VMWare

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection / Hunters detection / IOC search / Search | Table name | Log format | Collection method |
|---|---|---|---|---|
| VMWare ESXI Logs | ✅ | vmware_esxi_log_files | Text | S3 |
| VMWare Airwatch Workspace One Logs | ✅ ✅ | vmware_airwatch_workspace_one_logs | Nested JSON key-value | S3 |
| VMWare NSX Advanced Load Balancer Logs | ✅ ✅ | vmware_nsx_avi_application_logs | NDJSON | S3 |


Overview

VMware is a global leader in cloud infrastructure and digital workspace technology. It provides solutions that enable businesses to run, manage, and secure applications across private and public clouds. VMware's products focus on virtualization technology, allowing organizations to create virtual versions of their hardware resources, such as servers, storage, and networks, to improve resource utilization, scalability, and flexibility. Its solutions are used for server consolidation, disaster recovery, and cloud management, helping enterprises enhance operational efficiency, reduce costs, and ensure business continuity in dynamic IT environments.

Supported data types

VMWare ESXI Logs

Table name: vmware_esxi_log_files

ESXi logs are invaluable resources for system administrators and IT professionals, providing a wealth of information critical for monitoring the health, performance, and security of the ESXi hosts and their resident VMs. These logs detail events related to system operations, VM execution, network activities, and errors or warnings that can signify potential issues.

Learn more here.

VMWare Airwatch Workspace One Logs

Table name: vmware_airwatch_workspace_one_logs

Workspace ONE logs are crucial for IT administrators to monitor and manage the deployment, operation, and security of devices and applications across an organization. These logs provide detailed information on device enrollment, application distribution, user activities, security incidents, and system performance. By analyzing Workspace ONE logs, organizations can identify potential issues with device compliance, application performance, or security breaches, enabling timely remediation to ensure business continuity and data protection.

📘 Note

VMWare Airwatch Workspace One is now part of Omnissa.

VMWare NSX Advanced Load Balancer Logs

Table name: vmware_nsx_avi_application_logs

The logs generated by the NSX Advanced Load Balancer are critical for monitoring the health, performance, and security of applications. These logs offer detailed visibility into traffic patterns, client connections, system events, and security incidents, enabling administrators to fine-tune load balancing configurations, troubleshoot issues, and respond to potential threats effectively. By analyzing the event logs, organizations can gain insights into application behavior, user experiences, and potential bottlenecks or vulnerabilities within their network infrastructure.

Learn more here.

Send data to Hunters

These logs should be sent to an S3 bucket and from there into Hunters. Follow the steps below to make the connection:

  1. Collect the logs from VMWare into an S3 bucket by following this guide for ESXI, or this guide if you are collecting the NSX logs. The logs should be collected in the raw format shown under Expected format below.

  2. Follow this guide to complete the connection process.

Expected format

VMWare ESXI Logs

Logs are expected in plain text format, one syslog-style line per event.

domain.com Rhttpproxy: verbose rhttpproxy[2100001] [Originator@6876 sub=Proxy Req 58200] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x000000123456] _serverNamespace = /vpxa action = Allow _port = 8089
domain.com Rhttpproxy: verbose rhttpproxy[2099468] [Originator@6876 sub=Proxy Req 55600] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x000000123457] _serverNamespace = /abc action = Close _port = 8000
domain.com hostd-probe: info hostd-probe[8555587] [Originator@6876 sub=Default] Syscommand enabled: true
domain.com Hostd: warning hostd[2129272] [Originator@6876 sub=VigorStatsProvider(0000009270199a50)] AddVirtualMachine: VM '113' already registered
domain.com Vpxa: info vpxa[8033216] [Originator@6876 sub=vpxLro opID=op123] [VpxLRO] -- FINISH lro-1234
domain.com Fdm: verbose fdm[8423179] [Originator@6876 sub=SoapAdapter[0].HTTPService] HTTP Response: Auto-completing at 118/118 bytes; <<io_obj p:0x0000001234ff, h:22, <TCP '127.0.0.1 : 9089'>, <TCP '127.0.0.1 : 32827'>>, 52b4621d-1234-4321-abcd-73bbc0f8effd>
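As an added example (not Hunters code), the parser below splits ESXi lines of the shape shown above into fields; the field names it assigns (host, app, level, proc, pid, originator, sub, opid, message) are our own, and the sample lines are constructed, modelled on the page's examples.

```python
import re
from typing import Optional

# Added example, not Hunters code: parse ESXi log lines of the shape shown
# above. Field names (host, app, level, proc, pid, sub, opid) are our own.
ESXI_LINE = re.compile(
    r"^(?P<host>\S+)\s+"
    r"(?P<app>[^:\s]+):\s+"
    r"(?P<level>\w+)\s+"
    r"(?P<proc>\S+?)\[(?P<pid>\d+)\]\s+"
    r"\[Originator@(?P<originator>\d+)\s+(?P<ctx>.*?)\]\s+"  # ctx may contain ']' itself
    r"(?P<message>.*)$"
)
# Context block: "sub=<name>" optionally followed by "opID=<id>"; <name> may contain spaces.
CTX = re.compile(r"sub=(?P<sub>.*?)(?:\s+opID=(?P<opid>\S+))?$")

# Constructed sample lines modelled on the page's ESXi examples, plus one malformed line.
SAMPLE_LINES = [
    "esx01.example.com Rhttpproxy: verbose rhttpproxy[2100001] [Originator@6876 sub=Proxy Req 58200] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x000000123456] _serverNamespace = /vpxa action = Allow _port = 8089",
    "esx01.example.com Hostd: warning hostd[2129272] [Originator@6876 sub=VigorStatsProvider(0000009270199a50)] AddVirtualMachine: VM '113' already registered",
    "esx01.example.com Vpxa: info vpxa[8033216] [Originator@6876 sub=vpxLro opID=op123] [VpxLRO] -- FINISH lro-1234",
    "esx01.example.com Fdm: verbose fdm[8423179] [Originator@6876 sub=SoapAdapter[0].HTTPService] HTTP Response: Auto-completing at 118/118 bytes",
    "not an esxi line at all",
]

def parse_esxi_line(line: str) -> Optional[dict]:
    """Return a dict of fields, or None when the line is not in the expected shape."""
    m = ESXI_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    ctx = CTX.match(rec.pop("ctx"))
    rec["sub"] = ctx.group("sub") if ctx else None
    rec["opid"] = ctx.group("opid") if ctx else None
    return rec

def count_by_level(lines) -> dict:
    """Tally lines per log level; unparseable lines are counted, not silently dropped."""
    counts: dict = {}
    for line in lines:
        rec = parse_esxi_line(line)
        key = rec["level"] if rec else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(count_by_level(SAMPLE_LINES))
```

Tracking the "unparsed" count is the useful part for ingestion: a jump in it usually means the log shape changed upstream rather than that the hosts went quiet.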

VMWare Airwatch Workspace One Logs Sample

Logs are expected in Nested JSON key-value format: each line is a JSON object whose message field carries semicolon-separated "Key: value" pairs.

{"pri":"101","host":"AirWatch","ident":"AirWatch","pid":"-","msgid":"-","extradata":"-","message":"Event Type: Device ; Event: WindowsInformationConfirmed ; User: sysadmin ; Enrollment User:user1@example.com ; Device: host-232 ; Event Source: Device ; Event Module: Devices ; Event Category: Command ; Event Data:  Event Timestamp: 2023-04-26T15:59:59.297000"}
{"pri":"102","host":"AirWatch","ident":"AirWatch","pid":"-","msgid":"-","extradata":"-","message":"Event Type: Device ; Event: SampleResponseListReceived ; User: sysadmin ; Enrollment User:user2@example.com ; Device: host-3214 ; Event Source: Device ; Event Module: Devices ; Event Category: Command ; Event Data: MessageText=WindowsInformationSample, SystemSampleV6, PowerSample, Event Timestamp: 2023-04-26T15:59:59.600000"}
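As an added example (not Hunters code), the following unpacks the nested message field of a Workspace ONE record into its "Key: value" pairs, including the trailing Event Timestamp that is glued onto Event Data without a separator. The sample records are constructed, modelled on the page's examples; the output key "event" is our own choice.

```python
import json
import re

# Added example, not Hunters code. Keys inside the message are the vendor's labels as
# they appear in the sample; the "event" key we attach to the record is our assumption.
# "Event Data" is not always ';'-terminated: the trailing "Event Timestamp: <ts>" is
# appended to it, optionally after a comma, so it has to be peeled off separately.
TIMESTAMP_TAIL = re.compile(r"(?:,\s*)?\bEvent Timestamp:\s*(?P<ts>\S+)\s*$")

# Constructed sample records modelled on the page's Workspace ONE examples.
SAMPLE_RECORDS = [
    '{"pri":"101","host":"AirWatch","ident":"AirWatch","pid":"-","msgid":"-","extradata":"-",'
    '"message":"Event Type: Device ; Event: WindowsInformationConfirmed ; User: sysadmin ; '
    'Enrollment User:user1@example.com ; Device: host-232 ; Event Source: Device ; '
    'Event Module: Devices ; Event Category: Command ; Event Data:  Event Timestamp: 2023-04-26T15:59:59.297000"}',
    '{"pri":"102","host":"AirWatch","ident":"AirWatch","pid":"-","msgid":"-","extradata":"-",'
    '"message":"Event Type: Device ; Event: SampleResponseListReceived ; User: sysadmin ; '
    'Enrollment User:user2@example.com ; Device: host-3214 ; Event Source: Device ; '
    'Event Module: Devices ; Event Category: Command ; Event Data: MessageText=WindowsInformationSample, '
    'SystemSampleV6, PowerSample, Event Timestamp: 2023-04-26T15:59:59.600000"}',
]

def parse_airwatch_message(message: str) -> dict:
    """Split on ' ; ', then each segment on its first ':' so ISO timestamps keep their colons."""
    fields = {}
    for segment in message.split(" ; "):
        key, sep, value = segment.partition(":")
        if not sep:
            continue  # no separator: skip the segment rather than fail the whole record
        fields[key.strip()] = value.strip()
    data = fields.get("Event Data", "")
    m = TIMESTAMP_TAIL.search(data)
    if m and "Event Timestamp" not in fields:
        fields["Event Timestamp"] = m.group("ts")
        fields["Event Data"] = data[: m.start()].strip()
    return fields

def parse_airwatch_record(line: str) -> dict:
    """Decode one NDJSON line and attach the parsed message under the 'event' key."""
    rec = json.loads(line)
    rec["event"] = parse_airwatch_message(rec.get("message", ""))
    return rec

def events_by_enrollment_user(lines) -> dict:
    """Group event names by enrollment user, a common pivot when reviewing device activity."""
    out: dict = {}
    for line in lines:
        ev = parse_airwatch_record(line)["event"]
        out.setdefault(ev.get("Enrollment User", "unknown"), []).append(ev.get("Event"))
    return out
```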

VMWare NSX Advanced Load Balancer Sample

Logs are expected in NDJSON format (one JSON object per line).

{"adf":1,"virtualservice":"virtualservice-abcdefh-1234-4ca2-813f-234567g","report_timestamp":"2017-05-01T15:10:08.798592","service_engine":"10.10.10.100","vcpu_id":1,"log_id":2,"client_ip":"11.11.11.11","client_src_port":123456,"client_dest_port":100,"client_rtt":1,"http_version":"1.1","method":"GET","uri_path":"/note.html","referer":"www.example.com","user_agent":"TestUserAgent","xff":"123.123.1.1 12.12.12.127 12.123.13.12 129.12.12.14 123.12.13.12","host":"10.90.20.64:9000","persistent_session_id":123458765,"response_content_type":"text/html","request_length":99,"cacheable":1,"pool":"pool-2345698h-01db-467a-b673-8765432234","pool_name":"pool1","server_ip":"11.12.13.14","server_name":"12.123.12.12","server_conn_src_ip":"12.12.12.12","server_dest_port":10,"server_src_port":34567,"server_rtt":11,"server_response_length":1345,"server_response_code":404,"server_response_time_first_byte":1,"server_response_time_last_byte":1,"response_length":1397,"response_code":299,"response_time_first_byte":1,"response_time_last_byte":1,"compression":"NO_COMPRESSION","client_insights":"NO_INSIGHTS","request_headers":76543,"response_headers":13,"request_state":"TEST_HTTP_REQUEST_STATE_SEND_TO_CLIENT","significant_log":["TEST_RESPONSE_CODE_4XX"],"headers_sent_to_server":"X-Forwarded-For: 10.90.20.11  Host: 10.90.20.64:9000  Accept-Encoding: identity  Accept: */*  User-Agent: L7ProxyTest  referer: www.avinetworks.com  Authorization: Basic YXZpdXNlcjphdml1c2Vy","headers_received_from_server":"Server: server/1.2.1  Date: Mon, 01 May 2017 15:15:24 GMT  Content-Type: text/html  Content-Length: 1242  Connection: keep-alive","server_connection_reused":1,"vs_ip":"01.00.00.04","body_updated":"NOT_UPDATED","vs_name":"vs1"}