VCenter Parser: Hostname not being extracted

[kevintamlsWork]

Describe the bug
The vCenter parser does not extract the hostname of the vCenter Syslog.

To Reproduce
Steps to reproduce the behavior:

1. Execute KQL search
   vCenterV2
2. See error

Expected behavior
Hostname (in the example below, VDIVCSA-P-01-01) should be extracted with a field name "Hostname"

Screenshots

Desktop (please complete the following information):

• OS: Windows 11
• Browser: Google Chrome
• Version: 131.0.6778.205

Additional context
We have had a modified version of the parser provided from issue#11542. If any modifications are required, please use the latest version of the modified parser from that issue.

Modified Parser Code

 let vCenter_Login =() {
        vcenter_CL
        | where Message has ("UserLoginSessionEvent")
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged in as " UserAgent:string "]" *
        | extend DomainName = iff(isnull(DomainName), "", DomainName)
        | extend Username = iff(isnull(Username), DomainName, Username)
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " Username:string "@" SourceIP " logged in as " UserAgent:string "]" *
        | extend Username = iff(isnull(Username), DomainName, Username)
    };
    let vCenter_Logout =() {
        vcenter_CL
        | where Message has ("UserLogoutSessionEvent")
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:dynamic ", user agent:" UserAgent:string ")]" *
        | extend DomainName = iff(isnull(DomainName), "", DomainName)
        | extend Username = iff(isnull(Username), DomainName, Username)
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:dynamic ", user agent:" UserAgent:string ")]" *
        | extend Username = iff(isnull(Username), DomainName, Username)
    };
    let vCenter_Role=() {
        vcenter_CL
        | where Message has_any("RoleAddedEvent","RoleRemovedEvent")
        | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[New role " RoleName:string " " Operation:string  "]" *
    };
    let vCenter_RoleModified=() {
        vcenter_CL
        | where Message has ("RoleUpdatedEvent")
        | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "Previous name: " OldRoleName:string ", new name "NewRoleName:string " Added privileges: " AddedPriviledges:string " Removed privileges: " RemovedPriviledges:string "]" *
    };
    union vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified
    | extend ClientIP = SourceIP

Syslog Message Example

Jan 8 11:56:13 VDIVCSA-P-01-01 vpxd[7058] Event [50736315] [1-1] [2025-01-08T11:56:13.977736Z] [vim.event.UserLogoutSessionEvent] [info] [VDIP.LOCAL\Administrator] [] [50736315] [User VDIP.LOCAL\[email protected] logged out (login time: Wednesday, 08 January, 2025 11:56:13 AM, number of API invocations: 1, user agent: Apache-CXF/3.4.10)]

[v-sudkharat]

Hi @kevintamlsWork, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[v-sudkharat]

@kevintamlsWork, Updated the Parser by adding the Hostname in it, Could you please test and let us know is it working for you :

 let vCenter_Login =() {
        vcenter_CL
        | where Message has ("UserLoginSessionEvent")
        | parse Message with * " " * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged in as " UserAgent:string "]" *
        | extend DomainName = iff(isnull(DomainName), "", DomainName)
        | extend Username = iff(isnull(Username), DomainName, Username)
        | parse Message with * " " * " " * " " Hostname:string "vpxd" *  "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " Username:string "@" SourceIP " logged in as " UserAgent:string "]" *
        | extend Username = iff(isnull(Username), DomainName, Username)
    };
    let vCenter_Logout =() {
        vcenter_CL
        | where Message has ("UserLogoutSessionEvent")
        | parse Message with * " " * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:dynamic ", user agent:" UserAgent:string ")]" *
        | extend DomainName = iff(isnull(DomainName), "", DomainName)
        | extend Username = iff(isnull(Username), DomainName, Username)
        | parse Message with * " " * " " * " " Hostname:string "vpxd" *  "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:dynamic ", user agent:" UserAgent:string ")]" *
        | extend Username = iff(isnull(Username), DomainName, Username)
    };
    let vCenter_Role=() {
        vcenter_CL
        | where Message has_any("RoleAddedEvent","RoleRemovedEvent")
        | parse Message with * " " * " " * " " Hostname:string "vpxd" *  "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[New role " RoleName:string " " Operation:string  "]" *
    };
    let vCenter_RoleModified=() {
        vcenter_CL
        | where Message has ("RoleUpdatedEvent")
        | parse Message with * " " * " " * " " Hostname:string "vpxd" *  "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "Previous name: " OldRoleName:string ", new name "NewRoleName:string " Added privileges: " AddedPriviledges:string " Removed privileges: " RemovedPriviledges:string "]" *
    };
    union vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified
    | extend ClientIP = SourceIP

Thanks!

[kevintamlsWork]

@v-sudkharat Working well for most events, except for selected events in the form.

Jan 15 10:25:12 10.174.7.138 192.168.21.138 1 2025-01-15T10:25:12.099386+00:00 extserv-vc-01 vpxd 6331 - - Event [4100669] [1-1] [2025-01-15T10:25:12.097588Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.EXTSERV.LOCAL\vpxd-extension-88bd2731-10b0-4902-8133-717424793612] [] [4100669] [User VSPHERE.EXTSERV.LOCAL\[email protected] logged in as cl/1.0.0]

Working fine log format:

Jan 15 10:29:52 CR1VAVC vpxd[7332] Event [292530013] [1-1] [2025-01-15T10:29:52.86856Z] [vim.event.UserLoginSessionEvent] [info] [XXX\s_VMC_HCXAdmin] [] [292530013] [User XXX\[email protected] logged in as ]

The parser is capturing everything after the initial timestamp as the hostname, where expected behaviour is to capture the string value before "vpxd". In this case, it's "extserv-vc-01".

Screenshot:

[v-sudkharat]

@kevintamlsWork, actually, the RAW message format you shared is different from the following formats:
Jan 15 10:25:12 10.174.7.138 192.168.21.138 1 2025-01-15T10:25:12.099386+00:00 extserv-vc-01 vpxd 6331 - - Event [4100669] [1-1] [2025-01-15T10:25:12.097588Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.EXTSERV.LOCAL\vpxd-extension-88bd2731-10b0-4902-8133-717424793612] [] [4100669] [User VSPHERE.EXTSERV.LOCAL\[email protected] logged in as cl/1.0.0]

is in a different format compared to the following:

a. Jan 15 10:29:52 CR1VAVC vpxd[7332] Event [292530013] [1-1] [2025-01-15T10:29:52.86856Z] [vim.event.UserLoginSessionEvent] [info] [XXX\s_VMC_HCXAdmin] [] [292530013] [User XXX\[email protected] logged in as ]

b. Jan 8 11:56:13 VDIVCSA-P-01-01 vpxd[7058] Event [50736315] [1-1] [2025-01-08T11:56:13.977736Z] [vim.event.UserLogoutSessionEvent] [info] [VDIP.LOCAL\Administrator] [] [50736315] [User VDIP.LOCAL\[email protected] logged out (login time: Wednesday, 08 January, 2025 11:56:13 AM, number of API invocations: 1, user agent: Apache-CXF/3.4.10)]

We checked the RAW message format of A and B to extract the hostname, which is located after the Date & Timestamp in the third position of the RAW message (e.g., Jan 8 11:56:13 VDIVCSA-P-01-01). In the recent RAW message, the IP addresses are added before the hostname along with the timestamp values. This inconsistency is causing the parser to fail in extracting the correct hostname field.

It appears that in the recent RAW message, from the Date & Timestamp (e.g., Jan 15 10:25:12) to the Hostname (e.g., extserv-vc-01), the format is inconsistent for the parser. As a result, the parser is mistakenly identifying the IPs (10.174.7.138 192.168.21.138) and timestamp values (2025-01-15T10:25:12.099386+00:00) as part of the hostname.

So, if we proceed with making changes to extract the hostname from the RAW message :

Jan 15 10:25:12 10.174.7.138 192.168.21.138 1 2025-01-15T10:25:12.099386+00:00 extserv-vc-01 vpxd 6331 - - Event [4100669] [1-1] [2025-01-15T10:25:12.097588Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.EXTSERV.LOCAL\vpxd-extension-88bd2731-10b0-4902-8133-717424793612] [] [4100669] [User VSPHERE.EXTSERV.LOCAL\[email protected] logged in as cl/1.0.0]

then the parser may fail to extract the hostname from the following raw message format:

Jan 15 10:29:52 CR1VAVC vpxd[7332] Event [292530013] [1-1] [2025-01-15T10:29:52.86856Z] [vim.event.UserLoginSessionEvent] [info] [XXX\s_VMC_HCXAdmin] [] [292530013] [User XXX\[email protected] logged in as ]

Hope this information helps. Thanks!

[v-sudkharat]

Hi @kevintamlsWork, Waiting for your response on above comment, if nothing for us, please let us know for issue closer. Thanks!

[kevintamlsWork]

@v-sudkharat Apologies for the delayed response. Please keep the issue opened, we will be discussing your comment today.

[kevintamlsWork]

@v-sudkharat Could you try to proceed with making the change encapsulating the hosts of both types of messages? Thanks

[v-sudkharat]

@kevintamlsWork, It depends on the RAW message types, but tried to parse the Hostname from the above scenario motioned here -#11642 (comment)

Please check and confirm the below updated parser helps to resolves the issue. and will check this scenario with our team to finalize the Parser so the update can be made globally with required corrections.

 let vCenter_Login =() {
        vcenter_CL
        | where Message has ("UserLoginSessionEvent")
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged in as " UserAgent:string "]" *
        | extend DomainName = iff(isnull(DomainName), "", DomainName)
        | extend Username = iff(isnull(Username), DomainName, Username)
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " Username:string "@" SourceIP " logged in as " UserAgent:string "]" *
        | extend Username = iff(isnull(Username), DomainName, Username)
        | extend Hostname = extract(@'\s(\S+)\svpxd', 1, Message)
    };
    let vCenter_Logout =() {
        vcenter_CL
        | where Message has ("UserLogoutSessionEvent")
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:dynamic ", user agent:" UserAgent:string ")]" *
        | extend DomainName = iff(isnull(DomainName), "", DomainName)
        | extend Username = iff(isnull(Username), DomainName, Username)
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:dynamic ", user agent:" UserAgent:string ")]" *
        | extend Username = iff(isnull(Username), DomainName, Username)
        | extend Hostname = extract(@'\s(\S+)\svpxd', 1, Message)
    };
    let vCenter_Role=() {
        vcenter_CL
        | where Message has_any("RoleAddedEvent","RoleRemovedEvent")
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[New role " RoleName:string " " Operation:string  "]" *
        | extend Hostname = extract(@'\s(\S+)\svpxd', 1, Message)
    };
    let vCenter_RoleModified=() {
        vcenter_CL
        | where Message has ("RoleUpdatedEvent")
        | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "Previous name: " OldRoleName:string ", new name "NewRoleName:string " Added privileges: " AddedPriviledges:string " Removed privileges: " RemovedPriviledges:string "]" *
        | extend Hostname = extract(@'\s(\S+)\svpxd', 1, Message)
    };
    union vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified
    | extend ClientIP = SourceIP

Thanks!

[v-sudkharat]

@kevintamlsWork, Did you get a change to check on above comment. Thanks!

[kevintamlsWork]

@v-sudkharat I've passed it along to my colleagues for testing. Will update the ticket when it has been completed. Thanks!