Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

We are providing you the steps to integrate your Vmware Esxi/Vsphere with Seceon SIEM so that you can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Netflows and Syslog forwarding.

Procedure :


  1. From the object navigator select “Esxi host” that you want to configure and click the “Manage” tab.

Image Added

2.On the Settings tab, click “Advanced System Settings”

Image Added

3.Locate the Syslog.global.logHost property and click the “Edit” icon.

Image Added

4.Modify the Syslog.global.logHost property to point to the Log Insight IP address or host name and click 

Image Added

5.The format is tcp|udp|ssl://log_insight-host:514|1514, where log_insight-hostis the IP address or host name of the Log Insight virtual appliance. Next steps to be followed are:

...

NOTE : Use port 514 for UDP and TCP communication, and port 1514 for SSL protocol. 

                           1. Verify that Firewall is not blocking the communication ports.

                           2. On the Settings tab, click Security Profile, and verify that syslog appears in the Outgoing Connections list.

                           3.  If you do not see syslog in the Outgoing Connections list, click Edit on the upper right.

                           4. On the list of services, scroll down to locate the syslog service, and select the syslog check box.

                           5.  Click OK


VERIFICATION OF CONFIGURATION

Verification can be done either from CCE Server or from UI.

Using UI

STEP 1: Log in to UI >> SYSTEM

Image Added

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.


Image Added


STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Image Added

Using CCE SERVER

sudo tcpdump -i any host 514 (for logs) and 9995 (for flows) and host <IP address> -AAA” command should be running on the CCE server to check whether or not we are getting logs.