Skip to main content

VMware vSphere Integration

This integration periodically fetches logs and metrics from vSphere vCenter servers. 

 Compatibility 
The integration uses the Govmomi library to collect metrics and logs from any Vmware SDK URL (ESXi/VCenter). This library is built for and tested against ESXi and vCenter 6.5, 6.7 and 7.0. 

 Installation Guide:  

VMware vSphere 7.0 Installation 
Govmomi Library 

 Integration Process 

Go> Cyber Incident Management (XDR and MDR) 

 

 Go> Cyber Incident Management (XDR and MDR)> Settings 

 

 Go> Cyber Incident Management (XDR and MDR)> Settings> Integration 

 

Go> Cyber Incident Management (XDR and MDR)> Settings> Integration> 
In search bar type “Vmware 

 

 Click Add Agent 

 

 Choose your Log Collector 

A screenshot of a log collector

Description automatically generated 

 

Click the vSphere logs and metrics 

 

 

  Keep it as is  

A screenshot of a computer

Description automatically generated 

 

Enter the IP address and port 

A screenshot of a computer

Description automatically generated 

Example: https://127.0.0.1:8989/sdk 
127.0.0.1: This is the IP address of the local machine (localhost). 
8989: This is the port number on which the SDK service is running. (Keep it as is) 
/sdk: This indicates that the SDK is accessible at this path. (Keep it as is) 

Notes: To add multiple hosts, enter each IP address following the same format (https://<IP_or_hostname>:port/sdk) and press enter. 

 

Enter the Username and password of vSphere account 

A screenshot of a computer

Description automatically generated 

Notes: The insecure option bypasses the verification of the server's certificate chain, which can be useful in certain scenarios but comes with significant security risks. It is recommended to use this option only when necessary and in environments where security concerns are minimal. 

 Logs collection 

 

 

 Collect logs from vSphere via UDP 

 UDP.png

Tags: Click the given tags  

UDP host to listen on: This is the IP address of the machine where the log collector is running. 

UDP port to listen on: This is the port on which the log collector will listen for incoming log data. (Keep it as is) 

Notes: Enabling "Preserve original event" ensures raw log data is always available, crucial for troubleshooting, compliance, and verifying log accuracy. It adds raw data to event.original, doubling storage needs and potentially slowing processing if storage isn't scaled, impacting efficiency. 

 

 Collect logs from vSphere via TCP 

A screenshot of a computer

Description automatically generated 

 

Tags: Click the given tags  

TCP host to listen on: This is the IP address of the machine where the log collector is running. 

TCP port to listen on: This is the port on which the log collector will listen for incoming log data. (Keep it as is) 

Notes: Enabling "Preserve original event" ensures raw log data is always available, crucial for troubleshooting, compliance, and verifying log accuracy. It adds raw data to event.original, doubling storage needs and potentially slowing processing if storage isn't scaled, impacting efficiency. 

 
Click Next to complete the integration.