Splunk Enterprise Security

VMWare Unified Access Gateway

sheamus69
Communicator

Has anyone had experience of ingesting logs from VMWare Unified Access Gateway (UAG)?

Splunkbase doesn't seem to have any apps for UAG, and looking at the VMWare docs for help interpreting the logs hasn't been much use.

Any Help / Advice would be gratefully received.

0 Karma

youngsuh
Communicator

Have you made any progress? I am thinking of forwarding the syslog from the UAG by doing this setup.

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/WS1-Secure-Email-Gateway/GUID-8EFA64BD-...

Hoping https://docs.splunk.com/Documentation/AddOns/released/VMW/Install parses the data and handles line breaking at least.

Use the following document to create sourcetypes.

https://docs.vmware.com/en/Unified-Access-Gateway/3.3.1/com.vmware.uag-331-deploy-config.doc/GUID-C1...

Any feedback would be appreciated.

0 Karma

seankoniarz
Explorer

So we have made SOME progress on using UAG + VMware View in terms of finding logs and interesting logs. We are still working on it fully, but after investigating with our VMware teams we found a log actually stored on the hosts themselves in the debug logs: C:\ProgramData\VMware\VDM\logs

Our goal was to be able to provide session data and understand where all the connections were coming from.

Not sure if this pertains to every environment, as I am not a VMware expert. The data, however, does include external IPs, systems they are connecting with and disconnecting with, session time and a few others.


Going to see from management what we can share if it would be valuable.

JScordo
Path Finder

Hi @sheamus69, I just started going down this path myself. I've configured the UAG to output syslog to one of my Heavy Forwarders and have started ingesting those logs (no help with sourcetyping from the VMware apps). I am still going to have to build the sourcetype and field extractions, so if you already have a working prototype I can start with, that would help. Otherwise, I can work on getting some regex for the field extractions and share it once I've completed that.

0 Karma

sheamus69
Communicator

I didn't get all that far, myself. I found the VMware logging documentation to be absolutely useless, and most of what came in the logs was just noise.

If you progress this further, I'd be interested in what you have achieved.

0 Karma

JScordo
Path Finder

I've had to write a couple of SH regex extractions to get the fields I wanted out. Nothing pretty, nothing that good. I still have to discuss with the team making the request to see if the data is valid or just noise; we haven't gotten that far ourselves.

0 Karma

tscroggins
Motivator

If Splunk won't detect the source type for *.log, try sourcetype = log4j in inputs.conf.

The *.json files may work automatically as _json, but if not, you can use a custom source type with either INDEXED_EXTRACTIONS = json or KV_MODE = json in props.conf.

0 Karma
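What the two source-type choices above look like as configuration, as an added example and not something posted in the thread; the monitor paths, the index name and the uag:json source-type name are placeholders, and the two props.conf stanzas are alternatives, not meant to be deployed together.

```ini
# inputs.conf on the instance that reads the UAG log directory
# (placeholder path and index name; substitute your own)
[monitor:///var/log/uag-placeholder/*.log]
sourcetype = log4j
index = uag_placeholder

[monitor:///var/log/uag-placeholder/*.json]
sourcetype = uag:json
index = uag_placeholder

# props.conf, option A: index-time JSON extraction.
# Must be on the instance that first parses the file (the forwarder
# itself when it is a universal forwarder), and the source type has
# to be assigned in inputs.conf as above for it to take effect.
[uag:json]
INDEXED_EXTRACTIONS = json
SHOULD_LINEMERGE = false
# On the search head, pair this with KV_MODE = none for the same
# source type, otherwise every field shows up twice.

# props.conf, option B: search-time JSON extraction.
# Lives on the search head; nothing is stored at index time, so it is
# cheaper on disk, but fields are only available at search time.
[uag:json]
KV_MODE = json
SHOULD_LINEMERGE = false
```

Whichever option is chosen, check with a search over the new source type that the events break one JSON object per event before building field extractions on top of them.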

adonio
Ultra Champion
0 Karma

sheamus69
Communicator

That doc just tells you the name of log files, it doesn't give any explanation of what to expect in the logs.

0 Karma

adonio
Ultra Champion

Yes,
download the log -> open it up -> look at the format -> build your TA -> index and verify -> share with the community

0 Karma

youngsuh
Communicator

I'd posted an idea on Splunk Ideas. Please vote to get this add-on and app created.


VMware Unified Access Gateway & Horizon Desktop Desktop | Ideas (splunk.com)

0 Karma