Unable to Collect VMware ESXi logs in Microsoft Sentinel

Moksh Vir 1 Reputation point
2022-09-08T13:13:34.99+00:00

I am trying to ingest the logs from VMware ESXi to Microsoft Sentinel via the syslog server, but somehow, after configuring the syslog settings as per the VMware docs, we are unable to ingest the logs. Below is the article that I referred to and configured accordingly.
https://kb.vmware.com/s/article/2003322


1 answer

  1. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2022-09-08T13:45:20.54+00:00

    Hi MokshVir,
    You'll need to explain at what point your logs are getting dropped.
    Here are some troubleshooting tips:

    On the syslog server, run tcpdump to verify the logs are being received:

    tcpdump -i any port syslog -A -s0 -nn

    Then verify the logs are being forwarded from the syslog daemon to the OMS agent, which should be running on your syslog server:
    tcpdump -i lo port 252245 -A -s0 -nn

    If you don't see traffic then check your syslog configuration: cat /etc/rsyslog.d/95-omsagent.conf - share your configuration with us.
    Also verify the oms agent is running:
    ps -ef|grep oms

    If all is ok then the last step is checking the syslog table for your data in Sentinel!
    ingest-your-vmware-esxi-logs-into-azure-sentinel

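The rsyslog check in the answer above can be scripted. The following is an added example, not code from the question, the answer or Microsoft; it assumes the OMS agent listens on 127.0.0.1 on a port you pass in (the agent's default is 25224) and that the forwarding rule uses rsyslog's "@host:port" UDP syntax as found in /etc/rsyslog.d/95-omsagent.conf.

```shell
#!/bin/sh
# Added example (not from the question or answer): sanity checks for the
# rsyslog rule that should hand ESXi syslog to the local OMS agent.
# Assumptions: the agent's local listener is 127.0.0.1 on a port you pass in
# (the agent's default is 25224), and the rule uses rsyslog's "@host:port"
# UDP forwarding syntax as written in /etc/rsyslog.d/95-omsagent.conf.

# A port must be all digits and within 1-65535; anything else is a typo.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print every active (non-comment) rule in $1 that forwards to 127.0.0.1:$2.
# Exit status: 0 = at least one rule found, 1 = none found, 2 = bad port.
forwards_to_agent() {
    conf="$1"
    port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    grep -E "^[^#].*@127\.0\.0\.1:${port}\$" "$conf"
}

# Demo on a constructed config so the script runs offline; on a real
# collector point it at /etc/rsyslog.d/95-omsagent.conf instead.
demo_conf=$(mktemp)
printf '%s\n' \
    '# OMS Syslog collection for workspace (constructed sample)' \
    'kern.warning @127.0.0.1:25224' \
    'local4.* @127.0.0.1:25224' \
    '#daemon.* @127.0.0.1:25224' > "$demo_conf"
if forwards_to_agent "$demo_conf" 25224; then
    echo "rsyslog forwards to the agent listener"
else
    echo "no active forwarding rule for the agent listener; check the config" >&2
fi
rm -f "$demo_conf"
```

If the function prints nothing for your real config, rsyslog is not handing anything to the agent and the tcpdump on the loopback interface will stay empty regardless of what ESXi sends.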
