Hi
Has anyone been able to collect their hypervisor syslog into IDR? I am unable to find anything in the R7 IDR documentation.
ESXi can forward syslogs to your collector. I would recommend setting this up with a generic syslog collection and then parse out the logs you are wanting.
Thanks.
Not sure why IDR doesn’t have native parsers for this and detection rules… I am only seeing (2) ESX detection rules.
They do not, you have to parse it and create custom detection rules in order to cover your use cases. Really painstaking work!
Bummer
@rapid7_admin @support_rapid7 are there any plans on adding a native parser to be able to ingest ESXi logs natively?
We started on-boarding vCenter logs. All parsers and detection rules had to be created. Let’s go Rapid7!!
Regarding VMware log parsing: does anyone have a good list of which important fields to parse? Once we have parsed those logs, can anyone share some good detection rules correlating user to an event type? The VMware logs do not provide a single log that shows the adversary user and src IP when a VM was created.
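One way to get user and source IP onto a VM-creation event when no single log line carries both, as an added example that is not part of this thread or of any Rapid7 or VMware code: parse the forwarded syslog lines, keep the login events (which do carry `user@src_ip`) per host, and join each creation event to the most recent login on the same host inside a time window. The sample lines are constructed; they follow the usual `<timestamp> <host> <process>: <message>` syslog shape and borrow the wording of ESXi login and VM-creation events, but the exact fields in a real feed vary by ESXi/vCenter version, so the regexes, the 30-minute `SESSION_WINDOW` and the field names are assumptions to adjust to your own feed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample lines (not real host output). The second creation has no
# login close enough to explain it, which is the case a rule should flag.
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z esxi01 Hostd: Event 101 : User root@10.0.0.5 logged in as VMware-client/8.0.0
2024-05-01T10:01:30Z esxi01 Hostd: Event 102 : Created virtual machine staging-vm on esxi01 in ha-datacenter
2024-05-01T10:40:00Z esxi02 Hostd: Event 201 : User backup@10.0.0.9 logged in as pyvmomi
2024-05-01T13:00:00Z esxi02 Hostd: Event 202 : Created virtual machine orphan-vm on esxi02 in ha-datacenter
"""

# Generic syslog header: timestamp, host, process (optional [pid]), message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[\w.-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# Message bodies modelled on ESXi login / VM-created event wording (assumption).
LOGIN_RE = re.compile(r"User (?P<user>[^@\s]+)@(?P<src_ip>[\d.]+) logged in")
VM_CREATED_RE = re.compile(r"Created virtual machine (?P<vm>\S+) on (?P<esx>\S+)")

# Assumption: a login explains actions on the same host for this long.
SESSION_WINDOW = timedelta(minutes=30)


@dataclass
class Login:
    ts: datetime
    host: str
    user: str
    src_ip: str


@dataclass
class VmCreation:
    ts: datetime
    host: str
    vm: str
    user: Optional[str]    # None when no login session could explain it
    src_ip: Optional[str]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into header fields; None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def correlate(raw: str) -> list:
    """Attach user and source IP to each VM creation by joining it to the most
    recent login on the same host that falls inside SESSION_WINDOW."""
    logins_by_host = defaultdict(list)
    creations = []
    for line in raw.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: count these in production, never drop silently
        ts, host, msg = parse_ts(rec["ts"]), rec["host"], rec["msg"]
        lm = LOGIN_RE.search(msg)
        if lm:
            logins_by_host[host].append(Login(ts, host, lm["user"], lm["src_ip"]))
            continue
        vm = VM_CREATED_RE.search(msg)
        if vm:
            candidates = [l for l in logins_by_host[host]
                          if timedelta(0) <= ts - l.ts <= SESSION_WINDOW]
            match = max(candidates, key=lambda l: l.ts, default=None)
            creations.append(VmCreation(ts, host, vm["vm"],
                                        match.user if match else None,
                                        match.src_ip if match else None))
    return creations


def unattributed(creations: list) -> list:
    """Creations with no explaining login: worth an alert on their own."""
    return [c for c in creations if c.user is None]


if __name__ == "__main__":
    for c in correlate(SAMPLE_LOGS):
        print(c)
```

The joined `user`, `src_ip` and `vm` values are the fields worth keeping as custom-parser keys, and a creation that comes back with `user` unset is its own detection case: either the session started before the retention window, the login arrived on another host, or the feed is missing events.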
I'm also interested, currently following this write-up:
VMware ESXi Logging & Detection Opportunities | by Nathan Burns | Detect FYI
I am interested and following as well, especially with Brickstorm and the large focus on ransomware targeting ESXi hosts.