Has anyone had experience of ingesting logs from VMWare Unified Access Gateway (UAG)?
Splunkbase doesn't seem to have any apps for UAG, and looking at the VMWare docs for help interpreting the logs hasn't been much use.
Any Help / Advice would be gratefully received.
I've made some progress. Initial work is getting the log ingestion from syslog and overriding the SourceType.
Here is my inputs.conf:
[monitor:///var/log/$mask_host1$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog
[monitor:///var/log/$mask_host2$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog
[monitor:///var/log/$mask_host3$/syslog]
disabled = false
#initCrcLength = 800
crcSalt = <SOURCE>
index = test
sourcetype = uag:syslog
Here is props.conf on the HF:
[uag:syslog]
category = Custom
TRANSFORMS-uag:syslog = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager
Here is transforms.conf on the HF:
[vmware:uag:admin]
REGEX = uag-admin\:
FORMAT = sourcetype::vmware:uag:admin
DEST_KEY = MetaData:Sourcetype
[vmware:uag:audit]
REGEX = uag-audit\:
FORMAT = sourcetype::vmware:uag:audit
DEST_KEY = MetaData:Sourcetype
[vmware:uag:esmanager]
REGEX = uag-esmanager\:
FORMAT = sourcetype::vmware:uag:esmanager
DEST_KEY = MetaData:Sourcetype
Next, I'll update with field extraction if you're interested.
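To check the three transforms.conf REGEX values against real UAG syslog lines before deploying them to the heavy forwarder, a small offline router helps. The script below is an added example, not part of the post above and not VMware's or Splunk's code: it re-implements the sourcetype-override logic of the transforms.conf stanzas (each transform in the TRANSFORMS list runs in order, a matching one sets the sourcetype, and a later match overwrites an earlier one) and reports which lines stay on the fallback uag:syslog sourcetype, which is where the noise the thread mentions would land. The sample syslog lines are constructed for the example and do not reproduce VMware's exact message format; replace them with lines from your own /var/log/<host>/syslog file.

```python
import re
from collections import Counter

# Mirrors the three transforms.conf stanzas from the post, in the order they
# appear in TRANSFORMS-uag:syslog. As in Splunk, the REGEX values are
# unanchored, so "uag-admin:" anywhere in the line (including the message
# body) triggers the override; anchor them if that turns out to be a problem.
ROUTES = [
    ("vmware:uag:admin", re.compile(r"uag-admin\:")),
    ("vmware:uag:audit", re.compile(r"uag-audit\:")),
    ("vmware:uag:esmanager", re.compile(r"uag-esmanager\:")),
]

# The sourcetype assigned by inputs.conf when no transform matches.
DEFAULT_SOURCETYPE = "uag:syslog"

# Constructed sample lines (assumption: hostname "uag01", BSD-style syslog
# header). Line 4 is a non-UAG daemon message to show the fallback path.
SAMPLE_SYSLOG = """\
<14>Jan 10 10:00:01 uag01 uag-admin: 2024-01-10T10:00:01Z INFO admin login from 192.0.2.10
<14>Jan 10 10:00:02 uag01 uag-audit: 2024-01-10T10:00:02Z AUDIT config change by admin
<14>Jan 10 10:00:03 uag01 uag-esmanager: 2024-01-10T10:00:03Z INFO edge service started
<14>Jan 10 10:00:04 uag01 systemd: Started Session 12 of user root.
<14>Jan 10 10:00:05 uag01 uag-audit: 2024-01-10T10:00:05Z AUDIT session end
"""


def route_sourcetype(line, routes=ROUTES, default=DEFAULT_SOURCETYPE):
    """Return the sourcetype Splunk would assign to one raw line.

    Every transform in the list is evaluated; a match writes to
    MetaData:Sourcetype, so the last matching transform wins. With the three
    disjoint patterns above no line matches more than one.
    """
    sourcetype = default
    for candidate, regex in routes:
        if regex.search(line):
            sourcetype = candidate
    return sourcetype


def summarize(lines, routes=ROUTES, default=DEFAULT_SOURCETYPE):
    """Count lines per sourcetype and collect the ones left on the default.

    Returns (counts, unrouted) where counts is a plain dict of
    sourcetype -> line count and unrouted is the list of raw lines that no
    transform claimed. A large unrouted list means either a missing stanza or
    genuine noise worth filtering with a nullQueue transform.
    """
    counts = Counter()
    unrouted = []
    for line in lines:
        if not line.strip():
            continue
        sourcetype = route_sourcetype(line, routes, default)
        counts[sourcetype] += 1
        if sourcetype == default:
            unrouted.append(line)
    return dict(counts), unrouted


if __name__ == "__main__":
    counts, unrouted = summarize(SAMPLE_SYSLOG.splitlines())
    for sourcetype, n in sorted(counts.items()):
        print(f"{n:5d}  {sourcetype}")
    print(f"\n{len(unrouted)} line(s) left on {DEFAULT_SOURCETYPE}:")
    for line in unrouted:
        print("  " + line)
```

Run it as `python route_check.py < /dev/null` with the embedded sample, or swap SAMPLE_SYSLOG for `open("/var/log/uag01/syslog").read()` to profile a real file; the per-sourcetype counts are a quick way to confirm the overrides fire before you spend indexer licence on the test index.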
Have you made any progress? I am thinking of forwarding the syslog from the UAG and doing this setup.
Hoping https://docs.splunk.com/Documentation/AddOns/released/VMW/Install parses the data and handles line breaking at least.
Use the following document to create sourcetypes.
Syslog Formats and Events (vmware.com)
Any feedback would be appreciated.
So we have made SOME progress on using UAG + VMware View in terms of finding logs and interesting logs. We are still working on it fully, but after investigating with our VMware teams we found a log actually stored on the hosts themselves in the debug logs: C:\ProgramData\VMware\VDM\logs
Our goal was to be able to provide session data and understand where all the connections were coming from.
Not sure if this pertains to every environment, as I am not a VMware expert. The data, however, does include external IPs, systems they are connecting with and disconnecting from, session time and a few others.
Going to see from management what we can share if it would be valuable.
Hi @sheamus69, I just started going down this path myself. I've configured the UAG to output syslog to one of my Heavy Forwarders and have started ingesting those logs (no help with sourcetyping from the VMware apps). I am still going to have to build the sourcetype and field extractions, so if you already have a working prototype I can start with, that would help. Otherwise, I can work on getting some regex for the field extractions and share it once I've completed that.
I didn't get all that far, myself. I found the vmware logging documentation to be absolutely useless, and most of what came in the logs was just noise.
If you progress this further, I'd be interested in what you have achieved.
I've had to write a couple of SH regex extractions to get the fields I wanted out. Nothing pretty, nothing that good. I still have to discuss with the team making the request to see if the data is valid or just noise; we haven't gotten that far ourselves.
If Splunk won't detect the source type for *.log, try sourcetype = log4j in inputs.conf.
The *.json files may work automatically as _json, but if not, you can use a custom source type with either INDEXED_EXTRACTIONS = json or KV_MODE = json in props.conf.
That doc just tells you the name of log files, it doesn't give any explanation of what to expect in the logs.
Yes:
download the log -> open it up -> look at the format -> build your TA -> index and verify -> share with the community
I'd posted an idea on Splunk Ideas. Please vote to get this add-on and app created.
VMware Unified Access Gateway & Horizon Desktop Desktop | Ideas (splunk.com)