Forward specific logs from VMware vRealize Log Insight (vRLI) to Splunk

26 Aug

If you are not using a SIEM (Security Information & Event Management) solution within your environment, you should seriously consider one. Considering the modern cyber security threat landscape, it is a handy tool for all teams.

I had a bunch of VMware Workspace ONE Access (WS1) appliances already performing the Syslog action within vRealize Log Insight. However, the partner team was using a different solution, Splunk. The objective here was to forward a specific log, Greenbox_web.log (it holds all the user interface interactions for WS1 – this is your main log for seeing all internet-facing activity on the appliance), to Splunk.

Luckily, the Log Forwarding capability already exists within vRLI. However, creating the filters was a bit time consuming, as vRLI converts the input into a regex.

Configure the log forwarding in vRLI to Splunk

Go to your vRLI instance, click on Administration –> Log Management –> Log Forwarding, and select New Destination.

vRLI Log Management

Configuration Details

  • Name – The Log Forwarder Destination friendly name – VDI-WS1-Logs-Splunk
  • Host – Enter the Splunk load balancing VIP address
  • Protocol – RAW
  • Transport – TCP
  • Filter
    • Hostname – starts with – WS1ManagerAppPrimary* WS1ManagerAppSecondary*
    • text – matches – *GreenBox* (Note: within the log the string appears as <GreenBox>; however, if you include the greater/less than symbols, vRLI's conversion of this string into a regex doesn't work.)
    • Run the same filters in an Interactive Analytics query to confirm they are working as expected
  • Enter the custom port provided to you by the Splunk team
  • Click on Save
Destination Details
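To sanity-check the filter before saving the destination, here is an added Python emulation of the two conditions above run over constructed sample events. It is not vRLI's own code or its actual regex conversion; it assumes the two hostname values are OR'ed, the hostname and text conditions are AND'ed, matching is case-sensitive, and the field names hostname/text stand in for the vRLI fields. It shows that *GreenBox* already selects messages containing <GreenBox>, so the angle brackets are not needed.

```python
import re


def glob_to_regex(glob: str) -> str:
    """Turn a vRLI-style wildcard string into a regex fragment ('*' -> '.*').

    Emulation only; literal characters are escaped so '<' or '.' in the
    filter value are matched as text, not as regex syntax.
    """
    return ".*".join(re.escape(part) for part in glob.split("*"))


def starts_with(values):
    """'starts with' condition: hostname must begin with any of the values (assumed OR)."""
    patterns = [re.compile("^" + glob_to_regex(v)) for v in values]
    return lambda s: any(p.match(s) for p in patterns)


def matches(glob):
    """'matches' condition: the whole message must match the wildcard expression."""
    pattern = re.compile("^" + glob_to_regex(glob) + "$", re.DOTALL)
    return lambda s: pattern.match(s) is not None


def forwarded_events(events, host_filter, text_filter):
    """Events that satisfy both conditions are the ones the destination would forward."""
    return [e for e in events if host_filter(e["hostname"]) and text_filter(e["text"])]


# Constructed sample events modelled on the post; not real appliance output.
SAMPLE_EVENTS = [
    {"hostname": "WS1ManagerAppPrimary01",
     "text": "2023-08-26T10:00:01 <GreenBox> user portal sign-in from 203.0.113.10"},
    {"hostname": "WS1ManagerAppSecondary01",
     "text": "2023-08-26T10:00:05 <GreenBox> app launch via user interface"},
    {"hostname": "WS1ManagerAppPrimary01",
     "text": "2023-08-26T10:00:09 connector heartbeat ok"},          # no GreenBox marker
    {"hostname": "vcenter01",
     "text": "2023-08-26T10:00:12 <GreenBox> unrelated host"},       # hostname filter fails
]

HOST_FILTER = starts_with(["WS1ManagerAppPrimary*", "WS1ManagerAppSecondary*"])
TEXT_FILTER = matches("*GreenBox*")


def selected_hostnames():
    """Hostnames of the sample events that would be forwarded to Splunk."""
    return [e["hostname"] for e in forwarded_events(SAMPLE_EVENTS, HOST_FILTER, TEXT_FILTER)]


if __name__ == "__main__":
    print(selected_hostnames())  # ['WS1ManagerAppPrimary01', 'WS1ManagerAppSecondary01']
```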

After a while, you will start seeing the events forwarded to Splunk, and the state will be marked as Active. You can use the same logic above to forward other specific logs to third-party tools (it doesn't have to be Splunk only). I hope you will find this information helpful on your SIEM journey. Please let me know if I have missed any steps, and I will be happy to update the post.

Thanks,
Aresh Sarkari
