Guidance on Security Related Event Types to Forward to Splunk
search cancel

Guidance on Security Related Event Types to Forward to Splunk

book

Article ID: 324379

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

When setting up a log forwarding connection from vRealize Log Insight to SplunkES, you need to filter on a particular event type to limit the stream of logs that are sent to Splunk. This article offers guidance on which events are typically filtered for security auditing like logins, reboots, etc.

Environment

VMware vRealize Log Insight 4.8.x
VMware vRealize Log Insight 4.6.x
VMware vRealize Log Insight 4.7.x
VMware vRealize Log Insight 8.x

Resolution

For sending security related events to a SIEM solution you could use text filters in addition to the appname filter.

This list will cover all the security specific logs but must be entered manually:

*password was changed*
*logged out*
*cannot login*
*logged in*
*rejected password for user*
*Permission rule removed*
*DCUI has been enabled*
*Firewall configuration has changed*
*Permission created*


Additional Information

https://blogs.vmware.com/services-education-insights/2018/02/configuring-vrealize-log-insight-event-forwarding-splunk.html