Collect VMware ESXi logs
Overview
This parser extracts fields from VMware ESXi syslog and JSON formatted logs. It normalizes the variety of ESXi log formats into a common structure, then populates UDM fields based on extracted values, including handling specific cases for different ESXi services like crond, named, and sshd using include files.
Before you begin
- Ensure that you have a Google SecOps instance.
- Ensure that you have privileged access to VMWare ESX.
- Ensure that you have a Windows 2012 SP2 or later or Linux host with systemd.
- If running behind a proxy, ensure firewall ports are open.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install Bindplane Agent
- For Windows installation, run the following script: msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet.
- For Linux installation, run the following script: sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh.
- Additional installation options can be found in this installation guide.
Configure Bindplane Agent to ingest Syslog and send to Google SecOps
- Access the machine where Bindplane Agent is installed.
- Edit the config.yaml file as follows:

```yaml
receivers:
  tcplog:
    # Replace the below port <54525> and IP (0.0.0.0) with your specific values
    listen_address: "0.0.0.0:54525"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the creds location below according to the placement of the credentials file you downloaded
    creds: '{ json file for creds }'
    # Replace <customer_id> below with your actual ID that you copied
    customer_id: <customer_id>
    endpoint: malachiteingestion-pa.googleapis.com
    # You can apply ingestion labels below as preferred
    ingestion_labels:
      log_type: SYSLOG
      namespace:
    raw_log_field: body

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - tcplog
      exporters:
        - chronicle/chronicle_w_labels
```

- Restart Bindplane Agent to apply the changes using the following command: sudo systemctl restart bindplane
Allow syslog ESXi firewall rule
- Go to Networking > Firewall rules.
- Find syslog in the Name column.
- Click Edit settings.
- Update the TCP or UDP port you configured in Bindplane.
- Click Save.
- Keep the syslog line selected.
- Select Actions > Enable.
Export Syslog from VMware ESXi using vSphere Client
- Sign in to your ESXi host using vSphere Client.
- Go to Manage > System > Advanced Settings.
- Find the Syslog.global.logHost key in the list.
- Select the key and click Edit option.
- Enter <protocol>://<destination_IP>:<port>, replacing the placeholders as follows:
  - Replace <protocol> with tcp (if you configured Bindplane Agent to use UDP, then type udp).
  - Replace <destination_IP> with the IP address of your Bindplane Agent.
  - Replace <port> with the port previously set up in Bindplane Agent.
- Click Save.
Optional: Export Syslog from VMware ESXi using SSH
- Connect to your ESXi host using SSH.
- Use the command esxcli system syslog config set --loghost=<protocol>://<destination_IP>:<port>, replacing the placeholders as follows:
  - Replace <protocol> with tcp (if you configured Bindplane Agent to use UDP, then type udp).
  - Replace <destination_IP> with the IP address of your Bindplane Agent.
  - Replace <port> with the port previously set up in Bindplane.
- Restart the syslog service by entering the command /etc/init.d/syslog restart.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| @fields.alias | event.idm.read_only_udm.principal.cloud.project.alias | Directly mapped from the JSON log's @fields.alias field. |
| @fields.company_name | event.idm.read_only_udm.principal.user.company_name | Directly mapped from the JSON log's @fields.company_name field. |
| @fields.facility | event.idm.read_only_udm.principal.resource.type | Directly mapped from the JSON log's @fields.facility field. |
| @fields.host | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the JSON log's @fields.host field. |
| @fields.privatecloud_id | event.idm.read_only_udm.principal.cloud.project.id | Directly mapped from the JSON log's @fields.privatecloud_id field. |
| @fields.privatecloud_name | event.idm.read_only_udm.principal.cloud.project.name | Directly mapped from the JSON log's @fields.privatecloud_name field. |
| @fields.procid | event.idm.read_only_udm.principal.process.pid | Directly mapped from the JSON log's @fields.procid field. |
| @fields.region_id | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from the JSON log's @fields.region_id field. |
| @fields.severity | event.idm.read_only_udm.security_result.severity | Mapped from the JSON log's @fields.severity field. If the value is "info" or similar, it's mapped to "INFORMATIONAL". |
| @timestamp | event.idm.read_only_udm.metadata.event_timestamp | Parsed and converted to a timestamp object from the log's @timestamp field using the date filter. |
| adapter | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's adapter field. |
| action | event.idm.read_only_udm.security_result.action | Directly mapped from the raw log's action field. Values like "ALLOW" and "BLOCK" are used. |
| action | event.idm.read_only_udm.security_result.action_details | Directly mapped from the raw log's action field. Values like "Redirect" are used. |
| administrative_domain | event.idm.read_only_udm.principal.administrative_domain | Directly mapped from the raw log's administrative_domain field. |
| agent.hostname | event.idm.read_only_udm.intermediary.hostname | Directly mapped from the JSON log's agent.hostname field. |
| agent.id | event.idm.read_only_udm.intermediary.asset.id | Directly mapped from the JSON log's agent.id field. |
| agent.name | event.idm.read_only_udm.intermediary.asset.name | Directly mapped from the JSON log's agent.name field. |
| agent.type | event.idm.read_only_udm.intermediary.asset.type | Directly mapped from the JSON log's agent.type field. |
| agent.version | event.idm.read_only_udm.intermediary.asset.version | Directly mapped from the JSON log's agent.version field. |
| app_name | event.idm.read_only_udm.principal.application | Directly mapped from the raw log's app_name field. |
| app_protocol | event.idm.read_only_udm.network.application_protocol | Directly mapped from the raw log's app_protocol field. If the value matches "http" (case-insensitive), it's mapped to "HTTP". |
| application | event.idm.read_only_udm.principal.application | Directly mapped from the JSON log's program field. |
| cmd | event.idm.read_only_udm.target.process.command_line | Directly mapped from the raw log's cmd field. |
| collection_time | event.idm.read_only_udm.metadata.event_timestamp | The nanoseconds from the collection_time field are added to the seconds from the collection_time field to create the event_timestamp. |
| data | event.idm.read_only_udm.metadata.description | The raw log message is parsed and relevant parts are extracted to populate the description field. |
| descrip | event.idm.read_only_udm.metadata.description | Directly mapped from the raw log's descrip field. |
| dns.answers.data | event.idm.read_only_udm.network.dns.answers.data | Directly mapped from the JSON log's dns.answers.data field. |
| dns.answers.ttl | event.idm.read_only_udm.network.dns.answers.ttl | Directly mapped from the JSON log's dns.answers.ttl field. |
| dns.answers.type | event.idm.read_only_udm.network.dns.answers.type | Directly mapped from the JSON log's dns.answers.type field. |
| dns.questions.name | event.idm.read_only_udm.network.dns.questions.name | Directly mapped from the JSON log's dns.questions.name field. |
| dns.questions.type | event.idm.read_only_udm.network.dns.questions.type | Directly mapped from the JSON log's dns.questions.type field. |
| dns.response | event.idm.read_only_udm.network.dns.response | Directly mapped from the JSON log's dns.response field. |
| ecs.version | event.idm.read_only_udm.metadata.product_version | Directly mapped from the JSON log's ecs.version field. |
| event_message | event.idm.read_only_udm.metadata.description | Directly mapped from the JSON log's event_message field. |
| event_metadata | event.idm.read_only_udm.principal.process.product_specific_process_id | The event_metadata field is parsed to extract the opID value, which is then prepended with "opID:" and mapped to the UDM. |
| event_type | event.idm.read_only_udm.metadata.event_type | Directly mapped from the JSON log's event_type field. |
| filepath | event.idm.read_only_udm.target.file.full_path | Directly mapped from the raw log's filepath field. |
| fields.company_name | event.idm.read_only_udm.principal.user.company_name | Directly mapped from the JSON log's fields.company_name field. |
| fields.facility | event.idm.read_only_udm.principal.resource.type | Directly mapped from the JSON log's fields.facility field. |
| fields.host | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the JSON log's fields.host field. |
| fields.privatecloud_id | event.idm.read_only_udm.principal.cloud.project.id | Directly mapped from the JSON log's fields.privatecloud_id field. |
| fields.privatecloud_name | event.idm.read_only_udm.principal.cloud.project.name | Directly mapped from the JSON log's fields.privatecloud_name field. |
| fields.procid | event.idm.read_only_udm.principal.process.pid | Directly mapped from the JSON log's fields.procid field. |
| fields.region_id | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from the JSON log's fields.region_id field. |
| fields.severity | event.idm.read_only_udm.security_result.severity | Mapped from the JSON log's fields.severity field. If the value is "info" or similar, it's mapped to "INFORMATIONAL". |
| host.architecture | event.idm.read_only_udm.principal.asset.architecture | Directly mapped from the JSON log's host.architecture field. |
| host.containerized | event.idm.read_only_udm.principal.asset.containerized | Directly mapped from the JSON log's host.containerized field. |
| host.hostname | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the JSON log's host.hostname field. |
| host.id | event.idm.read_only_udm.principal.asset.id | Directly mapped from the JSON log's host.id field. |
| host.ip | event.idm.read_only_udm.principal.ip, event.idm.read_only_udm.principal.asset.ip | Directly mapped from the JSON log's host.ip field. |
| host.mac | event.idm.read_only_udm.principal.mac, event.idm.read_only_udm.principal.asset.mac | Directly mapped from the JSON log's host.mac field. |
| host.name | event.idm.read_only_udm.principal.asset.name | Directly mapped from the JSON log's host.name field. |
| host.os.codename | event.idm.read_only_udm.principal.asset.os.codename | Directly mapped from the JSON log's host.os.codename field. |
| host.os.family | event.idm.read_only_udm.principal.asset.os.family | Directly mapped from the JSON log's host.os.family field. |
| host.os.kernel | event.idm.read_only_udm.principal.asset.os.kernel | Directly mapped from the JSON log's host.os.kernel field. |
| host.os.name | event.idm.read_only_udm.principal.asset.os.name | Directly mapped from the JSON log's host.os.name field. |
| host.os.platform | event.idm.read_only_udm.principal.asset.os.platform | Directly mapped from the JSON log's host.os.platform field. |
| host.os.version | event.idm.read_only_udm.principal.asset.os.version | Directly mapped from the JSON log's host.os.version field. |
| iporhost | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the raw log's iporhost field. |
| iporhost | event.idm.read_only_udm.principal.ip | Directly mapped from the raw log's iporhost field if it's an IP address. |
| iporhost1 | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the raw log's iporhost1 field. |
| kv_data1 | event.idm.read_only_udm.principal.process.product_specific_process_id | The kv_data1 field is parsed to extract the opID or sub value, which is then prepended with "opID:" or "sub:" respectively and mapped to the UDM. |
| kv_msg | event.idm.read_only_udm.additional.fields | The kv_msg field is parsed as key-value pairs and added to the additional_fields array in the UDM. |
| kv_msg1 | event.idm.read_only_udm.additional.fields | The kv_msg1 field is parsed as key-value pairs and added to the additional_fields array in the UDM. |
| lbdn | event.idm.read_only_udm.target.hostname | Directly mapped from the raw log's lbdn field. |
| log.source.address | event.idm.read_only_udm.observer.hostname | Directly mapped from the JSON log's log.source.address field, taking only the hostname part. |
| log_event.original | event.idm.read_only_udm.metadata.description | Directly mapped from the JSON log's event.original field. |
| log_level | event.idm.read_only_udm.security_result.severity_details | Directly mapped from the JSON log's log_level field. |
| logstash.collect.host | event.idm.read_only_udm.observer.hostname | Directly mapped from the JSON log's logstash.collect.host field. |
| logstash.collect.timestamp | event.idm.read_only_udm.metadata.ingested_timestamp | Parsed and converted to a timestamp object from the log's logstash.collect.timestamp field using the date filter. |
| logstash.ingest.host | event.idm.read_only_udm.intermediary.hostname | Directly mapped from the JSON log's logstash.ingest.host field. |
| logstash.ingest.timestamp | event.idm.read_only_udm.metadata.ingested_timestamp | Parsed and converted to a timestamp object from the log's logstash.ingest.timestamp field using the date filter. |
| logstash.process.host | event.idm.read_only_udm.intermediary.hostname | Directly mapped from the JSON log's logstash.process.host field. |
| logstash.process.timestamp | event.idm.read_only_udm.metadata.ingested_timestamp | Parsed and converted to a timestamp object from the log's logstash.process.timestamp field using the date filter. |
| log_type | event.idm.read_only_udm.metadata.log_type | Directly mapped from the raw log's log_type field. |
| message | event.idm.read_only_udm.metadata.description | Directly mapped from the JSON log's message field. |
| message_to_process | event.idm.read_only_udm.metadata.description | Directly mapped from the raw log's message_to_process field. |
| metadata.event_type | event.idm.read_only_udm.metadata.event_type | Set to "GENERIC_EVENT" initially, then potentially overwritten based on the parsed service or other log content. Can be values like PROCESS_LAUNCH, NETWORK_CONNECTION, USER_LOGIN, etc. |
| metadata.product_event_type | event.idm.read_only_udm.metadata.product_event_type | Directly mapped from the raw log's process_id or prod_event_type field. |
| metadata.product_log_id | event.idm.read_only_udm.metadata.product_log_id | Directly mapped from the raw log's event_id field. |
| metadata.product_name | event.idm.read_only_udm.metadata.product_name | Set to "ESX". |
| metadata.product_version | event.idm.read_only_udm.metadata.product_version | Directly mapped from the JSON log's version field. |
| metadata.vendor_name | event.idm.read_only_udm.metadata.vendor_name | Set to "VMWARE". |
| msg | event.idm.read_only_udm.metadata.description | Directly mapped from the raw log's msg field. |
| network.application_protocol | event.idm.read_only_udm.network.application_protocol | Set to "DNS" if the service is "named", "HTTPS" if the port is 443, or "HTTP" if the app_protocol matches "http". |
| network.direction | event.idm.read_only_udm.network.direction | Determined from keywords in the raw log, such as "IN", "OUT", "->". Can be INBOUND or OUTBOUND. |
| network.http.method | event.idm.read_only_udm.network.http.method | Directly mapped from the raw log's method field. |
| network.http.parsed_user_agent | event.idm.read_only_udm.network.http.parsed_user_agent | Parsed from the useragent field using the convert filter. |
| network.http.referral_url | event.idm.read_only_udm.network.http.referral_url | Directly mapped from the raw log's prin_url field. |
| network.http.response_code | event.idm.read_only_udm.network.http.response_code | Directly mapped from the raw log's status_code field and converted to an integer. |
| network.http.user_agent | event.idm.read_only_udm.network.http.user_agent | Directly mapped from the raw log's useragent field. |
| network.ip_protocol | event.idm.read_only_udm.network.ip_protocol | Determined from keywords in the raw log, such as "TCP", "UDP". |
| network.received_bytes | event.idm.read_only_udm.network.received_bytes | Directly mapped from the raw log's rec_bytes field and converted to an unsigned integer. |
| network.sent_bytes | event.idm.read_only_udm.network.sent_bytes | Extracted from the raw log's message_to_process field. |
| network.session_id | event.idm.read_only_udm.network.session_id | Directly mapped from the raw log's session field. |
| pid | event.idm.read_only_udm.target.process.parent_process.pid | Directly mapped from the raw log's pid field. |
| pid | event.idm.read_only_udm.principal.process.pid | Directly mapped from the JSON log's pid field. |
| pid | event.idm.read_only_udm.target.process.pid | Directly mapped from the raw log's pid field. |
| port | event.idm.read_only_udm.target.port | Directly mapped from the JSON log's port field. |
| principal.application | event.idm.read_only_udm.principal.application | Directly mapped from the raw log's app_name or service field. |
| principal.asset.hostname | event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the raw log's principal_hostname or iporhost field. |
| principal.asset.ip | event.idm.read_only_udm.principal.asset.ip | Directly mapped from the raw log's syslog_ip field. |
| principal.hostname | event.idm.read_only_udm.principal.hostname | Directly mapped from the raw log's principal_hostname or iporhost field. |
| principal.ip | event.idm.read_only_udm.principal.ip | Directly mapped from the raw log's iporhost or syslog_ip field. |
| principal.port | event.idm.read_only_udm.principal.port | Directly mapped from the raw log's srcport field. |
| principal.process.command_line | event.idm.read_only_udm.principal.process.command_line | Directly mapped from the raw log's cmd field. |
| principal.process.parent_process.pid | event.idm.read_only_udm.principal.process.parent_process.pid | Directly mapped from the raw log's parent_pid field. |
| principal.process.pid | event.idm.read_only_udm.principal.process.pid | Directly mapped from the raw log's process_id field. |
| principal.process.product_specific_process_id | event.idm.read_only_udm.principal.process.product_specific_process_id | Extracted from the raw log's message_to_process field, usually prefixed with "opID:". |
| principal.url | event.idm.read_only_udm.principal.url | Directly mapped from the raw log's prin_url field. |
| principal.user.company_name | event.idm.read_only_udm.principal.user.company_name | Directly mapped from the JSON log's fields.company_name field. |
| principal.user.userid | event.idm.read_only_udm.principal.user.userid | Directly mapped from the raw log's USER field. |
| priority | event.idm.read_only_udm.metadata.product_event_type | Directly mapped from the raw log's priority field. |
| program | event.idm.read_only_udm.principal.application | Directly mapped from the JSON log's program field. |
| qname | event.idm.read_only_udm.network.dns.questions.name | Directly mapped from the raw log's qname field. |
| response_data | event.idm.read_only_udm.network.dns.answers.data | Directly mapped from the raw log's response_data field. |
| response_rtype | event.idm.read_only_udm.network.dns.answers.type | Directly mapped from the raw log's response_rtype field. The numeric DNS record type is extracted. |
| response_ttl | event.idm.read_only_udm.network.dns.answers.ttl | Directly mapped from the raw log's response_ttl field. |
| rtype | event.idm.read_only_udm.network.dns.questions.type | Directly mapped from the raw log's rtype field. The numeric DNS record type is extracted. |
| security_result.action | event.idm.read_only_udm.security_result.action | Determined from keywords or status in the raw log. Can be ALLOW or BLOCK. |
| security_result.action_details | event.idm.read_only_udm.security_result.action_details | Extracted from the raw log message, providing more context about the action taken. |
| security_result.category | event.idm.read_only_udm.security_result.category | Set to POLICY_VIOLATION if the log indicates a firewall rule match. |
| security_result.description | event.idm.read_only_udm.security_result.description | Extracted from the raw log message, providing more context about the security result. |
| security_result.rule_id | event.idm.read_only_udm.security_result.rule_id | Directly mapped from the raw log's rule_id field. |
| security_result.severity | event.idm.read_only_udm.security_result.severity | Determined from keywords in the raw log, such as "info", "warning", "error". Can be INFORMATIONAL, LOW, MEDIUM, or HIGH. |
| security_result.severity_details | event.idm.read_only_udm.security_result.severity_details | Directly mapped from the raw log's severity or log.syslog.severity.name field. |
| security_result.summary | event.idm.read_only_udm.security_result.summary | Extracted from the raw log message, providing a concise summary of the security result. |
| service | event.idm.read_only_udm.principal.application | Directly mapped from the raw log's service field. |
| source | event.idm.read_only_udm.principal.hostname, event.idm.read_only_udm.principal.asset.hostname | Directly mapped from the raw log's source field. |
| src.file.full_path | event.idm.read_only_udm.src.file.full_path | Extracted from the raw log message. |
| src.hostname | event.idm.read_only_udm.src.hostname | Directly mapped from the raw log's src.hostname field. |
| src_ip | event.idm.read_only_udm.principal.ip | Directly mapped from the raw log's src_ip field. |
| src_mac_address | event.idm.read_only_udm.principal.mac | Directly mapped from the raw log's src_mac_address field. |
| srcport | event.idm.read_only_udm.principal.port | Directly mapped from the raw log's srcport field. |
| srcip | event.idm.read_only_udm.principal.ip | Directly mapped from the raw log's srcip field. |
| subtype | event.idm.read_only_udm.metadata.event_type | Directly mapped from the raw log's subtype field. |
| tags | event.idm.read_only_udm.metadata.tags | Directly mapped from the JSON log's tags field. |
| target.application | event.idm.read_only_udm.target.application | Directly mapped from the raw log's target_application field. |
| target.file.full_path | event.idm.read_only_udm.target.file.full_path | Extracted from the raw log message. |
| target.hostname | event.idm.read_only_udm.target.hostname, event.idm.read_only_udm.target.asset.hostname | Directly mapped from the raw log's target_hostname or iporhost field. |
| target.ip | event.idm.read_only_udm.target.ip | Directly mapped from the raw log's target_ip field. |
| target.mac | event.idm.read_only_udm.target.mac | Directly mapped from the raw log's target_mac_address field. |
| target.port | event.idm.read_only_udm.target.port | Directly mapped from the raw log's target_port field. |
| target.process.command_line | event.idm.read_only_udm.target.process.command_line | Directly mapped from the raw log's cmd field. |
| target.process.parent_process.pid | event.idm.read_only_udm.target.process.parent_process.pid | Directly mapped from the raw log's parent_pid field. |
| target.process.pid | event.idm.read_only_udm.target.process.pid | Directly mapped from the raw log's pid field. |
| target.process.product_specific_process_id | event.idm.read_only_udm.target.process.product_specific_process_id | Extracted from the raw log's message_to_process field, usually prefixed with "opID:". |
| target.resource.name | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's adapter field. |
| target.resource.resource_type | event.idm.read_only_udm.target.resource.resource_type | Set to VIRTUAL_MACHINE if the log indicates a VM operation. |
| target.resource.type | event.idm.read_only_udm.target.resource.type | Set to SETTING if the log indicates a setting modification. |
| target.user.userid | event.idm.read_only_udm.target.user.userid | Directly mapped from the raw log's target_username or user1 field. |
| timestamp | event.timestamp | Parsed and converted to a timestamp object from the log's timestamp or data field using the date filter. |
| type | event.idm.read_only_udm.additional.fields | The log's type field is added to the additional_fields array in the UDM with the key "LogType". |
| user1 | event.idm.read_only_udm.target.user.userid | Directly mapped from the raw log's user1 field. |
| useragent | event.idm.read_only_udm.network.http.user_agent | Directly mapped from the raw log's useragent field. |
| vmw_cluster | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's vmw_cluster field. |
| vmw_datacenter | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's vmw_datacenter field. |
| vmw_host | event.idm.read_only_udm.target.ip | Directly mapped from the raw log's vmw_host field. |
| vmw_object_id | event.idm.read_only_udm.target.resource.id | Directly mapped from the raw log's vmw_object_id field. |
| vmw_product | event.idm.read_only_udm.target.application | Directly mapped from the raw log's vmw_product field. |
| vmw_vcenter | event.idm.read_only_udm.target.cloud.availability_zone | Directly mapped from the raw log's vmw_vcenter field. |
| vmw_vcenter_id | event.idm.read_only_udm.target.cloud.availability_zone.id | Directly mapped from the raw log's vmw_vcenter_id field. |
| vmw_vr_ops_appname | event.idm.read_only_udm.target.application | Directly mapped from the raw log's vmw_vr_ops_appname field. |
| vmw_vr_ops_clustername | event.idm.read_only_udm.target.resource.name | Directly mapped from the raw log's vmw_vr_ops_clustername field. |
| vmw_vr_ops_clusterrole | event.idm.read_only_udm.target.resource.type | Directly mapped from the raw log's vmw_vr_ops_clusterrole field. |
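To see how a few of the rules in the table combine on a real-looking line (the fixed vendor/product values, the severity keyword, the opID/sub extraction into product_specific_process_id, and the GENERIC_EVENT default that a login message overrides), here is an added Python illustration. It is not the Google SecOps parser and makes assumptions the table leaves open: the sample syslog lines are constructed, the warning/error keyword-to-severity pairing and the "logged in" trigger for USER_LOGIN are the author's choices.

```python
import re
from typing import Dict, Optional

# Constructed sample lines in the classic ESXi hostd syslog layout. They are
# illustrative input only, not taken from the page or from a real host.
SAMPLE_LOGS = [
    "2024-05-01T10:15:32Z esxi-01 Hostd: info hostd[2099591] "
    "[Originator@6876 sub=Vimsvc.ha-eventmgr opID=1a2b3c] "
    "Event 12 : User root@10.0.0.5 logged in as pyVmomi",
    "2024-05-01T10:16:00Z esxi-01 Hostd: warning hostd[2099591] "
    "[Originator@6876 sub=Vmsvc.vm(/vmfs/volumes/ds1/web01/web01.vmx)] "
    "State Transition (VM_STATE_ON -> VM_STATE_RECONFIGURING)",
    "2024-05-01T10:17:05Z esxi-01 Hostd: error hostd[2099591] "
    "[Originator@6876 sub=Default opID=9f9f9f] Failed to reconfigure VM",
]

# One regex for the sample layout: timestamp, host, service, level,
# process[pid], a bracketed key=value block (kv_data1 in the table), message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<service>[^:\s]+): (?P<level>\w+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\] \[(?P<kv>[^\]]*)\] (?P<msg>.*)$"
)

# Assumed keyword-to-severity pairing; the table names the keywords and the
# output values but not which maps to which, so this is an illustration.
SEVERITY = {"info": "INFORMATIONAL", "warning": "MEDIUM", "error": "HIGH"}


def product_specific_process_id(kv: str) -> Optional[str]:
    """Mirror the kv_data1 rule: prefer opID, else sub, each with its prefix."""
    for key in ("opID", "sub"):
        m = re.search(rf"\b{key}=(\S+)", kv)
        if m:
            return f"{key}:{m.group(1)}"
    return None


def to_udm(line: str) -> Dict[str, str]:
    """Turn one ESXi syslog line into a flat dict of dotted UDM field names."""
    udm = {
        "metadata.vendor_name": "VMWARE",
        "metadata.product_name": "ESX",
        "metadata.event_type": "GENERIC_EVENT",  # default before overrides
    }
    m = LINE_RE.match(line)
    if not m:
        # Unparsed lines still carry the raw message as the description.
        udm["metadata.description"] = line
        return udm
    udm["metadata.event_timestamp"] = m["ts"]
    udm["principal.hostname"] = m["host"]
    udm["principal.asset.hostname"] = m["host"]
    udm["principal.application"] = m["service"]
    udm["principal.process.pid"] = m["pid"]
    udm["metadata.description"] = m["msg"]
    udm["security_result.severity"] = SEVERITY.get(m["level"].lower(), "LOW")
    udm["security_result.severity_details"] = m["level"]
    pspid = product_specific_process_id(m["kv"])
    if pspid:
        udm["principal.process.product_specific_process_id"] = pspid
    # Assumed event_type override: a "User name@ip logged in" message becomes
    # USER_LOGIN and the name supplies the userid (the table's USER field).
    login = re.search(r"User (?P<user>[^@\s]+)@\S+ logged in", m["msg"])
    if login:
        udm["metadata.event_type"] = "USER_LOGIN"
        udm["principal.user.userid"] = login["user"]
    return udm


def main() -> None:
    for line in SAMPLE_LOGS:
        for key, value in sorted(to_udm(line).items()):
            print(f"{key} = {value}")
        print()


if __name__ == "__main__":
    main()
```

Running the script prints the mapped fields for each sample line; feeding it a line from your own host shows which fields the layout assumptions above do and do not cover.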