Configuration of syslog for VMware vShield Manager 5.0.1 has been brought up a lot lately, so here’s a quick reference:
On the vShield Manager home page in the vSphere Client, go to "Settings and Reports" and then the "Configuration" tab to enter the syslog server. Audit logs and system events from vShield Manager are sent over UDP to port 514 unless a different port is specified. Plain UDP syslog is unacknowledged and unauthenticated, so after saving the setting confirm that the collector actually receives events, and that nothing between vShield Manager and the collector drops 514/udp.
A system event in vShield has the following format:
syslog header (timestamp + hostname + event)
Name/value pairs are separated by the delimiter '::' (double colons)
Event ID :: 32-bit unsigned integer
Timestamp :: 32-bit unsigned integer
Application Name :: string
Application Submodule :: string
Application Profile :: string
Event Code :: integer (possible values: 10007, 10016, 10043, 20019)
Severity :: string (possible values: INFORMATION, LOW, MEDIUM, HIGH, CRITICAL)
Message :: string
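As an added example (not code from the original post or from VMware), here is a small collector-side parser for events in the format above. It assumes a BSD-style syslog header ("Feb  7 13:45:12 vsm01 ...") followed by the documented fields in the documented order, each written as "Name :: value" and joined with " :: "; that layout, the sample lines, and the host/application names in them are all constructed for the example rather than captured from a real vShield Manager. Because the field names are fixed, the parser cuts values between the known names instead of splitting the whole body on "::", which keeps a Message that itself contains "::" intact. It validates the 32-bit integer fields and the Severity values the page lists, and treats the four Event Code values the page lists as "known" (any other code is flagged for a human to look at, since the page does not say the list is exhaustive).

```python
import re
from datetime import datetime, timezone

# Field names in the order the vShield Manager system-event format lists them.
FIELDS = [
    "Event ID", "Timestamp", "Application Name", "Application Submodule",
    "Application Profile", "Event Code", "Severity", "Message",
]
SEP = " :: "
SEVERITIES = {"INFORMATION", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
KNOWN_EVENT_CODES = {10007, 10016, 10043, 20019}  # the values the page lists

# Assumed syslog header: BSD timestamp, hostname, then the event body.
HEADER_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.+)$"
)


def _u32(name, text):
    """Parse a field documented as a 32-bit unsigned integer, rejecting out-of-range values."""
    try:
        value = int(text)
    except ValueError:
        raise ValueError(f"{name}: not an integer: {text!r}") from None
    if not 0 <= value < 2**32:
        raise ValueError(f"{name}: outside 32-bit unsigned range: {value}")
    return value


def parse_event(line):
    """Parse one syslog line into a dict; raises ValueError on anything malformed."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not start with a syslog timestamp and hostname")
    body = m.group("body")

    # Locate each documented field name in order. Splitting the body on '::'
    # would break if the Message value contains '::', so the fixed names act
    # as the delimiters and the Message runs to the end of the line.
    offsets = []
    pos = 0
    for name in FIELDS:
        idx = body.find(name + SEP, pos)
        if idx < 0:
            raise ValueError(f"field {name!r} missing from event")
        offsets.append(idx)
        pos = idx + len(name)

    raw = {}
    for i, name in enumerate(FIELDS):
        start = offsets[i] + len(name) + len(SEP)
        end = offsets[i + 1] - len(SEP) if i + 1 < len(FIELDS) else len(body)
        raw[name] = body[start:end]

    severity = raw["Severity"].strip()
    if severity not in SEVERITIES:
        raise ValueError(f"unexpected Severity {severity!r}")
    code = _u32("Event Code", raw["Event Code"])

    return {
        "host": m.group("host"),
        "syslog_time": m.group("stamp"),
        "event_id": _u32("Event ID", raw["Event ID"]),
        "time": datetime.fromtimestamp(_u32("Timestamp", raw["Timestamp"]), tz=timezone.utc),
        "application": raw["Application Name"],
        "submodule": raw["Application Submodule"],
        "profile": raw["Application Profile"],
        "event_code": code,
        "known_code": code in KNOWN_EVENT_CODES,
        "severity": severity,
        "message": raw["Message"],
    }


def needs_attention(event):
    """Triage rule: escalate HIGH/CRITICAL events and any event code the page does not list."""
    return event["severity"] in {"HIGH", "CRITICAL"} or not event["known_code"]


def parse_events(lines):
    """Parse a batch of lines; malformed lines are reported, not silently dropped."""
    events, errors = [], []
    for n, line in enumerate(lines, 1):
        try:
            events.append(parse_event(line))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return events, errors


# Constructed sample lines in the assumed layout (not captured from a real system).
SAMPLE_LINES = [
    "Feb  7 13:45:12 vsm01 Event ID :: 1001 :: Timestamp :: 1328622312 :: "
    "Application Name :: vShield Manager :: Application Submodule :: Syslog :: "
    "Application Profile :: Default :: Event Code :: 10007 :: Severity :: INFORMATION :: "
    "Message :: Syslog server configuration updated",
    "Feb  7 13:46:00 vsm01 Event ID :: 1002 :: Timestamp :: 1328622360 :: "
    "Application Name :: vShield Edge :: Application Submodule :: Firewall :: "
    "Application Profile :: edge-1 :: Event Code :: 20019 :: Severity :: CRITICAL :: "
    "Message :: Rule sync failed :: retrying",
    "Feb  7 13:47:30 vsm01 Event ID :: 1003 :: Timestamp :: 1328622450 :: "
    "Application Name :: vShield Manager :: Application Submodule :: Auth :: "
    "Application Profile :: Default :: Event Code :: 10016 :: Severity :: URGENT :: "
    "Message :: Severity value not in the documented set",
]

if __name__ == "__main__":
    events, errors = parse_events(SAMPLE_LINES)
    for ev in events:
        flag = "ALERT" if needs_attention(ev) else "info"
        print(f"{flag:5} {ev['time']:%Y-%m-%dT%H:%M:%SZ} {ev['host']} "
              f"{ev['severity']:<11} code={ev['event_code']} {ev['message']}")
    for n, err in errors:
        print(f"line {n}: {err}")
```

The third sample line is deliberately malformed (a Severity outside the documented set) to show that the parser reports it instead of passing an unclassified event downstream; in a real deployment those parse errors are worth alerting on too, since they usually mean the format changed or something other than vShield Manager is writing to the collector.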