diff --git a/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md b/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
index 8d6b3d5096..8f90c22551 100644
--- a/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
+++ b/docs/xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md
@@ -27,3 +27,45 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n
 ## Forward logs to Sekoia.io
 Please consult the [Syslog Forwarding](../../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io.
+
+Create a new configuration file:
+
+```
+sudo vim ./extended_conf/11-vcenter.conf
+```
+
+with the following template:
+
+```
+$DefaultNetstreamDriverCAFile /etc/rsyslog.d/Sekoia-io-intake.pem
+input(type="imtcp" port="20513" ruleset="remote20513")
+
+template(name="SEKOIAIOTemplate" type="string" string="<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] %msg%\n")
+ruleset(name="remote20513"){
+ if($programname == "vpxd") {
+ action(
+ type="omfwd"
+ protocol="tcp"
+ target="intake.sekoia.io"
+ port="10514"
+ TCP_Framing="octet-counted"
+ StreamDriver="gtls"
+ StreamDriverMode="1"
+ StreamDriverAuthMode="x509/name"
+ StreamDriverPermittedPeers="intake.sekoia.io"
+ Template="SEKOIAIOTemplate"
+ )
+ }
+}
+```
+
+Please change using the YOUR_INTAKE_KEY accordingly, as well as, the input port if needed.
+
+Update the `docker-compose.yml` file of the Sekoia.io forwarder to mount the extended conf:
+
+```
+volumes:
+ - ./intakes.yaml:/intakes.yaml
+...
+ - ./extended_conf:/extended_conf
+```