The Security Analytics system can capture and index VLAN-tagged traffic.

When running Security Analytics (SA) as a virtual appliance under ESX, the virtual networking components of ESX, by default, will discard VLAN-tagged traffic before it reaches the SA VM. Therefore that traffic will not be found in the SA.
 

Within the configuration of an ESX vSwitch, the default behavior of a Virtual Machine Port Group is to discard incoming VLAN-tagged traffic before it gets to the VM.  For more detail on Virtual Machine Port Groups, please see VMware's ESXi or vSphere documentation.

 

For each vSwitch being used to send Capture traffic to the SA VMs, click "Properties...":



Select the Virtual Machine Port Group for the SA VM's capture interface(s), and select "Edit...":



Modify the port group's VLAN ID field to pass either the single desired VLAN ID (a number between 1 and 4094) that the SA VM needs to capture, or, set it to "All (4095)" to pass all VLAN-tagged traffic to the SA VM. Click OK to save changes.



The SA VM should now see the desired VLAN-tagged traffic on its Capture interface(s).