VMware

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

VMware ESXi Logs

✅

vmware_esxi_log_files

Text

S3

VMware Airwatch Workspace One Logs

✅

✅

vmware_airwatch_workspace_one_logs

Nested JSON key-value

S3

VMware NSX Advanced Load Balancer Logs

✅

✅

vmware_nsx_avi_application_logs

NDJSON

S3

VMware vCenter Logs

✅

✅

✅

✅

vmware_vcenter_logs

Text

S3


Overview

VMware is a global leader in cloud infrastructure and digital workspace technology. It provides solutions that enable businesses to run, manage, and secure applications across private and public clouds. VMware's products focus on virtualization technology, allowing organizations to create virtual versions of their hardware resources, such as servers, storage, and networks, to improve resource utilization, scalability, and flexibility. Its solutions are used for server consolidation, disaster recovery, and cloud management, helping enterprises enhance operational efficiency, reduce costs, and ensure business continuity in dynamic IT environments.

Supported data types

VMware ESXi Logs

Table name: vmware_esxi_log_files

ESXi logs are invaluable resources for system administrators and IT professionals, providing a wealth of information critical for monitoring the health, performance, and security of the ESXi hosts and their resident VMs. These logs detail events related to system operations, VM execution, network activities, and errors or warnings that can signify potential issues.

Learn more here.

VMware Airwatch Workspace One Logs

Table name: vmware_airwatch_workspace_one_logs

Workspace ONE logs are crucial for IT administrators to monitor and manage the deployment, operation, and security of devices and applications across an organization. These logs provide detailed information on device enrollment, application distribution, user activities, security incidents, and system performance. By analyzing Workspace ONE logs, organizations can identify potential issues with device compliance, application performance, or security breaches, enabling timely remediation to ensure business continuity and data protection.

📘Note

VMware Airwatch Workspace One is now part of Omnissa.

VMware NSX Advanced Load Balancer Logs

Table name: vmware_nsx_avi_application_logs

The logs generated by the NSX Advanced Load Balancer are critical for monitoring the health, performance, and security of applications. These logs offer detailed visibility into traffic patterns, client connections, system events, and security incidents, enabling administrators to fine-tune load balancing configurations, troubleshoot issues, and respond to potential threats effectively. By analyzing the event logs, organizations can gain insights into application behavior, user experiences, and potential bottlenecks or vulnerabilities within their network infrastructure.

Learn more here.

VMware vCenter Logs

Table name: vmware_vcenter_logs

The logs generated by VMware vCenter Server and associated ESXi hosts are critical for monitoring the health, performance, and security of virtualized infrastructure. These logs provide detailed visibility into management-plane activities such as user and API authentication, virtual machine lifecycle operations, host and cluster events, alarms, and infrastructure health signals. By analyzing vCenter logs, organizations can effectively troubleshoot issues, optimize resource utilization, and gain insights into virtualization operations, potential misconfigurations, and security-relevant events across their data center environment.

Send data to Hunters

These logs should be sent to an S3 bucket and from there into Hunters. Follow the steps below to make the connection:

  1. Collect the logs from VMware into an S3 bucket by following this guide for ESXi, or this guide if you are collecting the NSX logs. The logs should be collected in raw text format, as shown under Expected format below.

  2. Follow this guide to complete the connection process.

Expected format

VMware ESXi Logs Sample

Logs are expected in text format.

domain.com Rhttpproxy: verbose rhttpproxy[1234] [Originator@1234 sub=Proxy Req 58200] Resolved endpoint : [VMhttpSERVICE:0x000000123456] _serverNamespace = /vpxa action = Allow _port = 1234
domain.com Rhttpproxy: verbose rhttpproxy[12345] [Originator@1234 sub=Proxy Req 55600] Resolved endpoint : [VMhttpSERVICE:0x000000123457] _serverNamespace = /abc action = Close _port = 1234
domain.com hostd-probe: info hostd-probe[12345] [Originator@1234 sub=Default] Syscommand enabled: true
domain.com Hostd: warning host[12345] [Originator@1234 sub=VigorStatsProvider(0000009270199a50)] AddVirtualMachine: VM '113' already registered
domain.com Vpxa: info machine[12345] [Originator@1234 sub=vpxLro opID=op123] [VpxLRO] -- FINISH lro-1234
domain.com Fdm: verbose function[12345] [Originator@1234 sub=SoapAdapter[0].HTTPService] HTTP Response: Auto-completing at 118/118 bytes; <<io_obj p:0x0000001234ff, h:22, <TCP '127.0.0.1 : 1234'>, <TCP '127.0.0.1 : 1234'>>, 52b4621d-1234-1234-1234-73bbc0f8effd>

VMware Airwatch Workspace One Logs Sample

Logs are expected in Nested JSON key-value format.

{"pri":"101","host":"AirWatch","ident":"AirWatch","pid":"-","msgid":"-","extradata":"-","message":"Event Type: Device ; Event: WindowsInformationConfirmed ; User: sysadmin ; Enrollment User:user1@example.com ; Device: host-232 ; Event Source: Device ; Event Module: Devices ; Event Category: Command ; Event Data:  Event Timestamp: 2023-04-26T15:59:59.297000"}
{"pri":"102","host":"AirWatch","ident":"AirWatch","pid":"-","msgid":"-","extradata":"-","message":"Event Type: Device ; Event: SampleResponseListReceived ; User: sysadmin ; Enrollment User:user2@example.com ; Device: host-3214 ; Event Source: Device ; Event Module: Devices ; Event Category: Command ; Event Data: MessageText=WindowsInformationSample, SystemSampleV6, PowerSample, Event Timestamp: 2023-04-26T15:59:59.600000"}
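
In the samples above, the `message` value is a second key-value layer, and `Event Timestamp` trails `Event Data` without a ` ; ` separator. The following is an added example, not Hunters or VMware code, that flattens such a record for pre-ingestion checks; the names `parse_record` and `parse_stream` and the sample record are constructed for illustration.

```python
import json
import re

# Constructed sample record, shaped like the Workspace ONE lines shown above.
SAMPLE = (
    '{"pri":"102","host":"AirWatch","ident":"AirWatch","pid":"-","msgid":"-",'
    '"extradata":"-","message":"Event Type: Device ; Event: SampleResponseListReceived'
    ' ; User: sysadmin ; Enrollment User:user2@example.com ; Device: host-3214'
    ' ; Event Source: Device ; Event Module: Devices ; Event Category: Command'
    ' ; Event Data: MessageText=WindowsInformationSample, PowerSample,'
    ' Event Timestamp: 2023-04-26T15:59:59.600000"}'
)

# "Event Timestamp" trails "Event Data" with no " ; " separator in front of it.
TRAILING_TS = re.compile(r"\s*,?\s*Event Timestamp:\s*(\S+)\s*$")


def parse_record(line):
    """Return the outer JSON keys plus a 'fields' dict parsed from 'message'."""
    record = json.loads(line)
    message = record.pop("message", "")
    fields = {}
    ts = TRAILING_TS.search(message)
    if ts:
        fields["Event Timestamp"] = ts.group(1)
        message = message[:ts.start()]
    for part in message.split(" ; "):
        key, colon, value = part.partition(":")
        if colon:  # skip fragments that are not "Key: value"
            fields[key.strip()] = value.strip()
    record["fields"] = fields
    return record


def parse_stream(lines):
    """Parse NDJSON lines; collect unparseable ones instead of dropping them silently."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(parse_record(line))
        except (ValueError, AttributeError, TypeError):
            bad.append(line)
    return good, bad
```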

VMware NSX Advanced Load Balancer Logs Sample

Logs are expected in JSON format.

{"adf":1,"virtualservice":"virtualservice-abcdefh-1234-4ca2-813f-234567g","report_timestamp":"2017-05-01T15:10:08.798592","service_engine":"1.1.1.1","vcpu_id":1,"log_id":2,"client_ip":"11.11.11.11","client_src_port":123456,"client_dest_port":100,"client_rtt":1,"http_version":"1.1","method":"GET","uri_path":"/note.html","referer":"www.example.com","user_agent":"TestUserAgent","xff":"123.123.1.1 12.12.12.127 12.123.13.12 129.12.12.14 123.12.13.12","host":"1.1.1.1:9000","persistent_session_id":123458765,"response_content_type":"text/html","request_length":99,"cacheable":1,"pool":"pool-q234567-01db-467a-b673-123456789","pool_name":"pool1","server_ip":"11.12.13.14","server_name":"12.123.12.12","server_conn_src_ip":"12.12.12.12","server_dest_port":10,"server_src_port":34567,"server_rtt":11,"server_response_length":1345,"server_response_code":404,"server_response_time_first_byte":1,"server_response_time_last_byte":1,"response_length":1397,"response_code":299,"response_time_first_byte":1,"response_time_last_byte":1,"compression":"NO_COMPRESSION","client_insights":"NO_INSIGHTS","request_headers":12345,"response_headers":13,"request_state":"TEST_HTTP_REQUEST_STATE_SEND_TO_CLIENT","significant_log":["TEST_RESPONSE_CODE_4XX"],"headers_sent_to_server":"X-Forwarded-For: 1.1.1.1  Host: 1.1.1.1:9000  Accept-Encoding: identity  Accept: */*  User-Agent: ASDFGHJ  referer: www.a_network.com  Authorization: Basic ABCDEFGHIJK","headers_received_from_server":"Server: server/1.2.1  Date: Mon, 01 May 2017 15:15:24 GMT  Content-Type: text/html  Content-Length: 1242  Connection: keep-alive","server_connection_reused":1,"vs_ip":"01.00.00.04","body_updated":"NOT_UPDATED","vs_name":"vs1"}
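
The sample record above carries an `Authorization` header value inside `headers_sent_to_server`, so these logs can hold credentials. The following is an added example, not Hunters or VMware code, of masking such values in each NDJSON record before it is written to the S3 bucket; the field and header lists, the two-space header separator (read off the sample) and the names `redact_line`, `HEADER_FIELDS` and `SENSITIVE` are assumptions.

```python
import json
import re

# Constructed record carrying the same header field as the sample above.
SAMPLE = json.dumps({
    "client_ip": "198.51.100.7", "method": "GET", "response_code": 404,
    "headers_sent_to_server": "X-Forwarded-For: 198.51.100.7  Host: 192.0.2.1:9000  "
                              "Authorization: Basic ABCDEFGHIJK  Accept: */*",
})

# Assumed lists: fields that hold raw headers, and header names that hold credentials.
HEADER_FIELDS = ("headers_sent_to_server", "headers_received_from_server")
SENSITIVE = ("Proxy-Authorization", "Authorization", "Set-Cookie", "Cookie")

# In the sample, headers are flattened onto one line and separated by two spaces,
# so a value runs until the next "  Name:" or the end of the string.
_PATTERN = re.compile(
    r"(?i)(?<![\w-])(%s):[ \t]*(.*?)(?=\s{2,}[\w-]+:|\s*$)" % "|".join(SENSITIVE)
)


def _mask(match):
    name, value = match.group(1), match.group(2)
    scheme, _, rest = value.partition(" ")
    # Keep the auth scheme (Basic, Bearer, ...) since it is useful for triage.
    if name.lower().endswith("authorization") and rest:
        return f"{name}: {scheme} [REDACTED]"
    return f"{name}: [REDACTED]"


def redact_line(line):
    """Mask credential-bearing header values in one NDJSON record."""
    record = json.loads(line)
    for field in HEADER_FIELDS:
        if isinstance(record.get(field), str):
            record[field] = _PATTERN.sub(_mask, record[field])
    return json.dumps(record, separators=(",", ":"))
```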

VMware vCenter Logs Sample

Logs are expected in Text format.

<14>1 2026-01-21T08:53:44.189Z abc-def-and.exmple.io vcenter-server - - - User root@X.X.X.X logged out (login time: Wednesday, 21 January, 2026 08:53:44 AM, number of API invocations: 1, user agent: VMware-client/8.0.3)
<14>1 2026-01-21T08:53:48.246Z abc-def-and.exmple.io vcenter-server - - - Migrating ubuntu_000 off host abc-def-and.exmple.io in EXAMPLE-Datacenter
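
The vCenter lines above follow a syslog layout with a `<PRI>` prefix, and the logout message carries the user, API invocation count and user agent of the session. The following is an added example, not Hunters or VMware code, that splits such lines and pulls out the logout details; the header layout is read off the sample, treating the text after the last `@` as the client address is an assumption, and the names `parse_line` and `summarize` and the sample lines are constructed.

```python
import re

# Constructed lines, shaped like the vCenter records shown above.
SAMPLE = [
    "<14>1 2026-01-21T08:53:44.189Z vc01.example.test vcenter-server - - - "
    "User root@192.0.2.10 logged out (login time: Wednesday, 21 January, 2026 "
    "08:53:44 AM, number of API invocations: 1, user agent: VMware-client/8.0.3)",
    "<14>1 2026-01-21T08:53:48.246Z vc01.example.test vcenter-server - - - "
    "Migrating ubuntu_000 off host esx01.example.test in EXAMPLE-Datacenter",
    "truncated line without a syslog header",
]

# Header layout read off the sample: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)
# Assumption: the text after the last "@" is the client address of the session.
LOGOUT = re.compile(
    r"^User (?P<user>\S+)@(?P<source>\S+) logged out \(login time: (?P<login_time>.+?), "
    r"number of API invocations: (?P<api_calls>\d+), user agent: (?P<user_agent>.*)\)$"
)


def parse_line(line):
    """Split one line into header fields; add session details for logout events."""
    head = HEADER.match(line.rstrip("\n"))
    if head is None:
        return None
    rec = head.groupdict()
    # PRI encodes facility * 8 + severity.
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    logout = LOGOUT.match(rec["msg"])
    if logout:
        rec["event"] = "logout"
        rec.update(logout.groupdict())
        rec["api_calls"] = int(rec["api_calls"])
    return rec


def summarize(lines):
    """Return (logout records, count of lines that did not match the header)."""
    parsed = [parse_line(l) for l in lines]
    logouts = [r for r in parsed if r and r.get("event") == "logout"]
    return logouts, sum(1 for r in parsed if r is None)
```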