In VMware Workspace ONE you can opt to send Console events, Device events, or both. Any events generated by the Workspace ONE UEM console are sent to chronicle according to the scheduler settings. Syslog can be configured for both on-premises and SaaS deployments.
Configuring VMware Workspace ONE
- Navigate to Monitor > Reports & Analytics > Events > Syslog.
- If necessary, set the Syslog Integration to Enabled to display the settings table.
- On the General tab, configure the following syslog settings,
- Enable Syslog Integration
- Enter the URL for the chronicle in the Host Name text box
- Select the required protocol from available options UDP, TCP, or Secure TCP.
- Enter the port number to communicate with the Chronicle forwarder in the Port (no reserved ports) text box.
- Select the format for your Syslog formatting.
- Select the facility level for the feature from the Syslog Facility menu (Informational).
- Enter a descriptive tag to identify events from the Workspace ONE UEM console in the Message Tag text box.
- On the Advanced tab, configure the following settings.
- Select whether to enable or deactivate the reporting of Console events.
- Select Console Events to Send to Syslog
- Select whether to enable or deactivate the reporting of Device events.
- Select Device Events to Send to Syslog.
5. Repeat the process for each device which needs to be onboarded to chronicle.
6. Once the configuration is completed, need to validate the logs in chronicle using a regular expression as (".*") this expression or with specific hostname, will provide the log source types which are ingesting to chronicle, below is the screen shot for reference.