_only_udm.network.dns.questions.type | Directly mapped from the JSON log's dns.questions.type field. |
| dns.response | event.idm.read_only_udm.network.dns.response | Directly mapped from the JSON log's dns.response field. |
| ecs.version | event.idm.read_only_udm.metadata.product_version | Directly mapped from the JSON log's ecs.version field. |
| event_message | event.idm.read_only_udm.metadata.description | Directly mapped from the JSON log's event_message field. |
| event_metadata | event.idm.read_only_udm.principal.process.product_specific_process_id | The event_metadata field is parsed to extract the opID value, which is then prepended with "opID:" and mapped to the UDM. |
| event_type | event.idm.read_only_udm.metadata.event_type | Directly mapped from the JSON log's event_type field. |
| filepath | event.idm.read_only_udm.target.file.full_path | Directly mapped from the raw log's filepath field. |
| fields.company_name | event.idm.read_only_udm.principal.user.company_name | Directly mapped from the JSON log's fields.company_name field. |
| fields.facility | event.idm.read_only_udm.principal.resource.type | Directly mapped from the JSON log's fields.facility field. |
| fields.host | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the JSON log's fields.host field. |
| fields.privatecloud_id | event.idm.read_only_udm.principal.cloud.project.id | Directly mapped from the JSON log's fields.privatecloud_id field. |
| fields.privatecloud_name | event.idm.read_only_udm.principal.cloud.project.name | Directly mapped from the JSON log's fields.privatecloud_name field. |
| fields.procid | event.idm.read_only_udm.principal.process.pid | Directly mapped from the JSON log's fields.procid field. |
| fields.region_id | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from the JSON log's fields.region_id field. |
| fields.severity | event.idm.read_only_udm.security_result.severity | Mapped from the JSON log's fields.severity field. If the value is "info" or similar, it's mapped to "INFORMATIONAL". |
| host.architecture | event.idm.read_only_udm.principal.asset.architecture | Directly mapped from the JSON log's host.architecture field. |
| host.containerized | event.idm.read_only_udm.principal.asset.containerized | Directly mapped from the JSON log's host.containerized field. |
| host.hostname | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the JSON log's host.hostname field. |
| host.id | event.idm.read_only_udm.principal.asset.id | Directly mapped from the JSON log's host.id field. |
| host.ip | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | Directly mapped from the JSON log's host.ip field. |
| host.mac | event.idm.read_only_udm.principal.mac, event.idm.read_only_udm.principal.asset.mac | Directly mapped from the JSON log's host.mac field. |
| host.name | event.idm.read_only_udm.principal.asset.name | Directly mapped from the JSON log's host.name field. |
| host.os.codename | event.idm.read_only_udm.principal.asset.os.codename | Directly mapped from the JSON log's host.os.codename field. |
| host.os.family | event.idm.read_only_udm.principal.asset.os.family | Directly mapped from the JSON log's host.os.family field. |
| host.os.kernel | event.idm.read_only_udm.principal.asset.os.kernel | Directly mapped from the JSON log's host.os.kernel field. |
| host.os.name | event.idm.read_only_udm.principal.asset.os.name | Directly mapped from the JSON log's host.os.name field. |
| host.os.platform | event.idm.read_only_udm.principal.asset.os.platform | Directly mapped from the JSON log's host.os.platform field. |
| host.os.version | event.idm.read_only_udm.principal.asset.os.version | Directly mapped from the JSON log's host.os.version field. |
| iporhost | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the raw log's iporhost field. |
| iporhost | event.idm.read_only_udm.principal.ip | Directly mapped from the raw log's iporhost field if it's an IP address. |
| iporhost1 | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the raw log's iporhost1 field. |
| kv_data1 | event.idm.read_only_udm.principal.process.product_specific_process_id | The kv_data1 field is parsed to extract the opID or sub value, which is then prepended with "opID:" or "sub:" respectively and mapped to the UDM. |
| kv_msg | event.idm.read_only_udm.additional.fields | The kv_msg field is parsed as key-value pairs and added to the additional_fields array in the UDM. |
| kv_msg1 | event.idm.read_only_udm.additional.fields | The kv_msg1 field is parsed as key-value pairs and added to the additional_fields array in the UDM. |
| lbdn | event.idm.read_only_udm.target.hostname | Directly mapped from the raw log's lbdn field. |
| log.source.address | event.idm.read_only_udm.observer.hostname | Directly mapped from the JSON log's log.source.address field, taking only the hostname part. |
| log_event.original | event.idm.read_only_udm.metadata.description | Directly mapped from the JSON log's event.original field. |
| log_level | event.idm.read_only_udm.security_result.severity_details | Directly mapped from the JSON log's log_level field. |
| logstash.collect.host | event.idm.read_only_udm.observer.hostname | Directly mapped from the JSON log's logstash.collect.host field. |
| logstash.collect.timestamp | event.idm.read_only_udm.metadata.ingested_timestamp | Parsed and converted to a timestamp object from the log's logstash.collect.timestamp field using the date filter. |
| logstash.ingest.host | event.idm.read_only_udm.intermediary.hostname | Directly mapped from the JSON log's logstash.ingest.host field. |
| logstash.ingest.timestamp | event.idm.read_only_udm.metadata.ingested_timestamp | Parsed and converted to a timestamp object from the log's logstash.ingest.timestamp field using the date filter. |
| logstash.process.host | event.idm.read_only_udm.intermediary.hostname | Directly mapped from the JSON log's logstash.process.host field. |
| logstash.process.timestamp | event.idm.read_only_udm.metadata.ingested_timestamp | Parsed and converted to a timestamp object from the log's logstash.process.timestamp field using the date filter. |
| log_type | event.idm.read_only_udm.metadata.log_type | Directly mapped from the raw log's log_type field. |
| message | event.idm.read_only_udm.metadata.description | Directly mapped from the JSON log's message field. |
| message_to_process | event.idm.read_only_udm.metadata.description | Directly mapped from the raw log's message_to_process field. |
| metadata.event_type | event.idm.read_only_udm.metadata.event_type | Set to "GENERIC_EVENT" initially, then potentially overwritten based on the parsed service or other log content. Can be values like PROCESS_LAUNCH, NETWORK_CONNECTION, USER_LOGIN, etc. |
| metadata.product_event_type | event.idm.read_only_udm.metadata.product_event_type | Directly mapped from the raw log's process_id or prod_event_type field. |
| metadata.product_log_id | event.idm.read_only_udm.metadata.product_log_id | Directly mapped from the raw log's event_id field. |
| metadata.product_name | event.idm.read_only_udm.metadata.product_name | Set to "ESX". |
| metadata.product_version | event.idm.read_only_udm.metadata.product_version | Directly mapped from the JSON log's version field. |
| metadata.vendor_name | event.idm.read_only_udm.metadata.vendor_name | Set to "VMWARE". |
| msg | event.idm.read_only_udm.metadata.description | Directly mapped from the raw log's msg field. |
| network.application_protocol | event.idm.read_only_udm.network.application_protocol | Set to "DNS" if the service is "named", "HTTPS" if the port is 443, or "HTTP" if the app_protocol matches "http". |
| network.direction | event.idm.read_only_udm.network.direction | Determined from keywords in the raw log, such as "IN", "OUT", "->". Can be INBOUND or OUTBOUND. |
| network.http.method | event.idm.read_only_udm.network.http.method | Directly mapped from the raw log's method field. |
| network.http.parsed_user_agent | event.idm.read_only_udm.network.http.parsed_user_agent | Parsed from the useragent field using the convert filter. |
| network.http.referral_url | event.idm.read_only_udm.network.http.referral_url | Directly mapped from the raw log's prin_url field. |
| network.http.response_code | event.idm.read_only_udm.network.http.response_code | Directly mapped from the raw log's status_code field and converted to an integer. |
| network.http.user_agent | event.idm.read_only_udm.network.http.user_agent | Directly mapped from the raw log's useragent field. |
| network.ip_protocol | event.idm.read_only_udm.network.ip_protocol | Determined from keywords in the raw log, such as "TCP", "UDP". |
| network.received_bytes | event.idm.read_only_udm.network.received_bytes | Directly mapped from the raw log's rec_bytes field and converted to an unsigned integer. |
| network.sent_bytes | event.idm.read_only_udm.network.sent_bytes | Extracted from the raw log's message_to_process field. |
| network.session_id | event.idm.read_only_udm.network.session_id | Directly mapped from the raw log's session field. |
| pid | event.idm.read_only_udm.target.process.parent_process.pid | Directly mapped from the raw log's pid field. |
| pid | event.idm.read_only_udm.principal.process.pid | Directly mapped from the JSON log's pid field. |
| pid | event.idm.read_only_udm.target.process.pid | Directly mapped from the raw log's pid field. |
| port | event.idm.read_only_udm.target.port | Directly mapped from the JSON log's port field. |
| principal.application | event.idm.read_only_udm.principal.application | Directly mapped from the raw log's app_name or service field. |
| principal.asset.hostname | event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the raw log's principal_hostname or iporhost field. |
| principal.asset.ip | event.idm.read_only_udm.principal.asset.ip | Directly mapped from the raw log's syslog_ip field. |
| principal.hostname | event.idm.read_only_udm.principal.hostname | Directly mapped from the raw log's principal_hostname or iporhost field. |
| principal.ip | event.idm.read_only_udm.principal.ip | Directly mapped from the raw log's iporhost or syslog_ip field. |
| principal.port | event.idm.read_only_udm.principal.port | Directly mapped from the raw log's srcport field. |
| principal.process.command_line | event.idm.read_only_udm.principal.process.command_line | Directly mapped from the raw log's cmd field. |
| principal.process.parent_process.pid | event.idm.read_only_udm.principal.process.parent_process.pid | Directly mapped from the raw log's parent_pid field. |
| principal.process.pid | event.idm.read_only_udm.principal.process.pid | Directly mapped from the raw log's process_id field. |
| principal.process.product_specific_process_id | event.idm.read_only_udm.principal.process.product_specific_process_id | Extracted from the raw log's message_to_process field, usually prefixed with "opID:". |
| principal.url | event.idm.read_only_udm.principal.url | Directly mapped from the raw log's prin_url field. |
| principal.user.company_name | event.idm.read_only_udm.principal.user.company_name | Directly mapped from the JSON log's fields.company_name field. |
| principal.user.userid | event.idm.read_only_udm.principal.user.userid | Directly mapped from the raw log's USER field. |
| priority | event.idm.read_only_udm.metadata.product_event_type | Directly mapped from the raw log's priority field. |
| program | event.idm.read_only_udm.principal.application | Directly mapped from the JSON log's program field. |
| qname | event.idm.read_only_udm.network.dns.questions.name | Directly mapped from the raw log's qname field. |
| response_data | event.idm.read_only_udm.network.dns.answers.data | Directly mapped from the raw log's response_data field. |
| response_rtype | event.idm.read_only_udm.network.dns.answers.type | Directly mapped from the raw log's response_rtype field. The numeric DNS record type is extracted. |
| response_ttl | event.idm.read_only_udm.network.dns.answers.ttl | Directly mapped from the raw log's response_ttl field. |
| rtype | event.idm.read_only_udm.network.dns.questions.type | Directly mapped from the raw log's rtype field. The numeric DNS record type is extracted. |
| security_result.action | event.idm.read_only_udm.security_result.action | Determined from keywords or status in the raw log. Can be ALLOW or BLOCK. |
| security_result.action_details | event.idm.read_only_udm.security_result.action_details | Extracted from the raw log message, providing more context about the action taken. |
| security_result.category | event.idm.read_only_udm.security_result.category | Set to POLICY_VIOLATION if the log indicates a firewall rule match. |
| security_result.description | event.idm.read_only_udm.security_result.description | Extracted from the raw log message, providing more context about the security result. |
| security_result.rule_id | event.idm.read_only_udm.security_result.rule_id | Directly mapped from the raw log's rule_id field. |
| security_result.severity | event.idm.read_only_udm.security_result.severity | Determined from keywords in the raw log, such as "info", "warning", "error". Can be INFORMATIONAL, LOW, MEDIUM, or HIGH. |
| security_result.severity_details | event.idm.read_only_udm.security_result.severity_details | Directly mapped from the raw log's severity or log.syslog.severity.name field. |
| security_result.summary | event.idm.read_only_udm.security_result.summary | Extracted from the raw log message, providing a concise summary of the security result. |
| service | event.idm.read_only_udm.principal.application | Directly mapped from the raw log's service field. |
| source | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the raw log's source field. |
| src.file.full_path | event.idm.read_only_udm.src.file.full_path | Extracted from the raw log message. |
| src.hostname | event.idm.read_only_udm.src.hostname | Directly mapped from the raw log's src.hostname field. |
| src_ip | event.idm.read_only_udm.principal.ip | Directly mapped from the raw log's src_ip field. |
| src_mac_address | event.idm.read_only_udm.principal.mac | Directly mapped from the raw log's src_mac_address field. |
| srcport | event.idm.read_only_udm.principal.port | Directly mapped from the raw log's srcport field. |
| srcip | event.idm.read_only_udm.principal.ip | Directly mapped from the raw log's srcip field. |
| subtype | event.idm.read_only_udm.metadata.event_type | Directly mapped from the raw log's subtype field. |
| tags | event.idm.read_only_udm.metadata.tags | Directly mapped from the JSON log's tags field. |
| target.application | event.idm.read_only_udm.target.application | Directly mapped from the raw log's target_application field. |
| target.file.full_path | event.idm.read_only_udm.target.file.full_path | Extracted from the raw log message. |
| target.hostname | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Directly mapped from the raw log's target_hostname or iporhost field. |
| target.ip | event.idm.read_only_udm.target.ip | Directly mapped from the raw log's target_ip field. |
| target.mac | event.idm.read_only_udm.target.mac | Directly mapped from the raw log's target_mac_address field. |
| target.port | event.idm.read_only_udm.target.port | Directly mapped from the raw log's target_port field. |
| target.process.command_line | event.idm.read_only_udm.target.process.command_line | Directly mapped from the raw log's cmd field. |
| target.process.parent_process.pid | event.idm.read_only_udm.target.process.parent_process.pid | Directly mapped from the raw log's parent_pid field. |
| target.process.pid | event.idm.read_only_udm.target.process.pid | Directly mapped from the raw log's pid field. |
| target.process.product_specific_process_id | event.idm.read_only_udm.target.process.product_specific_process_id | Extracted from the raw log's message_to_process field, usually prefixed with "opID:". |
| target.resource.name | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's adapter field. |
| target.resource.resource_type | event.idm.read_only_udm.target.resource.resource_type | Set to VIRTUAL_MACHINE if the log indicates a VM operation. |
| target.resource.type | event.idm.read_only_udm.target.resource.type | Set to SETTING if the log indicates a setting modification. |
| target.user.userid | event.idm.read_only_udm.target.user.userid | Directly mapped from the raw log's target_username or user1 field. |
| timestamp | event.timestamp | Parsed and converted to a timestamp object from the log's timestamp or data field using the date filter. |
| type | event.idm.read_only_udm.additional.fields | The log's type field is added to the additional_fields array in the UDM with the key "LogType". |
| user1 | event.idm.read_only_udm.target.user.userid | Directly mapped from the raw log's user1 field. |
| useragent | event.idm.read_only_udm.network.http.user_agent | Directly mapped from the raw log's useragent field. |
| vmw_cluster | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's vmw_cluster field. |
| vmw_datacenter | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's vmw_datacenter field. |
| vmw_host | event.idm.read_only_udm.target.ip | Directly mapped from the raw log's vmw_host field. |
| vmw_object_id | event.idm.read_only_udm.target.resource.id | Directly mapped from the raw log's vmw_object_id field. |
| vmw_product | event.idm.read_only_udm.target.application | Directly mapped from the raw log's vmw_product field. |
| vmw_vcenter | event.idm.read_only_udm.target.cloud.availability_zone | Directly mapped from the raw log's vmw_vcenter field. |
| vmw_vcenter_id | event.idm.read_only_udm.target.cloud.availability_zone.id | Directly mapped from the raw log's vmw_vcenter_id field. |
| vmw_vr_ops_appname | event.idm.read_only_udm.target.application | Directly mapped from the raw log's vmw_vr_ops_appname field. |
| vmw_vr_ops_clustername | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's vmw_vr_ops_clustername field. |
| vmw_vr_ops_clusterrole | event.idm.read_only_udm.target.resource.type | Directly mapped from the raw log's vmw_vr_ops_clusterrole field. |
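The table describes the parser's behaviour in prose; when writing detections it helps to see those rules applied to concrete lines. The following Python script is an added example and is not the Google SecOps VMWARE_ESX parser: it applies a handful of the rules above (iporhost to principal.ip or principal.hostname, opID or sub prefixed into product_specific_process_id, key=value pairs into additional.fields, severity keywords, the VMWARE/ESX constants, GENERIC_EVENT as the default event type, VIRTUAL_MACHINE for VM operations) to three constructed sample lines. It goes slightly beyond the table by falling back to the syslog PRI severity when a line carries no level keyword. The header regexes, the keyword-to-severity assignment, the login keywords and the sample lines are assumptions about ESXi output, not taken from the page.

```python
"""Illustrative ESXi syslog -> UDM-style mapping (added example, not the real parser).

Header regexes, the keyword-to-severity assignment and the sample lines are
assumptions about ESXi output; field names follow the mapping table.
"""
import ipaddress
import re

VENDOR_NAME = "VMWARE"   # metadata.vendor_name row: constant
PRODUCT_NAME = "ESX"     # metadata.product_name row: constant

# The table names INFORMATIONAL/LOW/MEDIUM/HIGH but not which keyword gets which;
# this assignment is an assumption.
SEVERITY_MAP = {
    "info": "INFORMATIONAL", "notice": "INFORMATIONAL", "verbose": "INFORMATIONAL",
    "warning": "LOW", "warn": "LOW",
    "error": "MEDIUM", "err": "MEDIUM",
    "critical": "HIGH", "crit": "HIGH", "alert": "HIGH", "emerg": "HIGH", "panic": "HIGH",
}

# Assumed shape of a forwarded line:
#   <PRI>TIMESTAMP HOST APP: level prog[pid] [Originator@6876 k=v ...] message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>[A-Za-z][\w.-]*):\s*(?P<msg>.*)$")
LEVEL_RE = re.compile(r"^(?P<level>[a-z]+)\s+(?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?\s+(?P<rest>.*)$")
SD_RE = re.compile(r"^\[(?P<sd>[^\]]*)\]\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
USER_RE = re.compile(r"\bUser\s+(?P<user>[^@\s]+)")

# Constructed sample lines, not captured from a real host.
SAMPLE_LINES = [
    "<166>2024-05-01T10:00:00.123Z esxi01.example.com Hostd: info hostd[2099456] "
    "[Originator@6876 sub=Vimsvc.ha-eventmgr opID=k8s-5f2a] Event 412 : "
    "User root@10.0.0.5 logged in as VMware-client/8.0.0",
    "<163>2024-05-01T10:00:05.000Z 192.0.2.10 Hostd: error hostd[2099456] "
    "[Originator@6876 sub=Vimsvc.ha-eventmgr opID=a1b2c3] Event 413 : "
    "Cannot login root@203.0.113.7",
    "<166>2024-05-01T10:00:09.500Z esxi01.example.com Vpxa: info vpxa[2100001] "
    "[Originator@6876 sub=vpxLro opID=HB-host-42] [VpxLRO] -- BEGIN lro-9 -- "
    "vm-12 -- vim.VirtualMachine.powerOn",
]


def severity_from_pri(pri: int) -> str:
    """Fallback when no level keyword is present: PRI = facility*8 + severity."""
    sev = pri % 8
    if sev <= 2:
        return "HIGH"
    if sev == 3:
        return "MEDIUM"
    if sev == 4:
        return "LOW"
    return "INFORMATIONAL"


def map_esxi_line(line: str) -> dict:
    """Return a flat dict keyed by UDM path, following the table's rules."""
    udm = {"metadata.vendor_name": VENDOR_NAME, "metadata.product_name": PRODUCT_NAME,
           "metadata.event_type": "GENERIC_EVENT"}   # default event type per the table
    m = HEADER_RE.match(line)
    if not m:
        udm["metadata.description"] = line           # unparsed line: keep the raw text
        return udm
    udm["principal.application"] = m["app"]
    # iporhost rule: an IP literal goes to principal.ip, anything else to the hostname fields.
    try:
        ipaddress.ip_address(m["host"])
        udm["principal.ip"] = m["host"]
    except ValueError:
        udm["principal.hostname"] = udm["principal.asset.hostname"] = m["host"]

    msg = m["msg"]
    lvl = LEVEL_RE.match(msg)
    if lvl and lvl["level"] in SEVERITY_MAP:
        udm["security_result.severity"] = SEVERITY_MAP[lvl["level"]]
        if lvl["pid"]:
            udm["principal.process.pid"] = int(lvl["pid"])
        msg = lvl["rest"]
    else:
        udm["security_result.severity"] = severity_from_pri(int(m["pri"]))

    # Bracketed key=value block: opID (else sub) becomes product_specific_process_id,
    # the remaining pairs go to additional.fields.
    sd = SD_RE.match(msg)
    if sd:
        kv = dict(KV_RE.findall(sd["sd"]))
        if "opID" in kv:
            udm["principal.process.product_specific_process_id"] = "opID:" + kv.pop("opID")
        elif "sub" in kv:
            udm["principal.process.product_specific_process_id"] = "sub:" + kv["sub"]
        if kv:
            udm["additional.fields"] = kv
        msg = sd["rest"]
    udm["metadata.description"] = msg

    user = USER_RE.search(msg)
    if user:
        udm["principal.user.userid"] = user["user"]
    if re.search(r"\blogged in\b", msg):
        udm["metadata.event_type"] = "USER_LOGIN"
        udm["security_result.action"] = "ALLOW"
    elif re.search(r"\b(cannot login|login failed|authentication failed)\b", msg, re.I):
        udm["metadata.event_type"] = "USER_LOGIN"
        udm["security_result.action"] = "BLOCK"
    if "vim.VirtualMachine." in msg:
        udm["target.resource.resource_type"] = "VIRTUAL_MACHINE"
    return udm


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(map_esxi_line(sample))
```

The second sample shows why the iporhost rule matters for detection content: when an ESXi host reports itself by IP address, principal.hostname is empty and a rule keyed on hostname alone misses the failed root login, so match on principal.ip as well.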