Deploy and Configure Aria Operations for Logs Agent on Workspace ONE (vIDM) for Auditing

I’ve been hearing questions from my customers regarding how to audit logs on Vmware Workspace One Access (vIDM). vIDM used for Directory integration to authenticate users agains customer’s directory such as Active Directory or LDAP. Also, SSO to other Vmware products where those products support the SSO compatibility such as Aria Automation, Aria Operations or Aria Operations for Logs.

In this article you’ll find a step by step guide on how to integrate vIDM and Aria Operations for Logs to collect Audit logs and more from Workspace ONE Access nodes (vIDM nodes).

  • Go Management –> Agents and download current Aria Operations for Logs Linux Agent. File name would be like VMware-Log-Insight-Agent-8.16.0-23229978.noarch_192.168.233.246.rpm
  • Upload rpm package under /tmp/ on the WorkspaceONE nodes,
  • Connect WorkspaceONE node with SSH using root account,
    • Run below command to install Aria Operations for Logs agent,
      rpm -i /tmp/VMware-Log-Insight-Agent-version-build.noarch_192.168.31.10.rpm
    • If you get an error message that there is already another version of deployed run the below command to update it instead of install,
      rpm -Uhv /tmp/VMware-Log-Insight-Agent-version-build.noarch_192.168.31.10.rpm
  • Once agent is installed successfully edit the liagent.ini file on the Workspace ONE nodeby using the text editor such as vi.
    vi /var/lib/loginsight-agent/liagent.ini
  • Locate the [server] section, remove the comments for the following parameters and instert the values. Example is below,
    • Hostname=
    • Proto=cfapi
    •  Port=9000
    • SSL=no
  • Save and exit with entering :wq!
  • Restart Aria Operations for Logs agent on the node using below command,
    /etc/init.d/liagentd restart
  • Run the command below to verify that the Aria Operations for Logs agent is running.
    /etc/init.d/liagentd status
  • Import/Enable VMware Workspace ONE Access Content Pack on Aria Operations for Logs,
    • If Log Insight can access to the internet you can easly find and install from the Marketplace section under Content Packs menu.
  • Apply above steps to rest of Workspace ONE Access nodes,
  • Go to Management–> Agents page
  • Open All Agents drop down at the top, click Workspace ONE Access (on-prem installation) copy link, and give a name to the new template like Workspace ONE Access – Audit
  • Use filters section to add, WorkspaceONE Access nodes with IP addresses and/or FQDNs,
  • Click on Save Agent Group button to save the agent template and sync with the agent on Workspace ONE Access nodes.
  • You should monitor Events, Sent, Events Dropped, and Last Active columns.
  • On Aria Operations for Logs Query screen you should able to see audit logs as examples below,



You may also like...