Collect VMware vCenter logs

Supported in:

This document explains how to ingest VMware vCenter logs to Google Security Operations using the Bindplane agent.

VMware vCenter is a server management platform that generates JSON and syslog messages for virtual machine operations, host management, authentication, and configuration changes.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or Linux host with systemd
  • Network connectivity between the Bindplane agent and the VMware vCenter server
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Privileged access to the VMware vCenter Server Management web UI

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.
  4. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    
  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sc query observiq-otel-collector
    

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    
  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sudo systemctl status observiq-otel-collector
    

    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

    sudo nano /opt/observiq-otel-collector/config.yaml
    
  • Windows:

    notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
    

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

    receivers:
        udplog:
            listen_address: "0.0.0.0:514"
    
    exporters:
        chronicle/vmware_vcenter:
            compression: gzip
            creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
            customer_id: '<customer_id>'
            endpoint: malachiteingestion-pa.googleapis.com
            log_type: VMWARE_VCENTER
            raw_log_field: body
    
    service:
        pipelines:
            logs/vmware_vcenter_to_chronicle:
                receivers:
                    - udplog
                exporters:
                    - chronicle/vmware_vcenter
    

Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • listen_address: IP address and port to listen on:
      • 0.0.0.0 to listen on all interfaces (recommended)
      • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)
  • Exporter configuration:

    • creds_file_path: Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • customer_id: Customer ID copied from the Google SecOps console
    • endpoint: Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for complete list

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O, then Enter, then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart observiq-otel-collector
    
    1. Verify the service is running:

      sudo systemctl status observiq-otel-collector
      
    2. Check logs for errors:

      sudo journalctl -u observiq-otel-collector -f
      
  • To restart the Bindplane agent in Windows, choose one of the following options:

    • Command Prompt or PowerShell as administrator:

      net stop observiq-otel-collector && net start observiq-otel-collector
      
    • Services console:

      1. Press Win+R, type services.msc, and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.
      4. Verify the service is running:

        sc query observiq-otel-collector
        
      5. Check logs for errors:

        type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
        

Configure syslog in VMware vCenter

  1. Sign in to the vCenter Server Management web UI.
  2. Go to Syslog > Forwarding Configuration.
  3. Click Configure to create a new forwarding configuration.
  4. Provide the following configuration details:
    • Server address: Enter the Bindplane agent IP address.
    • Protocol: Select UDP.
    • Port: Enter the Bindplane agent port number (for example, 514).
  5. Click Save.
  6. Click Send Test Message to verify the configuration.

UDM mapping table

Log Field UDM Mapping Logic
Access Mask principal.process.access_mask Converted to decimal from hexadecimal.
Account Domain principal.administrative_domain
Account Name principal.user.userid
ApplicationProtocol additional.fields
Authentication Package security_result.about.resource.name
Client Address principal.ip,, principal.asset.ip Parsed as IP.
Client Port principal.port Converted to integer.
cmd target.process.command_line
date timestamp Parsed as yyyy-MM-dd and merged with time as yyyy-MM-dd HH:mm:ss to when, parsed as date.
date_time timestamp Parsed as date with RFC 3339, TIMESTAMP_ISO8601, SYSLOGTIMESTAMP formats.
desc metadata.description
eventid metadata.product_event_type Merged with task as eventid - task.
host_name principal.hostname,, principal.asset.hostname
http_method network.http.method
ip target.ip,, target.asset.ip
kv_data1 Parsed as key-value pairs.
kv_data2 Parsed as key-value pairs.
kv_msg1.cipher network.tls.cipher
kv_msg1.ctladdr intermediary.labels
kv_msg1.daemon security_result.about.labels
kv_msg1.from network.email.from If mail_from does not contain @ then appended with @local.
kv_msg1.msgid network.email.mail_id
kv_msg1.proto security_result.about.labels
kv_msg1.relay intermediary.hostname,, intermediary.ip Parsed as (HOSTNAME)? [IP] or HOSTNAME, if relay_domain is present then set to intermediary.hostname, if relay_ip is present then merged to intermediary.ip.
kv_msg1.size network.sent_bytes Converted to unsigned integer.
kv_msg1.stat security_result.summary
kv_msg1.verify security_result.description,, security_result.action If kv_msg1.verify is FAIL then security_result.action set to BLOCK.
kv_msg1.version network.tls.version
labels.log_type metadata.product_event_type
labels.net.host.ip principal.ip,, principal.asset.ip
labels.net.host.port principal.port
labels.net.peer.ip target.ip,, target.asset.ip
labels.net.peer.port target.port
labels.net.transport network.ip_protocol If labels.net.transport is TCP then TCP.
level security_result.severity If level is INFO/Informational/DEBUG/info/Information then INFORMATIONAL, if level is ERROR/error then ERROR, if level is WARNING then LOW.
log.file.path target.process.file.full_path
logName security_result.category_details
Logon Account principal.user.userid
Logon Type extensions.auth.mechanism If logon_type is 2/Interactive then INTERACTIVE, if logon_type is 3/8 then NETWORK, if logon_type is 4 then BATCH, if logon_type is 5 then SERVICE, if logon_type is 7 then UNLOCK, if logon_type is 9 then NEW_CREDENTIALS, if logon_type is 10 then REMOTE_INTERACTIVE, if logon_type is 11 then CACHED_INTERACTIVE, else MECHANISM_UNSPECIFIED.
mail_from network.email.from If mail_from does not contain @ then appended with @local.
mail_to network.email.to If mail_to does not contain @ then appended with @local.
message Parsed with grok patterns.
namespace principal.namespace
port target.port Converted to integer.
process_id target.process.pid
providername principal.application
Relative Target Name target.file.full_path
resource.labels.project_id src.cloud.project.id
resource.type src.labels
response_status network.http.response_code Converted to integer.
sec_desc security_result.description
Security ID target.user.windows_sid
security_result_action_detail security_result.action_details
server_name target.hostname,, target.asset.hostname
Share Name target.resource.name
Source Network Address principal.ip,, principal.asset.ip Parsed as IP.
Source Port principal.port Converted to integer.
summary security_result.summary
target_host target.hostname,, target.asset.hostname
target_url target.url
target_userid target.user.userid
time timestamp Parsed as HH:mm:ss and merged with date as yyyy-MM-dd HH:mm:ss to when, parsed as date.
upn_name intermediary.url
URL target.url
User ID target.user.windows_sid
user_id principal.user.userid
UserAgent network.http.user_agent
metadata.event_type Set to STATUS_UPDATE if msg contains API_HEALTH. or JobDispatcher, set to USER_LOGIN if msg contains logged in as and target_userid is not empty, set to SCAN_HOST if msg contains Leave Validate., set to NETWORK_UNCATEGORIZED if msg contains Getting IP Address from host, set to RESOURCE_WRITTEN if msg contains Wrote vpxd health, set to NETWORK_HTTP if has_principal and has_target are true and application_protocol is not empty, set to PROCESS_LAUNCH if process_id and cmd are not empty, set to USER_UNCATEGORIZED if user_id is not empty or eventid is 4776, set to USER_LOGIN if eventid is 4624/4768/4769, set to USER_LOGOUT if eventid is 4634/4647, set to USER_RESOURCE_ACCESS if eventid is 5145, set to STATUS_UPDATE if host_name is not empty, set to GENERIC_EVENT otherwise.
extensions.auth.type Set to MACHINE if eventid is 4624/4768/4769.
metadata.log_type Set to VMWARE_VCENTER.
metadata.vendor_name Set to VMWARE.
metadata.product_name Set to VCENTER.
security_result.action Set to ALLOW if response_status is 200 or action is Allow.
r_name event.idm.read_only_udm.principal.resource.name Mapped from changelog
ppid event.idm.read_only_udm.principal.process.pid Mapped from changelog
p_ip event.idm.read_only_udm.principal.ip Mapped from changelog
p_ip event.idm.read_only_udm.principal.asset.ip Mapped from changelog
p_port event.idm.read_only_udm.principal.port Mapped from changelog
i_ip event.idm.read_only_udm.intermediary.ip Mapped from changelog
i_ip event.idm.read_only_udm.intermediary.asset.ip Mapped from changelog
i_port event.idm.read_only_udm.intermediary.port Mapped from changelog
t_ip event.idm.read_only_udm.target.ip Mapped from changelog
t_ip event.idm.read_only_udm.target.asset.ip Mapped from changelog
o_ip event.idm.read_only_udm.observer.ip Mapped from changelog
o_ip event.idm.read_only_udm.observer.asset.ip Mapped from changelog
o_port event.idm.read_only_udm.observer.port Mapped from changelog
tls_details event.idm.read_only_udm.network.tls.version_protocol Mapped from changelog
duration event.idm.read_only_udm.network.session_duration.seconds Mapped from changelog
r_bytes event.idm.read_only_udm.network.received_bytes Mapped from changelog
s_bytes event.idm.read_only_udm.network.sent_bytes Mapped from changelog
response_flag event.idm.read_only_udm.additional.fields Mapped from changelog
unknown_metric_2 event.idm.read_only_udm.additional.fields Mapped from changelog
unknown_metric_1 event.idm.read_only_udm.additional.fields Mapped from changelog
http_path event.idm.read_only_udm.additional.fields Mapped from changelog
pusername event.idm.read_only_udm.principal.user.user_display_name Mapped from changelog
puserid event.idm.read_only_udm.principal.user.userid Mapped from changelog
log_level event.idm.read_only_udm.security_result.severity Mapped from changelog
response_code event.idm.read_only_udm.network.http.response_code Mapped from changelog
http_details event.idm.read_only_udm.network.http.user_agent Mapped from changelog
http_details event.idm.read_only_udm.network.http.parsed_user_agent Mapped from changelog
t_url event.idm.read_only_udm.target.url Mapped from changelog
hmethod event.idm.read_only_udm.network.http.method Mapped from changelog
p_log_id event.idm.read_only_udm.metadata.product_log_id Mapped from changelog
meta_description event.idm.read_only_udm.metadata.description Mapped from changelog
p_event_type event.idm.read_only_udm.metadata.product_event_type Mapped from changelog
p_hostname event.idm.read_only_udm.principal.hostname Mapped from changelog
p_hostname event.idm.read_only_udm.principal.asset.hostname Mapped from changelog
c_timestamp event.idm.read_only_udm.metadata.collected_timestamp Mapped from changelog
action event.idm.read_only_udm.additional.fields Mapped from changelog
conn_id event.idm.read_only_udm.additional.fields Mapped from changelog
facility event.idm.read_only_udm.additional.fields Mapped from changelog
process event.idm.read_only_udm.additional.fields Mapped from changelog
tenant event.idm.read_only_udm.additional.fields Mapped from changelog
duration_ms event.idm.read_only_udm.additional.fields Mapped from changelog
provider event.idm.read_only_udm.additional.fields Mapped from changelog
provider_type event.idm.read_only_udm.additional.fields Mapped from changelog
cor_id event.idm.read_only_udm.metadata.product_log_id Mapped from changelog
inter_ip event.idm.read_only_udm.intermediary.ip Mapped from changelog
tls_cipher event.idm.read_only_udm.network.tls.cipher Mapped from changelog
event_status event.idm.read_only_udm.security_result.summary Mapped from changelog
file_path event.idm.read_only_udm.target.file.full_path Mapped from changelog
target_userid event.idm.read_only_udm.target.user.userid Mapped from changelog
open_connections event.idm.read_only_udm.additional.fields Mapped from changelog
total_connections event.idm.read_only_udm.additional.fields Mapped from changelog
channel_id event.idm.read_only_udm.additional.fields Mapped from changelog
line_number event.idm.read_only_udm.additional.fields Mapped from changelog
timestamps' read_only_udm.metadata.event_timestamp Mapped from changelog
event_name' event.idm.read_only_udm.metadata.product_event_type Mapped from changelog
srcip event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip Mapped from changelog
usrName event.idm.read_only_udm.target.user.userid Mapped from changelog
user_agent event.idm.read_only_udm.network.http.user_agent Mapped from changelog
LEEF_version_label event.idm.read_only_udm.additional.fields Mapped from changelog
msg event.idm.read_only_udm.metadata.description Mapped from changelog
opID event.idm.read_only_udm.additional.fields Mapped from changelog
sub event.idm.read_only_udm.additional.fields Mapped from changelog
api_invocations additional.fields Mapped from changelog
response_details target.resource.attribute.labels Mapped from changelog
usr_agnt network.http.user_agent Mapped from changelog
ver_proto network.tls.version Mapped from changelog
DeviceUUID metadata.product_log_id Mapped from changelog
InstanceId target.asset_id Mapped from changelog
EventPriority security_result.severity Mapped from changelog
AccessControlRuleAction security_result_action Mapped from changelog
SrcIP principal.ip Mapped from changelog
DstIP target.ip Mapped from changelog
ICMPType", "ICMPCode", "IngressInterface", "EgressInterface", "WebApplication", "DNSQuery", "DNSRecordType", "DNSResponseType", "DNS_TTL", "service.type", "log.syslog.facility.code", "log.syslog.facility.name", "log.syslog.severity.code","log.syslog.severity.name", "log.syslog.priority additional.fields Mapped from changelog
IngressZone principal.location.name Mapped from changelog
EgressZone target.location.name Mapped from changelog
ACPolicy security_result.rule_labels Mapped from changelog
AccessControlRuleName security_result.rule_name Mapped from changelog
NAPPolicy security_result.rule_labels Mapped from changelog
InitiatorPackets network.sent_packets Mapped from changelog
ResponderPackets network.received_packets Mapped from changelog
InitiatorBytes network.sent_bytes Mapped from changelog
ResponderBytes network.received_bytes Mapped from changelog
FirstPacketSecond" and "ConnectionID security_result.about.labels Mapped from changelog
Client target.labels Mapped from changelog
ClientVersion target.platform_version Mapped from changelog
ReferencedHost target.hostname Mapped from changelog
HTTPResponse network.http.response_code Mapped from changelog
ApplicationProtocol network.application_protocol Mapped from changelog
host1.ip principal.ip Mapped from changelog
version metadata.product_version Mapped from changelog
principal_ip1 principal.ip Mapped from changelog
principal_ip2 principal.ip Mapped from changelog
target_ip1 target.ip Mapped from changelog
target_ip2 target.ip Mapped from changelog
principal_port principal.port Mapped from changelog
target_port target.port Mapped from changelog
Client port principal.port Mapped from changelog
Source port principal.port Mapped from changelog
insertId metadata.product_log_id Mapped from changelog
@fields.host principal.hostname Mapped from changelog
@fields.facility principal.resource.type Mapped from changelog
@fields.company_name principal.user.company_name Mapped from changelog
@fields.privatecloud_id principal.cloud.project.id Mapped from changelog
@fields.privatecloud_name principal.cloud.project.name Mapped from changelog
@fields.procid principal.process.pid Mapped from changelog
@fields.region_id principal.location.country_or_region Mapped from changelog
@version principal.platform_version Mapped from changelog
basedn_group_iden target.user.group_identifiers Mapped from changelog
get_error intermediary.labels Mapped from changelog
ssh_proto network.application_protocol Mapped from changelog
file_path target.process.file.full_path Mapped from changelog

Change Log

View the Change Log for this parser

Need more help? Get answers from Community members and Google SecOps professionals.