Guidance on Security Related Event Types to Forward to Splunk
Article ID: 324379
Updated On:
Products
VMware Aria Suite
Issue/Introduction
When setting up a log forwarding connection from vRealize Log Insight to SplunkES, you need to filter on a particular event type to limit the stream of logs that are sent to Splunk. This article offers guidance on which events are typically filtered for security auditing like logins, reboots, etc.
Environment
VMware vRealize Log Insight 4.8.x
VMware vRealize Log Insight 4.6.x
VMware vRealize Log Insight 4.7.x
VMware vRealize Log Insight 8.x
VMware vRealize Log Insight 4.6.x
VMware vRealize Log Insight 4.7.x
VMware vRealize Log Insight 8.x
Resolution
For sending security related events to a SIEM solution you could use text filters in addition to the appname filter.
This list will cover all the security specific logs but must be entered manually:
*password was changed*
*logged out*
*cannot login*
*logged in*
*rejected password for user*
*Permission rule removed*
*DCUI has been enabled*
*Firewall configuration has changed*
*Permission created*
Feedback
Yes
No
Powered by
