ASIM Authentication Parser for VMware ESXi#13989
ASIM Authentication Parser for VMware ESXi#13989SpeedyFireCyclone wants to merge 6 commits intoAzure:masterfrom
Conversation
|
🔒 Security Approval Required This fork PR requires manual approval before automated testing can run. For security, a maintainer must:
Note: If new commits are added later, simply remove and re-add the 🤖 Automated security check • Created: 2026-04-03T12:06:10.060Z |
|
🔒 Security Approval Required This fork PR requires manual approval before automated testing can run. For security, a maintainer must:
Note: If new commits are added later, simply remove and re-add the 🤖 Automated security check • Created: 2026-04-03T13:25:45.667Z |
|
🔒 Security Approval Required This fork PR requires manual approval before automated testing can run. For security, a maintainer must:
Note: If new commits are added later, simply remove and re-add the 🤖 Automated security check • Created: 2026-04-06T08:01:42.341Z |
v-atulyadav
added
SafeToRun
|
Hi @SpeedyFireCyclone, 
|
| EventSubType, | ||
| EventResult, | ||
| EventResultDetails, | ||
| //EventSeverity, |
There was a problem hiding this comment.
Syslog itself has SeverityLevel, you can use
| project-rename EventOriginalSeverity = SeverityLevel
| extend EventSeverity = _ASIM_LookupSyslogSeverityLevel(EventOriginalSeverity),
| let HostdEvents = ( | ||
| Syslog | ||
| | where not(disabled) | ||
| | where ProcessName == "Hostd" |
There was a problem hiding this comment.
For this filter, I do see logs that have this particular string "sub=Vimsvc.ha-eventmgr". Would it be worthwhile to include it based on the logs that you see?
| , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) ))) | ||
| , vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) ))) | ||
| , vimAuthenticationFortinetFortigate (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) ))) | ||
| , vimAuthenticationVMwareESXi (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareESXi' in (DisabledParsers) ))) |
| - _ASim_Authentication_IllumioSaaSCore | ||
| - _ASim_Authentication_Native No newline at end of file | ||
| - _ASim_Authentication_Native | ||
| - _ASim_Authentication_VMwareCarbonESXi No newline at end of file |
There was a problem hiding this comment.
Naming: _ASim_Authentication_VMwareESXi
| EventSubType, | ||
| EventResult, | ||
| EventResultDetails, | ||
| //EventSeverity, |
There was a problem hiding this comment.
Same comment in Asim parser
| | summarize arg_min(TimeGenerated, *) by TargetUsername, SrcIpAddr, EventResult, Computer, bin(TimeGenerated, 1s) | ||
| | project-away TimeGenerated1 | ||
| ); | ||
| union DCUIEvents, HostdEvents |
There was a problem hiding this comment.
Another source for ESXi logs include this table: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/AVSEsxiSyslog
Please union logs from that table as well. I would expect the log format to be the same, but column names differ slightly.
4 participants
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: