I see Log Insight will literally ingest anything from any IP as long as it's sent to it.
How can I prevent this from happening, and only allow ingestion from a selected list of machines/IP addresses?
Would I have to somehow edit the firewall on the appliance manually?
Thanks
How did you integrate your vSphere environment with the VRLI server!? You should set up the vCenter server, so I didn't understand what you mean by "rogue hosts". Did you have some ESXi hosts in your virtual infrastructure whose syslog you don't need to capture?!
I think there is no way to prevent the sources from the UI. But anyway, it is a virtual appliance and it has iptables configured in it, so what you can try is to create a deny-all firewall rule and start allowing the sources that you want.
I am not exactly sure that this is fully supported or if this change will be maintained after an upgrade, for example. Also, you need to make sure to create your outbound and inbound rules. You won't find this information in any VMware document; you will need to review a pure Linux guide, but it is no big deal to configure it.
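The allowlist idea from the last reply, as an added example that is not part of the original thread and is not VMware tooling: a script that validates a list of sender addresses and prints, without applying, the iptables commands for a dedicated chain. It narrows the reply's deny-all to the ingestion ports only, so other appliance traffic is untouched. Assumptions: the chain name `LI-INGEST` is hypothetical, the ports are the usual Log Insight ingestion ports (syslog 514/udp and 514/tcp, syslog over TLS 1514/tcp, ingestion API 9000/tcp and 9543/tcp), and the addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example: prints iptables commands for review; it does not run iptables.
# Assumed ingestion ports (verify against your appliance before use).
INGEST_TCP_PORTS="514,1514,9000,9543"
INGEST_UDP_PORTS="514"
CHAIN="LI-INGEST"   # hypothetical chain name

# Succeeds only for a plain IPv4 address or CIDR. Runs in a subshell so the
# IFS change stays local; this also keeps shell metacharacters out of output.
valid_source() (
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || exit 1
    IFS=./
    set -f
    set -- $1
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || exit 1
    done
)

# Usage: gen_ingest_rules SOURCE...
# Validates every source first, so a typo yields no rules at all rather than
# a half-built allowlist.
gen_ingest_rules() {
    [ "$#" -gt 0 ] || { echo "no sources given" >&2; return 2; }
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 2; }
    done
    echo "iptables -N $CHAIN"
    echo "iptables -A $CHAIN -i lo -j ACCEPT"      # keep local senders working
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"              # everything else is refused
    # The jumps are emitted last, so the chain is complete before traffic hits it.
    echo "iptables -I INPUT -p tcp -m multiport --dports $INGEST_TCP_PORTS -j $CHAIN"
    echo "iptables -I INPUT -p udp -m multiport --dports $INGEST_UDP_PORTS -j $CHAIN"
}

# Constructed sample allowlist (documentation address ranges).
gen_ingest_rules 192.0.2.10 198.51.100.0/24
```

Rules added with plain `iptables` commands are not persistent across a reboot, so review the printed commands from the appliance console before relying on them.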