
Why are CIM fields missing fields for ESXi audit events?

_joe
Communicator

Hello all,

I suspect I am missing something obvious, but where are all the CIM fields for ESXi audit logs?


- I have VMware logs being sent to a syslog port. Have a mix of vmware 7.0 and 6.7 vcenters (Splunk 8.2)
# https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts
- I am using the latest Splunk Add-on for VMware ESXi Logs (4.2.1)
- I have had to modify line breaking rules
- I have an index cluster, so I had to update the DATETIME_CONFIG field (from .../apps/... to slave_apps)
- I am capturing the hostname via rsyslog and putting it into the directory. I am reading it as my host value

(example: /var/log/vmware/hostname/day_hour/log.log)
- I am capturing logs as "vmw-syslog," logs are being renamed to things such as "vmware:esxlog:vpxd" by the TA


The TA as-is captures application and message fields for most events. But I don't see any configurations that would capture a user or action field, CIM fields or tags for login events, etc. Am I missing something?

I am seeing logs that look like this, but no attempt to parse CIM fields:


2022-04-21T17:37:17.686700+00:00 <host> vpxd 3115 - - Event [49110010] [1-1] [2022-04-21T17:37:17.685845Z] [vim.event.UserLogoutSessionEvent] [info] [AD\<user>] [] [49111254] [User AD\<user>@127.0.0.1 logged out (login time: Thursday, 21 April, 2022 05:27:42 PM, number of API invocations: 1, user agent: VMware vim-java 1.0)]


2022-04-21T17:27:42.654618+00:00 <host> vpxd 3115 - - Event [49109228] [1-1] [2022-04-21T17:27:42.654052Z] [vim.event.UserLoginSessionEvent] [info] [AD\<user>] [] [49104519] [User AD\<user>@127.0.0.1 logged in as VMware vim-java 1.0]

0 Karma
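As an added illustration (not part of the post, and not code from the Splunk Add-on for VMware ESXi Logs), the bracketed vpxd event layout quoted above is regular enough to parse with a single regex and map onto CIM Authentication-style fields (user, src, signature, action); the same named-group pattern could be dropped into a props.conf EXTRACT stanza. Host and user values are constructed, and the BadUsernameSessionEvent line is an assumed failed-login variant that the post does not show.

```python
import re

# Constructed samples modelled on the vpxd lines quoted in the post; host and
# user values are made up, and the third (BadUsernameSessionEvent) line is an
# assumed failed-login variant that does not appear in the post.
SAMPLE_LOGS = [
    "2022-04-21T17:27:42.654618+00:00 vcenter01 vpxd 3115 - - Event [49109228] [1-1] "
    "[2022-04-21T17:27:42.654052Z] [vim.event.UserLoginSessionEvent] [info] [AD\\alice] "
    "[] [49104519] [User AD\\alice@127.0.0.1 logged in as VMware vim-java 1.0]",
    "2022-04-21T17:37:17.686700+00:00 vcenter01 vpxd 3115 - - Event [49110010] [1-1] "
    "[2022-04-21T17:37:17.685845Z] [vim.event.UserLogoutSessionEvent] [info] [AD\\alice] "
    "[] [49111254] [User AD\\alice@127.0.0.1 logged out (login time: Thursday, 21 April, "
    "2022 05:27:42 PM, number of API invocations: 1, user agent: VMware vim-java 1.0)]",
    "2022-04-21T17:40:01.000000+00:00 vcenter01 vpxd 3115 - - Event [49110100] [1-1] "
    "[2022-04-21T17:40:01.000000Z] [vim.event.BadUsernameSessionEvent] [warning] "
    "[AD\\mallory] [] [49110100] [Cannot login AD\\mallory@10.0.0.9]",
]

# Event [id] [partition] [time] [type] [severity] [user] [target] [chain] [message]
EVENT_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) \d+ - - Event "
    r"\[(?P<event_id>\d+)\] \[[^\]]*\] \[(?P<event_time>[^\]]+)\] "
    r"\[(?P<signature>vim\.event\.\w+)\] \[(?P<severity>\w+)\] \[(?P<user>[^\]]*)\] "
    r"\[[^\]]*\] \[(?P<chain_id>[^\]]*)\] \[(?P<message>.*)\]$"
)
# The client address only appears inside the free-text message, as user@ip.
SRC_RE = re.compile(r"@(?P<src>[0-9A-Fa-f.:]+)")

# CIM Authentication actions are success/failure/pending/error; logouts get none.
ACTION_BY_SIGNATURE = {
    "vim.event.UserLoginSessionEvent": "success",
    "vim.event.BadUsernameSessionEvent": "failure",
}


def parse_vpxd_event(line):
    """Return CIM-style fields for one vpxd Event line, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    src = SRC_RE.search(fields["message"])
    fields["src"] = src.group("src") if src else None
    fields["action"] = ACTION_BY_SIGNATURE.get(fields["signature"])
    return fields


def authentication_events(lines):
    """Keep only events that map to an Authentication action (login success/failure)."""
    parsed = (parse_vpxd_event(line) for line in lines)
    return [f for f in parsed if f and f["action"]]
```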