Data Source: VMware ESXi Syslog

Description

Data source object for syslog data forwarded from VMware ESXi hosts

Details

Property Value
Source vmware:esxlog
Sourcetype vmw-syslog
Name | Technique | Type
ESXi Syslog Config Change | Prevent Command History Logging | TTP
ESXi Shared or Stolen Root Account | Valid Accounts | Anomaly
ESXi Bulk VM Termination | Endpoint Denial of Service, System Shutdown/Reboot, Virtual Machine Discovery | TTP
ESXi Lockdown Mode Disabled | Disable or Modify Tools | TTP
ESXi Loghost Config Tampering | Disable or Modify Tools | TTP
ESXi Encryption Settings Modified | Disable or Modify Tools | TTP
ESXi Firewall Disabled | Disable or Modify System Firewall | TTP
ESXi SSH Brute Force | Brute Force | Anomaly
ESXi Sensitive Files Accessed | /etc/passwd and /etc/shadow, Data from Local System | TTP
ESXi Shell Access Enabled | Remote Services | TTP
ESXi SSH Enabled | SSH | TTP
ESXi External Root Login Activity | Valid Accounts | Anomaly
ESXi Account Modified | Valid Accounts, Account Manipulation, Local Account | Anomaly
ESXi User Granted Admin Role | Valid Accounts, Account Manipulation | TTP
ESXi Reverse Shell Patterns | Command and Scripting Interpreter | TTP
ESXi System Clock Manipulation | Timestomp | TTP
ESXi VM Discovery | Virtual Machine Discovery | TTP
ESXi VIB Acceptance Level Tampering | Disable or Modify Tools | TTP
ESXi Malicious VIB Forced Install | vSphere Installation Bundles | TTP
ESXi System Information Discovery | System Information Discovery | TTP
ESXi Audit Tampering | Indicator Removal, Prevent Command History Logging | TTP
ESXi VM Exported via Remote Tool | Data from Local System | TTP
ESXi Download Errors | Patch System Image, Disable or Modify Tools | Anomaly

Supported Apps

Event Fields

Fields

  • _time
  • host
  • Message

Example Log

Jul  1 14:30:23 192.168.8.233 2025-07-01T14:29:11.508Z localhost.localdomain shell[1627100]: [root]: esxcli system auditrecords local set
Jul  1 14:30:21 192.168.8.233 2025-07-01T14:29:09.506Z localhost.localdomain shell[1627100]: [root]: esxcli system auditrecords local delete

Each line carries two timestamps: the syslog receiver's header (Jul  1 14:30:23, sender 192.168.8.233) and the UTC timestamp ESXi itself writes into the message (2025-07-01T14:29:11.508Z), followed by the ESXi hostname, the logging process with its PID, the shell user in brackets, and the command that was run. In this sample the two timestamps differ by about 72 seconds, so searches that key on event time should be explicit about which of the two they mean.

Required Output Fields

  • dest
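The following Python parser is an added example, not code from the Splunk Security Content project: it takes lines in the layout of the example log above, pulls out the sender host, the embedded ESXi timestamp, process, PID, user and command, derives the required `dest` output field, measures the skew between the receiver's timestamp and the host's own, and runs a detection in the spirit of "ESXi Audit Tampering" over the sample. Assumptions, labelled in the code: `dest` is taken to be the sending host from the syslog header; the receiver is assumed to log in UTC; the command tail is treated as the page's `Message` field; the `auditrecords local delete|disable` pattern and all field names other than `host` are this example's own; the sample lines are constructed (the third command is made up).

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the page's example log: syslog receiver
# timestamp and sender IP, then the ESXi-side ISO timestamp, hostname,
# process[pid], [user] and the shell command. The IP, hostname and the third
# command are made up for this example.
SAMPLE_LOG = """\
Jul  1 14:30:23 192.168.8.233 2025-07-01T14:29:11.508Z localhost.localdomain shell[1627100]: [root]: esxcli system auditrecords local set
Jul  1 14:30:21 192.168.8.233 2025-07-01T14:29:09.506Z localhost.localdomain shell[1627100]: [root]: esxcli system auditrecords local delete
Jul  1 14:31:02 192.168.8.233 2025-07-01T14:29:50.001Z localhost.localdomain shell[1627100]: [root]: esxcli system version get
"""

# Field layout of one line. Only "host" is a field name the page lists; the
# other group names are this example's own. The command tail ("message") is
# what the detection matches on; treating it as the page's "Message" field
# is an assumption.
LINE_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<esx_ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z) "
    r"(?P<esx_hostname>\S+) "
    r"(?P<process>[A-Za-z0-9_.-]+)\[(?P<pid>\d+)\]: "
    r"(?:\[(?P<user>[^\]]+)\]: )?"
    r"(?P<message>.*)$"
)

# Local audit-record tampering. This pattern is the example's own; the page
# names the detection and technique but does not show its search.
AUDIT_TAMPER_RE = re.compile(
    r"\besxcli\s+system\s+auditrecords\s+local\s+(?:delete|disable)\b"
)


def parse_line(line):
    """Parse one vmw-syslog line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    # ESXi writes its own UTC timestamp into the message body.
    esx_time = datetime.fromisoformat(ev["esx_ts"].replace("Z", "+00:00"))
    # The syslog header carries no year; borrow it from the ESXi timestamp.
    # Assumes the receiver stamps lines in UTC as well.
    syslog_time = datetime.strptime(ev["syslog_ts"], "%b %d %H:%M:%S").replace(
        year=esx_time.year, tzinfo=timezone.utc
    )
    ev["esx_time"] = esx_time
    ev["syslog_time"] = syslog_time
    # Positive skew means the receiver stamped the line later than the host did.
    ev["skew_seconds"] = (syslog_time - esx_time).total_seconds()
    # Required output field "dest": assumed here to be the sending host from
    # the syslog header; the embedded hostname stays available as esx_hostname.
    ev["dest"] = ev["host"]
    return ev


def parse_log(text):
    """Parse every line that fits the documented layout; skip the rest."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def detect_audit_tampering(events):
    """One finding per event whose command deletes or disables local audit records."""
    findings = []
    for ev in events:
        if AUDIT_TAMPER_RE.search(ev["message"]):
            findings.append({
                "_time": ev["esx_time"].isoformat(),
                "dest": ev["dest"],
                "user": ev["user"],
                "process": f"{ev['process']}[{ev['pid']}]",
                "command": ev["message"],
                "skew_seconds": ev["skew_seconds"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_audit_tampering(parse_log(SAMPLE_LOG)):
        print(finding)
```

Running the block prints a single finding for the `auditrecords local delete` line; the `set` line and the made-up `version get` line parse but do not match. The skew value is carried into the finding because a host whose own clock disagrees with the receiver is exactly the case where `_time` chosen from the wrong timestamp would misplace the event in a timeline.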

Source: GitHub | Version: 3