Configuration of rSyslog on VMware vCenter Appliance VCSA and PSC for Logging Authentication and Authorisation Activities

Introduction

As part of a client’s environment, the end customer required additional logging to be forwarded beyond the logs that vCenter Server and the Platform Services Controller (PSC) forward by default.

In order to forward these additional logs, rSyslog must be configured to monitor the specific log files that contain them.

This post is intended to provide steps to implement these changes.

Additional logging available from non-default vCenter logs

Single Sign-On Activities

  • Successful SSO Login
  • Successful SSO Logout
  • Successful SSO Active Directory Login
  • Successful SSO Active Directory Logout
  • Failed SSO Login
  • Failed SSO Login (User not found)
  • Failed SSO Active Directory Login
  • Failed SSO Active Directory Login (User not found)
  • SSO User Creation
  • SSO User Password Change
  • SSO User Deletion
  • SSO Group Creation
  • SSO Group Assignment
  • SSO Group Deletion
  • SSO Password policy update

vCenter Server Activities

  • Successful vCenter Server Login
  • Successful vCenter Server Logout
  • vSphere Permission Created
  • vSphere Permission Updated
  • vSphere Permission Deleted
  • vSphere Role Creation
  • vSphere Role Update
  • vSphere Role Deletion

In order to capture the above activities, you will need to forward the following log files:

  • /var/log/vmware/sso/vmware-sts-idmd.log
  • /var/log/vmware/sso/ssoAdminServer.log
  • /var/log/vmware/vpxd-svcs/vpxd-svcs.log
  • /var/log/vmware/vpx/vpxd.log

NOTE: I am not including the vpxd.log in my implementation below as it is an extremely verbose log and we did not require it for the security events we wished to capture. Additionally, I don’t want someone blindly copying the config below without understanding it and accidentally upsetting their environment.

Implementation Steps

VMware Appliance Management Interface (VAMI)

Step 1 – Connect to the VAMI interface of every vCenter and PSC over HTTPS on port 5480:

https://<appliancename>:5480

Step 2 – Configure Syslog with the following settings.

  • Common Log Level
    • Info
  • Remote Syslog Host
    • <vRLI-LoadBalancer-VIP>
  • Remote Syslog Port
    • 6514
  • Remote Syslog Protocol
    • TLS

vCenter Server Appliance

Step 1 – SSH to the VCSA and open /etc/rsyslog.conf for editing:

vi /etc/rsyslog.conf

Step 2 – Press [Insert] to put vi into insert mode and add the following entry near the top of the file, at the bottom of the ###### Module declarations ###### section:

$ModLoad imfile

Step 3 – Add the following right below the “###### Rule declarations ######” section of the rsyslog configuration file:

$InputFileName /var/log/vmware/vpxd-svcs/vpxd-svcs.log
$InputFileTag vpxd-svcs
$InputFileStateFile vpxd-svcs
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePollInterval 20

$InputFileName specifies the log file that we want to forward.

$InputFileTag is the appname that will show up when the messages arrive at your remote syslog server.

$InputFileStateFile names the state file in which rsyslog records how far it has read the monitored log; it must be unique for each monitored file.

$InputFilePollInterval is set to 20 seconds; the default is 10 seconds if you omit it.

Step 4 – Save your changes by pressing [Esc], typing the following and pressing Enter:

:wq

Step 5 – Restart the rsyslog service on the VCSA for the changes to take effect by running the following command:

systemctl restart rsyslog

Platform Services Controller Appliance

Step 1 – SSH to the PSC and open /etc/rsyslog.conf for editing:

vi /etc/rsyslog.conf

Step 2 – Press [Insert] to put vi into insert mode and add the following entry near the top of the file, at the bottom of the ###### Module declarations ###### section:

$ModLoad imfile

Step 3 – Add the following right below the “###### Rule declarations ######” section of the rsyslog configuration file:

$InputFileName /var/log/vmware/vpxd-svcs/vpxd-svcs.log
$InputFileTag vpxd-svcs
$InputFileStateFile vpxd-svcs
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePollInterval 20

  • $InputFileName specifies the log file that we want to forward.
  • $InputFileTag is the appname that will show up when the messages arrive at your remote syslog server.
  • $InputFileStateFile names the state file in which rsyslog records how far it has read the monitored log; it must be unique for each monitored file.
  • $InputFilePollInterval is set to 20 seconds; the default is 10 seconds if you omit it.

Step 4 – Save your changes by pressing [Esc], typing the following and pressing Enter:

:wq

Step 5 – Restart the rsyslog service on the PSC for the changes to take effect by running the following command:

systemctl restart rsyslog
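Before restarting rsyslog on either the VCSA or the PSC, it is worth checking the imfile stanzas for the mistakes that silently stop forwarding: a missing $ModLoad imfile, a stanza with no $InputRunFileMonitor, or two monitors sharing a state file. The checker below is an added example and not code from the original post; the sample configuration is constructed for it (the post's vpxd-svcs stanza plus the two SSO logs listed earlier, with two deliberate mistakes) and the function names are my own.

```python
# Constructed sample: the post's vpxd-svcs stanza plus the two SSO logs it lists,
# with two deliberate mistakes (a reused state file and a stanza never activated).
SAMPLE_CONF = """\
$ModLoad imfile
$InputFileName /var/log/vmware/vpxd-svcs/vpxd-svcs.log
$InputFileTag vpxd-svcs
$InputFileStateFile vpxd-svcs
$InputRunFileMonitor
$InputFileName /var/log/vmware/sso/vmware-sts-idmd.log
$InputFileTag vmware-sts-idmd
$InputFileStateFile vpxd-svcs
$InputRunFileMonitor
$InputFileName /var/log/vmware/sso/ssoAdminServer.log
$InputFileTag ssoAdminServer
$InputFileStateFile ssoAdminServer
$InputFilePollInterval 20
"""

def parse_imfile(conf):
    """Group $InputFile* directives into monitors; each $InputRunFileMonitor closes one."""
    loaded, monitors, current = False, [], {}
    for line in conf.splitlines():
        key, _, val = line.strip().partition(" ")  # blank and comment lines match nothing
        if key == "$ModLoad" and val.strip() == "imfile":
            loaded = True
        elif key == "$InputRunFileMonitor":
            monitors.append(dict(current, active=True))
            current = {}
        elif key.startswith("$InputFile") and key != "$InputFilePollInterval":
            current[key] = val.strip()  # poll interval is global, not per-monitor
    if current:  # directives after the last $InputRunFileMonitor: stanza never started
        monitors.append(dict(current, active=False))
    return loaded, monitors

def lint_imfile(conf):
    """Return human-readable problems; an empty list means the stanzas look sane."""
    loaded, monitors = parse_imfile(conf)
    problems = [] if loaded else ["$ModLoad imfile missing: no file will be read"]
    state_owner = {}  # state file -> first monitor that claimed it
    for m in monitors:
        name = m.get("$InputFileName", "<no $InputFileName>")
        problems += [f"{name}: missing {k}" for k in
                     ("$InputFileName", "$InputFileTag", "$InputFileStateFile") if k not in m]
        if not m["active"]:
            problems.append(f"{name}: no $InputRunFileMonitor, monitor never starts")
        state = m.get("$InputFileStateFile")
        if state and state_owner.setdefault(state, name) != name:
            problems.append(f"{name}: state file {state!r} already used by {state_owner[state]}")
    return problems
```

Run it against the real file with `lint_imfile(open("/etc/rsyslog.conf").read())`; an empty result means the legacy-syntax stanzas are internally consistent, after which `systemctl restart rsyslog` can be run.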