From 2e9a27a9fa39d1c96f9f2451fc270eb1a0f464b3 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Tue, 9 Jul 2024 18:36:25 +0200
Subject: [PATCH 1/2] fix(Vcenter): add filter for vpxd events

---
 .../endpoint/vmware/vmware_vcenter.md | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md b/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
index 8d6b3d5096..8f90c22551 100644
--- a/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
+++ b/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
@@ -27,3 +27,45 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n
 ## Forward logs to Sekoia.io
 
 Please consult the [Syslog Forwarding](../../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io.
+
+Create a new configuration file:
+
+```
+sudo vim ./extended_conf/11-vcenter.conf
+```
+
+with the following template:
+
+```
+$DefaultNetstreamDriverCAFile /etc/rsyslog.d/Sekoia-io-intake.pem
+input(type="imtcp" port="20513" ruleset="remote20513")
+
+template(name="SEKOIAIOTemplate" type="string" string="<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] %msg%\n")
+ruleset(name="remote20513"){
+ if($programname == "vpxd") {
+ action(
+ type="omfwd"
+ protocol="tcp"
+ target="intake.sekoia.io"
+ port="10514"
+ TCP_Framing="octet-counted"
+ StreamDriver="gtls"
+ StreamDriverMode="1"
+ StreamDriverAuthMode="x509/name"
+ StreamDriverPermittedPeers="intake.sekoia.io"
+ Template="SEKOIAIOTemplate"
+ )
+ }
+}
+```
+
+Please change using the YOUR_INTAKE_KEY accordingly, as well as, the input port if needed.
+
+Update the `docker-compose.yml` file of the Sekoia.io forwarder to mount the extended conf:
+
+```
+volumes:
+ - ./intakes.yaml:/intakes.yaml
+...
+ - ./extended_conf:/extended_conf
+```
From d7596532d8dc135a6f258726d3f585c6eee78e63 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 10 Jul 2024 09:30:56 +0200
Subject: [PATCH 2/2] fix(VMware): use placeholder to define the port

---
 .../collect/integrations/endpoint/vmware/vmware_vcenter.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md b/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
index 8f90c22551..6a738ca9fb 100644
--- a/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
+++ b/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
@@ -38,10 +38,11 @@ with the following template:
 
 ```
 $DefaultNetstreamDriverCAFile /etc/rsyslog.d/Sekoia-io-intake.pem
-input(type="imtcp" port="20513" ruleset="remote20513")
+
+input(type="imtcp" port="PORT" ruleset="remoteVmwarevCenter")
 
 template(name="SEKOIAIOTemplate" type="string" string="<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] %msg%\n")
-ruleset(name="remote20513"){
+ruleset(name="remoteVmwarevCenter"){
 if($programname == "vpxd") {
 action(
 type="omfwd"
@@ -59,7 +60,7 @@ ruleset(name="remote20513"){
 }
 ```
 
-Please change using the YOUR_INTAKE_KEY accordingly, as well as, the input port if needed.
+Please change using the YOUR_INTAKE_KEY accordingly, as well as, the PORT.
 
 Update the `docker-compose.yml` file of the Sekoia.io forwarder to mount the extended conf:
 