Configuring syslog on VMware ESX and ESXi servers
To collect syslog events from VMware, you must configure the ESX or ESXi host to forward its syslog events to IBM QRadar. On ESX and ESXi 3.5.x and 4.x this is done with the Syslog.Remote parameters; on ESXi 5.x and later with Syslog.global.logHost.
Procedure
- Log in to your VMware vSphere Client.
- Select the host that manages your VMware inventory.
- Click the Configuration tab.
- From the Software pane, click Advanced Settings.
- In the navigation menu, click Syslog.
- Configure values for the following parameters:
Table 1. VMware syslog protocol parameters

Syslog.Local.DatastorePath (ESX or ESXi 3.5.x or 4.x)
    The directory path for local syslog messages on the ESX or ESXi server.
    The default directory path is [] /scratch/log/messages.

Syslog.Remote.Hostname (ESX or ESXi 3.5.x or 4.x)
    The IP address or host name of QRadar.

Syslog.Remote.Port (ESX or ESXi 3.5.x or 4.x)
    The port number that the ESX or ESXi server uses to forward syslog data.
    The default is port 514.

Syslog.global.logHost (ESXi v5.x, ESXi v6.x or ESXi v7.x)
    The remote syslog target in the form protocol://host:port, where protocol is udp or tcp and host is the IP address or host name of QRadar. Examples:
    udp://<QRadar IP address>:514
    tcp://<QRadar IP address>:514
    To forward to more than one target, separate the entries with commas.
- Click OK to save the configuration.
By default, the host firewall on VMware ESXi v5.x, ESXi v6.x and ESXi v7.x blocks outgoing syslog connections. While outbound syslog is blocked, the host's syslog forwarder cannot send security and access events to QRadar, so enable the outbound syslog rule set in the host firewall (the syslog ruleset under Security Profile in the vSphere Client, or with esxcli) after saving the configuration, and then verify that events arrive in QRadar.
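The same procedure from the ESXi Shell, as an added example that is not part of the IBM page or VMware's own tooling. It uses the stock esxcli commands for ESXi 5.x and later: set Syslog.global.logHost, enable the outbound syslog firewall ruleset, reload the syslog daemon, then show the resulting configuration and send a marker message you can look for in QRadar. The QRADAR_HOST address 203.0.113.10 is an assumed placeholder; the script also accepts ssl:// targets, which ESXi supports but the page above does not cover. Set DRY_RUN=1 to print the commands without running them, which is the only mode that works off the host.

```shell
#!/bin/sh
# Added example (not from the IBM page or VMware): configure ESXi 5.x+ syslog
# forwarding to QRadar with esxcli, the command-line equivalent of the
# vSphere Client steps above. QRADAR_HOST is an assumed placeholder address.
QRADAR_HOST="${QRADAR_HOST:-203.0.113.10}"
DEFAULT_LOGHOST="udp://${QRADAR_HOST}:514"

# validate_loghost SPEC
# Returns 0 when SPEC is proto://host:port with proto udp, tcp or ssl and a
# port in 1..65535, the form Syslog.global.logHost expects; returns 1 otherwise.
validate_loghost() {
  spec=$1
  case "$spec" in
    udp://*|tcp://*|ssl://*) ;;
    *) return 1 ;;
  esac
  rest=${spec#*://}
  [ "$rest" != "${rest%:*}" ] || return 1      # no ':' means no port given
  host=${rest%:*}
  port=${rest##*:}
  [ -n "$host" ] || return 1                   # empty host, e.g. udp://:514
  case "$port" in
    ''|*[!0-9]*) return 1 ;;                   # port must be all digits
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  return 0
}

# syslog_commands SPEC
# Prints the esxcli commands that apply SPEC, open the host firewall for
# outbound syslog, reload the daemon, verify, and send a test marker line.
syslog_commands() {
  cat <<EOF
esxcli system syslog config set --loghost=$1
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli system syslog reload
esxcli system syslog config get
esxcli network firewall ruleset list --ruleset-id=syslog
esxcli system syslog mark --message=QRadar-forwarding-test
EOF
}

# configure_forwarding [SPEC]
# Validates SPEC (default: DEFAULT_LOGHOST) and runs the commands above,
# echoing each one first. With DRY_RUN set, only prints them.
configure_forwarding() {
  spec=${1:-$DEFAULT_LOGHOST}
  if ! validate_loghost "$spec"; then
    echo "invalid log host '$spec': expected udp|tcp|ssl://host:port" >&2
    return 1
  fi
  syslog_commands "$spec" | while IFS= read -r cmd; do
    echo "+ $cmd"
    [ -n "$DRY_RUN" ] || $cmd
  done
}

# Usage on the ESXi host:
#   sh configure_syslog.sh tcp://qradar.example.com:514
#   DRY_RUN=1 sh configure_syslog.sh udp://203.0.113.10:514   # print only
if [ "$#" -gt 0 ]; then
  configure_forwarding "$1"
fi
```

After the marker command, search QRadar for the string QRadar-forwarding-test from the host's IP address; if it does not arrive, the output of the ruleset list line tells you whether the firewall was the problem.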