Create a Shortcut connect to VM

We have three option to create a shortcut on Windows 10 to connect a Virtual Machine running on ESXi:

  • Use VMware Workstation
  • Use VMware Player
  • Use VMRC Console

In all of that options, we need have installed the correspondent application. With Workstation and Player, we can open the session with remote VM on FULL-Screen mode.

First, we need to recover the MOID identification of VM, connect with SSH to ESXi where is running the VM and launch this command:

[root@viESXi0:~] vim-cmd vmsvc/getallvms

The output show the VM inventory  on the ESXi and the relative MOID

In this example is 35

So we are ready to connect:

VMware Workstation

“C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe” -f -H -M 35

VMware Player

“C:\Program Files (x86)\VMware\VMware Workstation\vmplayer.exe”  -X -H -M 35


“C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe” vmrc://root@

Where is IP or FQDN of ESXi and MOID or M the identification of VM (found with this command on ESXi Host vim-cmd vmsvc/getallvms

Create a Shortcut connect to VM

Ingest your VMware ESXi logs into Azure Sentinel

The VMware ESXi connector is currently in PREVIEW

What is Azure Sentinel?

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel ingests data from services and apps by connecting to the service and forwarding the events and logs to Azure Sentinel. For physical and virtual machines, you can install the Log Analytics agent that collects the logs and forwards them to Azure Sentinel. For Firewalls and proxies, Azure Sentinel installs the Log Analytics agent on a Linux Syslog server, from which the agent collects the log files and forwards them to Azure Sentinel.

How connect  VMware ESXi to Azure Sentinel?

Integration between VMware ESXi and Azure Sentinel makes use of a Syslog server with the Log Analytics agent installed. It also uses a custom-built log parser based on a Kusto function.

For the onboarding of ESXi on Azure Sentinel, these are the step:

  • Have up and running a  Azure Sentinel service.
  • Prepare a Linux Syslog Server
  • Install Log Analytics Agent
  • Create the VMwareESXi Kusto function
  • Configure your ESXi Hosts to forward log to Syslog server

Create a Azure Sentinel Service 

This example is related to a basic configuration of the Azure Sentinel infrastructure, for more information and details for sizing and costs check in the respective guides from Microsoft.

Login to Azure Portal (How to get an Azure subscription?)

Prepare Linux Syslog

I have installed a virtual machine with Ubuntu Guest OS

I have checked if rsyslog is installed and running

if rsyslog is not installed run the following installation command

 apt-get install rsyslog

Configure rsyslog

Verify the tcp port used from syslog server

Cat  /etc/rsyslog.conf

Configure Kusto function alias

On log analytics workspace

 create this function:

/ Title:           VMWare ESXi
// Author:          Microsoft
// Version:         1.0
// Last Updated:    11/13/2020
// Comment:         Inital Release
// This parser takes raw VMWare ESXi logs from a Syslog stream and parses the logs into a normalized schema.
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window. 
// 2. In the query window, on the second line of the query, enter the hostname(s) of your VMWare ESXi device(s) and any other unique identifiers for the logstream. 
//    For example: | where Computer in ("server1", "server2")
// 3. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
//    It is recommended to name the Function Alias, as VMwareESXi
// 4. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
// Using functions in Azure monitor log queries:
// This parser assumes the raw log are formatted as follows:
// info vpxa[D089B70] [Originator@6876 sub=vpxLro opID=HB-host-89929@3678594-5d55f348-40] [VpxLRO] -- BEGIN session[52908bc7-673e-dc2f-8726-70d13fe8ef72]521881cd-707e-cf9b-01c4-f0fd16d7444d -- vpxa -- vpxapi.VpxaService.retrieveChanges -- 52908bc7-673e-dc2f-8726-70d13fe8ef72
// warning hostd[191C2B70] [Originator@6876 sub=VigorStatsProvider(409264032)] AddVirtualMachine: VM '67' already registered
// cpu25:1040586)WARNING: vmw_psp_rr: psp_rrSelectPathToActivate:1101: Could not select path for device "Unregistered Device".
let LogHeader = Syslog
| where Computer in ("ESXiserver1", "ESXiserver2") // ESXiserver1 and ESXiserver2 are examples, replace this list with your ESXi devices
| extend Parser = extract_all(@"^(\w+)?\s?(\w+)\[(\w+)\]\s([\s\S]+)", dynamic([1,2,3,4]), SyslogMessage)
| mv-expand Parser
| extend Substring = tostring(Parser[3])
| project-away Parser;
| extend Sub = extract(@"sub=([\w\d\(\)\-\.]+)\]?",1, Substring),
	 OpId = extract(@"opID=([\w\d\(\)\-@]+)\s?\]?",1, Substring),
         UserName = extract(@"\suser=([\w\d\(\)\-]+)\]",1, Substring)
| extend Message = extract(@"\[([\S\s]+)\]\s([\S\s]+)",2, Substring)
| extend Message = iif(isempty(Message),SyslogMessage,Message)
| extend Message = trim(@"^-- ", Message)
| project-away Substring

Install Log Analytics Agent

Go to Vmware ESXi Connector on Azure Sentinel

Go to linux syslog server and paste it the code for onboard agent to sentinel

For troubleshooting


In my installation was missing :

And i have installed it

apt-get install gdb

If the installation is ok

now we set which logs the linux agent must send to our workspace

And add local4 e auth

automatically this information will be sent to our agent

Configure ESXi to send data to Linux Syslog Gateway (Where is installed the Log Analytics Agent)

We configure our esxi hosts to send logs to our linux syslog with this powercli script:

$vmHosts = Get-VMHost
$remoteSyslog = 'tcp://<linuxlogserver>'
$syslogport = '514'
# Show current config
$vmHosts | ForEach-Object {
    Write-Host $_.Name
    Get-VMHostSysLogServer -VMHost $_
# Set syslog config in hypervisors
$vmHosts | ForEach-Object {
    Write-Host $_.Name
    Set-VMHostSysLogServer -SysLogServer $remoteSyslog":"$syslogPort -VMHost $_
# Restart syslog and set the allow rules in the ESXi
$vmHosts | ForEach-Object {
    Write-Host $_.Name
    (Get-Esxcli -v2 -VMHost $_).system.syslog.reload.Invoke()
    (Get-Esxcli -v2 -VMHost $_).network.firewall.ruleset.set.Invoke(@{rulesetid='syslog'; enabled=$true})
    (Get-Esxcli -v2 -VMHost $_).network.firewall.refresh.Invoke()
# Show current config
$vmHosts | ForEach-Object {
    Write-Host $_.Name
    Get-VMHostSysLogServer -VMHost $_

Check if ESXi Sentinel Connector is UP

Query to view log

Ingest your VMware ESXi logs into Azure Sentinel

vSphere 7u2 – LifeCycle Manager Parallel Remediate

Let’s see one of the new functions of vSphere 7u2 and precisely the possibility of parallelizing the remediation function with LifeCycle Manager

We must use the new version of vCenter 7u2 and once we have performed the stage on all the nodes of a cluster we can proceed to remediate by putting first the nodes we want to update in maintenance mode manually

In my case we put three hosts in maintenance mode

Among the additional options, of the remediate phase, we enable parallelism and we can choose whether the number of contemporary hosts on which the update will be made is managed automatically….

… or we manually specify how many to do

And then off….

vSphere 7u2 – LifeCycle Manager Parallel Remediate

Hardening VMware vSphere 7

Non sono certo io a dover spiegare che parlare di security è ormai entrato nel day by day dei consulenti dei manager IT. Anche VMware da alcuni anni sta rilasciando  guide di come rafforzare l’hardening degli ambienti vSphere. Ormai è da diffidare di chi considera l’installazione  di ESXi e vCenter come dei semplici avanti avanti avanti ….

Riporto qui sotto il link alla guida di VMware per l’hardening degli ambienti vSphere 7 comprensivo anche dei dettagli dei parametri da configurare e  dei comandi per modificarli.
Hardening VMware vSphere 7

Integrazione VMware Unified Access Gateway con autenticazione Azure MFA

 Per procedere all’integrazione  con Azure MFA è necessario eseguire delle configurazioni su Azure Active Directory  (non entrerò nel dettaglio di queste configurazioni) ma per procedere nell’abilitazione dell’autenticazione a più fattori sull’UAG è necessario accedere all’Enterprise Application creata e scarica il file XML con i metadata. Inoltre verificare che nella Basic SAML Configuration ci siano i riferimenti alla mia infrastruttura UAG pubblica.


Scarico il file XML con i metadata da utilizzare per configurare l’UAG

Importo il file XML nella infrastruttura UAG nelle configurazioni manuali in Identity Bridging Settings


Importo il file XML contenente i metadata selezionado Select


Una volta caricato sull’UAG il file XML con i metadata vado negli edge service settings ed entro nei nelle configurazioni

E configuro l’Auth Methods e l’identity Provider (che mi compare in automatico dopo aver caricato il file XML)


A questo punto posso procedere ad accedere e testare l’accesso con MFA.

Integrazione VMware Unified Access Gateway con autenticazione Azure MFA

Upgrade Standalone ESXi 7.0 to 7.0b

 Check ESXi version:

Check on if there are new patches

There is a new patch (7.0b), download it

After download upload file to ESXi host

Create a SSH connection to ESXi Host

Put in maintenance mode

esxcli system maintenanceMode set --enable true

Update Host 

esxcli software vib update -d /vmfs/volumes/5ed278ae-6001ab57-ac5b-1c697a61ab69/ISO/

and finally

After reboot the version is:
exit to maintenance mode….

or update from internet

esxcli software profile update -p ESXi-7.0b-16324942-standard -d

Upgrade Standalone ESXi 7.0 to 7.0b

Copy file to VMware Datastore using Powercli

#Mi collego all’Host ESXi dove devo copiare la ISO
Connect-ViServer <hostname>
#Visualizzo l’elenco dei datastore
#Seleziono il datastore che mi interessa
$datastore = Get-Datastore “<nome del datastore>”
#Eseguo il mount del PSDrive sotto ds:
New-PSDrive -Location $datastore -Name ds -PSProvider VimDatastore -Root “”
#Lancio la copia
Copy-DatastoreItem -Item c:……Windows2016.iso -Destinatiom ds:ISO

Copy file to VMware Datastore using Powercli