Splunk Enterprise Security

Has anyone had experience of ingesting logs from VMWare Unified Access Gateway?

sheamus69
Communicator

Has anyone had experience of ingesting logs from VMWare Unified Access Gateway (UAG)?

Splunkbase doesn't seem to have any apps for UAG, and looking at the VMWare docs for help interpreting the logs hasn't been much use.

Any Help / Advice would be gratefully received.

0 Karma

youngsuh
Contributor

@sheamus69 

I've made some progress. Initial work is getting the log ingestion from syslog and overriding the sourcetype.

Here is my inputs.conf

# One monitor stanza per UAG host; the syslog receiver writes each host's events
# to /var/log/<host>/syslog. Every stanza lands in the test index with the
# placeholder sourcetype uag:syslog, which props/transforms override below.
[monitor:///var/log/$mask_host1$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host2$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog

[monitor:///var/log/$mask_host3$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog
Here is props.conf on the HF.

# Applied to the placeholder sourcetype; the transforms run in the order listed.
[uag:syslog]
category = Custom
TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager

Here is transforms.conf on the HF.

# Each transform matches the UAG component tag in _raw and rewrites the
# sourcetype at parse time (MetaData:Sourcetype), so it must live on the HF
# that parses the data, not on a universal forwarder.
[vmware:uag:admin]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype

[vmware:uag:audit]
REGEX = uag-audit\:
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype

[vmware:uag:esmanager]
REGEX = uag-esmanager\:
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype

Next, I'll update with field extraction if you're interested.
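To check the sourcetype-override chain above before touching the HF, here is an added example (not from the original post or from VMware) that replays the three transforms over a handful of constructed syslog lines. The line layout is assumed; only the "uag-admin:", "uag-audit:" and "uag-esmanager:" tags matter to the regexes. It also covers the two edge cases the config leaves implicit: a line that matches none of the transforms keeps the inputs.conf sourcetype, and when several transforms match one event the last one listed wins because each overwrites MetaData:Sourcetype in turn.

```python
import re
from collections import Counter

# Constructed sample events (not captured from a real UAG); the surrounding
# syslog header is an assumption, the uag-<component>: tags are the real hook.
SAMPLE_LINES = [
    "Feb 10 12:00:01 uag01 UAG_uag01: uag-admin: [nio-9443-exec-1] INFO admin settings saved",
    "Feb 10 12:00:02 uag01 UAG_uag01: uag-audit: authentication attempt from 203.0.113.5",
    "Feb 10 12:00:03 uag01 UAG_uag01: uag-esmanager: session count 12",
    "Feb 10 12:00:04 uag01 UAG_uag01: uag-admin without a colon stays on the default",
    "Feb 10 12:00:05 uag01 UAG_uag01: kernel: unrelated noise",
]

# Mirror of the TRANSFORMS-uag:syslog list, in the same order as props.conf:
# (REGEX, sourcetype written by FORMAT).
TRANSFORMS = [
    (r"uag-admin\:", "vmware:uag:admin"),
    (r"uag-audit\:", "vmware:uag:audit"),
    (r"uag-esmanager\:", "vmware:uag:esmanager"),
]


def route_sourcetype(line, default="uag:syslog", transforms=TRANSFORMS):
    """Return the sourcetype the transforms chain assigns to one raw event.

    Splunk evaluates the transforms in list order and each match rewrites
    MetaData:Sourcetype, so the last matching transform wins; an event that
    matches none keeps the sourcetype set in inputs.conf.
    """
    sourcetype = default
    for pattern, target in transforms:
        if re.search(pattern, line):
            sourcetype = target
    return sourcetype


def route_all(lines):
    """Pair every event with its final sourcetype."""
    return [(route_sourcetype(line), line) for line in lines]


def sourcetype_counts(lines):
    """Count events per final sourcetype, the same view a
    `| stats count by sourcetype` search would give after ingestion."""
    return Counter(route_sourcetype(line) for line in lines)


if __name__ == "__main__":
    for sourcetype, line in route_all(SAMPLE_LINES):
        print(f"{sourcetype:22} {line}")
    print(dict(sourcetype_counts(SAMPLE_LINES)))
```

Anything still showing up as uag:syslog after this check is either noise (the last sample line) or a component tag the three regexes do not cover yet. If the list of components grows, the three stanzas can be collapsed into one transform using a capture group, `REGEX = uag-(admin|audit|esmanager):` with `FORMAT = sourcetype::vmware:uag:$1`, which Splunk's transforms.conf supports; that is a rewrite of the posted config, not something the original post uses.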

youngsuh
Contributor

Have you made any progress? I am thinking of forwarding the syslog from the UAG using this setup.

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/WS1-Secure-Email-Gateway/GUID-8EFA64BD-...

Hoping https://docs.splunk.com/Documentation/AddOns/released/VMW/Install parses the data and handles line breaking at least.

Use the following document to create sourcetypes.

Syslog Formats and Events (vmware.com)

Any feedback would be appreciated.

0 Karma

seankoniarz
Explorer

So we have made SOME progress on using UAG + VMware View in terms of finding logs and interesting logs. We are still working on it fully, but after investigating with our VMware teams we found a log actually stored on the hosts themselves in the debug logs: C:\ProgramData\VMware\VDM\logs

Our goal was to be able to provide session data and understand where all the connections were coming from.  

Not sure if this pertains to every environment as I am not a VMware expert. The data however does include external IPs, systems they are connecting with and disconnecting from, session time and a few others.

Going to see from management what we can share if it would be valuable.  

JScordo
Path Finder

Hi @sheamus69, I just started going down this path myself. I've configured the UAG to output syslog to one of my Heavy Forwarders and have started ingesting those logs (no help with sourcetyping from the VMware apps). I am still going to have to build the sourcetype and field extractions, so if you already have a working prototype I can start with, that would help. Otherwise, I can work on getting some regex for the field extractions and share it once I've completed that.

0 Karma

sheamus69
Communicator

I didn't get all that far, myself. I found the vmware logging documentation to be absolutely useless, and most of what came in the logs was just noise.

If you progress this further, I'd be interested in what you have achieved.

0 Karma

JScordo
Path Finder

I've had to write a couple of SH regex extractions to get the fields I wanted out. Nothing pretty, nothing that good. I still have to discuss with the team making the request to see if the data is valid or just noise; we haven't gotten that far ourselves.

0 Karma

tscroggins
Influencer

If Splunk won't detect the source type for *.log, try sourcetype = log4j in inputs.conf.

The *.json files may work automatically as _json, but if not, you can use a custom source type with either INDEXED_EXTRACTIONS = json or KV_MODE = json in props.conf.

0 Karma

adonio
Ultra Champion
0 Karma

sheamus69
Communicator

That doc just tells you the name of log files, it doesn't give any explanation of what to expect in the logs.

0 Karma

adonio
Ultra Champion

yes,
download the log -> open it up -> look at the format -> build your TA -> index and verify -> share with the community

0 Karma

youngsuh
Contributor

I'd posted an idea on Splunk Ideas. Please vote to get this add-on and app created.

VMware Unified Access Gateway & Horizon Desktop Desktop | Ideas (splunk.com)

0 Karma