From OSSEC Wiki


Configuring VMware ESX for OSSEC Agent

VMware ESX (the classic product with a service console, as opposed to ESXi) runs a Linux-based service console, so very little is needed to get the OSSEC agent running on it.
The standard agent installation locates the relevant log files and monitors them without further configuration (including hostd.log, /var/log/secure, etc.).


  • Log samples from VMware ESX are collected on a separate wiki page.


  • The ESX service console firewall blocks outbound traffic by default, including the agent's connection to the OSSEC server (UDP port 1514 unless you changed it on the server side). Open it with:
# /usr/sbin/esxcfg-firewall -o 1514,udp,out,OSSEC
  The arguments are port, protocol, direction and a label for the rule (OSSEC is only a name). If your server listens on a different port, use that port instead. Afterwards, list the firewall's current settings with esxcfg-firewall -q and confirm the rule is present before checking the agent status on the server.


Examples of alerts from VMware ESX

** Alert 1219935068.17450: - ossec,rootcheck,
2008 Aug 28 10:51:08 qa-esxlab2->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
Src IP: (none)
User: (none)
System Audit: VMware ESX - VM settings - Data Flow from the Virtual Machine to the Datastore not limited - 
Guests allowed to write SetInfo data to config. 
File: /vmfs/volumes/485a72e0-dd49e4f1-796c-001517761286/bart-RHEL5-build/bart-RHEL5-build.vmx. 
Reference: http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX .



OSSEC HIDS Notification.
2008 Aug 28 15:53:11

Received From: enigma->/var/log/messages
Rule: 19120 fired (level 8) -> "Virtual machine state changed to OFF."
Portion of the log(s):

[2008-07-26 10:09:56.601 'vm:/vmfs/volumes/485a72e0-dd49e4f1-796c-001517761286/Nostalgia/Nostalgia.vmx' 123898800 info] State Transition (VM_STATE_RECONFIGURING -> VM_STATE_OFF)
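To show what the second alert above is keyed on, here is a small Python re-implementation of that detection: it parses the hostd-style "State Transition" line and raises an alert only when the destination state is VM_STATE_OFF, mirroring rule 19120 (level 8). This is an added example, not OSSEC's own decoder or rule file. The first sample line is the one from the alert above; the remaining sample lines, the list of state names other than VM_STATE_OFF and VM_STATE_RECONFIGURING, and the rule table are constructed for illustration.

```python
import re

# Line format as it appears in the alert above: a bracketed header holding a
# timestamp, 'vm:<path to .vmx>', a thread id and a log level, followed by
# "State Transition (FROM -> TO)".
STATE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"'vm:(?P<vmx>[^']+)' \d+ (?P<level>\w+)\] "
    r"State Transition \((?P<src>VM_STATE_\w+) -> (?P<dst>VM_STATE_\w+)\)$"
)

# Hypothetical rule table keyed on the destination state. The id, level and
# description for VM_STATE_OFF are copied from the alert on this page; treating
# every other destination as non-alerting is an assumption of this example.
RULES = {
    "VM_STATE_OFF": (19120, 8, "Virtual machine state changed to OFF."),
}


def parse_state_transition(line):
    """Return the fields of a State Transition line, or None for any other line."""
    m = STATE_RE.match(line.strip())
    return m.groupdict() if m else None


def vm_name(vmx_path):
    """Derive the VM name from the .vmx path (last path component, no suffix)."""
    return vmx_path.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def evaluate(line):
    """Return an alert dict if the line's destination state matches a rule, else None."""
    fields = parse_state_transition(line)
    if fields is None:
        return None
    rule = RULES.get(fields["dst"])
    if rule is None:
        return None
    rule_id, level, description = rule
    return {
        "rule": rule_id,
        "level": level,
        "description": description,
        "ts": fields["ts"],
        "vm": vm_name(fields["vmx"]),
        "vmx": fields["vmx"],
        "transition": f"{fields['src']} -> {fields['dst']}",
    }


def scan(lines):
    """Run evaluate() over a sequence of log lines and keep only the alerts."""
    return [alert for alert in map(evaluate, lines) if alert is not None]


# Constructed sample input. Line 1 is the log line from the alert above; the
# rest are made up to exercise the non-alerting paths (power-on transitions and
# an unrelated hostd line) plus a second power-off.
SAMPLE_LOG = [
    "[2008-07-26 10:09:56.601 'vm:/vmfs/volumes/485a72e0-dd49e4f1-796c-001517761286/Nostalgia/Nostalgia.vmx' 123898800 info] State Transition (VM_STATE_RECONFIGURING -> VM_STATE_OFF)",
    "[2008-07-26 10:12:01.004 'vm:/vmfs/volumes/485a72e0-dd49e4f1-796c-001517761286/Nostalgia/Nostalgia.vmx' 123898800 info] State Transition (VM_STATE_OFF -> VM_STATE_POWERING_ON)",
    "[2008-07-26 10:12:09.377 'vm:/vmfs/volumes/485a72e0-dd49e4f1-796c-001517761286/Nostalgia/Nostalgia.vmx' 123898800 info] State Transition (VM_STATE_POWERING_ON -> VM_STATE_ON)",
    "[2008-07-26 10:12:09.380 'App' 123898800 info] Task Completed : haTask-16-vim.VirtualMachine.powerOn-112",
    "[2008-07-26 18:40:22.910 'vm:/vmfs/volumes/485a72e0-dd49e4f1-796c-001517761286/build-box/build-box.vmx' 123898800 info] State Transition (VM_STATE_ON -> VM_STATE_OFF)",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} rule {alert['rule']} (level {alert['level']}) "
              f"{alert['vm']}: {alert['transition']}")
```

Running the block prints one line per power-off, which is the same two events OSSEC would raise under rule 19120 for this input; anything that is not a State Transition line, or that transitions to a state other than OFF, is dropped silently rather than treated as an error, which is the behaviour you want from a log decoder fed mixed hostd output.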