Data Source: VMWare ESXi Syslog

Date: 2025-11-04

ID: f91c5ad1-2a44-4be3-93df-43150fa243e5

Author: Raven Tait, Splunk

Description

Data source object for syslog data from VMWare ESXi

Details

Property	Value
Source	`vmware:esxlog`
Sourcetype	`vmw-syslog`

Name ▲▼	Technique ▲▼	Type ▲▼
ESXi Account Modified	Local Account, Valid Accounts, Account Manipulation	Anomaly
ESXi Audit Tampering	Impair Command History Logging, Indicator Removal	TTP
ESXi Bulk VM Termination	Virtual Machine Discovery, System Shutdown/Reboot, Endpoint Denial of Service	TTP
ESXi Download Errors	Patch System Image, Disable or Modify Tools	Anomaly
ESXi Encryption Settings Modified	Impair Defenses	TTP
ESXi External Root Login Activity	Valid Accounts	Anomaly
ESXi Firewall Disabled	Disable or Modify System Firewall	TTP
ESXi Lockdown Mode Disabled	Impair Defenses	TTP
ESXi Loghost Config Tampering	Impair Defenses	TTP
ESXi Malicious VIB Forced Install	vSphere Installation Bundles	TTP
ESXi Reverse Shell Patterns	Command and Scripting Interpreter	TTP
ESXi Sensitive Files Accessed	/etc/passwd and /etc/shadow, Data from Local System	TTP
ESXi Shared or Stolen Root Account	Valid Accounts	Anomaly
ESXi Shell Access Enabled	Remote Services	TTP
ESXi SSH Brute Force	Brute Force	Anomaly
ESXi SSH Enabled	SSH	TTP
ESXi Syslog Config Change	Impair Command History Logging	TTP
ESXi System Clock Manipulation	Timestomp	TTP
ESXi System Information Discovery	System Information Discovery	TTP
ESXi User Granted Admin Role	Account Manipulation, Valid Accounts	TTP
ESXi VIB Acceptance Level Tampering	Impair Defenses	TTP
ESXi VM Discovery	Virtual Machine Discovery	TTP
ESXi VM Exported via Remote Tool	Data from Local System	TTP

Supported Apps

Add-on for VMware ESXi Logs (version 4.2.2)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">Message</span>
  
</div>

Example Log

1Jul  1 14:30:23 192.168.8.233 2025-07-01T14:29:11.508Z localhost.localdomain shell[1627100]: [root]: esxcli system auditrecords local set
2Jul  1 14:30:21 192.168.8.233 2025-07-01T14:29:09.506Z localhost.localdomain shell[1627100]: [root]: esxcli system auditrecords local delete

Required Output Fields

dest

Source: GitHub | Version: 2

Data Source: VMWare ESXi Syslog

Description

Details

Related Detections

Supported Apps

Event Fields

Example Log

Required Output Fields