VCenter Parser: Hostname not being extracted #11642

Open
kevintamlsWork opened this issue Jan 8, 2025 · 1 comment
Labels: Parser (Parser specialty review needed)

Comments

@kevintamlsWork

Describe the bug
The vCenter parser does not extract the hostname of the vCenter Syslog.

To Reproduce
Steps to reproduce the behavior:

  1. Execute the KQL search: vCenterV2
  2. See error

Expected behavior
Hostname (in the example below, VDIVCSA-P-01-01) should be extracted with the field name "Hostname".

Screenshots
(screenshot image not included in this extract)

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Google Chrome
  • Version: 131.0.6778.205

Additional context
We have a modified version of the parser, provided in issue #11542. If any modifications are required, please use the latest version of the modified parser from that issue.

Modified Parser Code

    // Login events: first try DOMAIN\user@ip, then fall back to user@ip with no domain prefix
    let vCenter_Login = () {
        vcenter_CL
        | where Message has ("UserLoginSessionEvent")
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP:string " logged in as " UserAgent:string "]" *
        | extend DomainName = iff(isnull(DomainName), "", DomainName)
        | extend Username = iff(isnull(Username), DomainName, Username)
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[User " Username:string "@" SourceIP:string " logged in as " UserAgent:string "]" *
        | extend Username = iff(isnull(Username), DomainName, Username)
    };
    // Logout events: same two-pass approach, plus login time, API invocation count and user agent
    let vCenter_Logout = () {
        vcenter_CL
        | where Message has ("UserLogoutSessionEvent")
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP:string " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:dynamic ", user agent:" UserAgent:string ")]" *
        | extend DomainName = iff(isnull(DomainName), "", DomainName)
        | extend Username = iff(isnull(Username), DomainName, Username)
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[User " Username:string "@" SourceIP:string " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:dynamic ", user agent:" UserAgent:string ")]" *
        | extend Username = iff(isnull(Username), DomainName, Username)
    };
    // Role add/remove events: these two functions take Hostname from the syslog header (the token before "vpxd")
    let vCenter_Role = () {
        vcenter_CL
        | where Message has_any ("RoleAddedEvent", "RoleRemovedEvent")
        | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[New role " RoleName:string " " Operation:string "]" *
    };
    let vCenter_RoleModified = () {
        vcenter_CL
        | where Message has ("RoleUpdatedEvent")
        | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "Previous name: " OldRoleName:string ", new name " NewRoleName:string " Added privileges: " AddedPriviledges:string " Removed privileges: " RemovedPriviledges:string "]" *
    };
    union vCenter_Login, vCenter_Logout, vCenter_Role, vCenter_RoleModified
    | extend ClientIP = SourceIP

Syslog Message Example

Jan 8 11:56:13 VDIVCSA-P-01-01 vpxd[7058] Event [50736315] [1-1] [2025-01-08T11:56:13.977736Z] [vim.event.UserLogoutSessionEvent] [info] [VDIP.LOCAL\Administrator] [] [50736315] [User VDIP.LOCAL\[email protected] logged out (login time: Wednesday, 08 January, 2025 11:56:13 AM, number of API invocations: 1, user agent: Apache-CXF/3.4.10)]
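As an added reference, not code from the issue or from the Sentinel parser, the following Python parses the syslog line format quoted above and pulls out the Hostname that the KQL login/logout functions skip with their leading `*`. The two sample lines are constructed to match that format, and 192.0.2.10 is a documentation-range placeholder.

```python
import re
from typing import Optional

# Constructed samples in the format quoted in the issue; 192.0.2.10 is a
# documentation-range placeholder, not an address from the report.
SAMPLE_LOGOUT = (
    "Jan 8 11:56:13 VDIVCSA-P-01-01 vpxd[7058] Event [50736315] [1-1] "
    "[2025-01-08T11:56:13.977736Z] [vim.event.UserLogoutSessionEvent] [info] "
    "[VDIP.LOCAL\\Administrator] [] [50736315] [User VDIP.LOCAL\\Administrator@192.0.2.10 "
    "logged out (login time: Wednesday, 08 January, 2025 11:56:13 AM, "
    "number of API invocations: 1, user agent: Apache-CXF/3.4.10)]"
)
SAMPLE_LOGIN = (
    "Jan 8 11:50:02 VDIVCSA-P-01-01 vpxd[7058] Event [50736001] [1-1] "
    "[2025-01-08T11:50:02.000000Z] [vim.event.UserLoginSessionEvent] [info] "
    "[Administrator] [] [50736001] [User Administrator@192.0.2.10 logged in as Apache-CXF/3.4.10]"
)

# Syslog header: Hostname is the token between the timestamp and "vpxd[pid]",
# which is exactly the part the KQL Login/Logout functions skip over with "*".
HEADER = re.compile(
    r"^(?P<SyslogTime>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<Hostname>\S+) vpxd\[(?P<Pid>\d+)\] "
    r"Event \[(?P<EventId>\d+)\] \[1-1\] \[(?P<EventTime>[^\]]+)\] "
    r"\[(?P<EventType>[^\]]+)\] \[(?P<EventSeverity>[^\]]+)\]"
)
# Session part; the DOMAIN\ prefix is optional, mirroring the KQL fallback pass.
SESSION = re.compile(
    r"\[User (?:(?P<DomainName>[^\\\]]+)\\)?(?P<Username>[^@\]]+)@(?P<SourceIP>\S+) "
    r"(?:logged in as (?P<LoginAgent>[^\]]+)\]"
    r"|logged out \(login time: (?P<LoginTime>.+?), number of API invocations: "
    r"(?P<APIInvocationCount>\d+), user agent: (?P<LogoutAgent>[^)]+)\)\])"
)


def parse_vcenter_session_event(line: str) -> Optional[dict]:
    """Return the fields the report expects, Hostname included, or None for other events."""
    head, sess = HEADER.match(line), SESSION.search(line)
    if not head or not sess:
        return None
    fields = head.groupdict()
    fields["DomainName"] = sess.group("DomainName") or ""
    fields["Username"] = sess.group("Username")
    fields["SourceIP"] = sess.group("SourceIP")
    fields["UserAgent"] = sess.group("LoginAgent") or sess.group("LogoutAgent")
    if sess.group("LoginTime") is not None:  # logout events carry two extra fields
        fields["LoginTime"] = sess.group("LoginTime")
        fields["APIInvocationCount"] = int(sess.group("APIInvocationCount"))
    return fields
```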
v-sudkharat added the "Parser" label (Parser specialty review needed) on Jan 9, 2025

@v-sudkharat (Contributor)

Hi @kevintamlsWork, thanks for flagging this issue; we will investigate this issue and get back to you with some updates. Thanks!
