
Integrate VMware ESX/ESXi and vCenter Server

Publication Date: March 04, 2016

Abstract

This guide provides instructions to configure VMware to send the event logs to EventTracker. Once events are configured to send to EventTracker Manager, alerts, dashboard and reports can be configured into EventTracker.

Scope

The configurations detailed in this guide are consistent with EventTracker version 7.X and later, and VMware ESX 3, ESXi 5.5 and vCenter 6.0 and later.

Audience

VMware users who wish to forward event logs to EventTracker Manager and monitor events using EventTracker.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract
Overview
Prerequisites
Log Forward Configuration
Configure syslog to send VMware ESX/ESXi event logs to EventTracker
Log Severity Configuration
Host Agent Log
vCenter Agent Log
vCenter Server Log
Configure LFM to send VMware vCenter Single Sign-On event logs to EventTracker
Configure LFM-VMWare API to send VMware vCenter Server event logs to EventTracker
EventTracker Knowledge Pack (KP)
Categories
Alerts
Reports
Import VMware Knowledge Pack into EventTracker
Import Category
Import Alerts
Import Token Value
Import Flex Reports
Import Template
Verify VMware knowledge pack in EventTracker
Verify categories
Verify alerts
Verify Token Values
Verify Flex Reports
Verify Template
Sample Reports

Overview

VMware is a virtualization and cloud computing software provider for x86-compatible computers. VMware virtualization is based on the ESX/ESXi bare metal hypervisor, supporting virtual machines. The term "VMware" is often used in reference to specific VMware Inc. products such as VMware vCenter, VMware Workstation, VMware View, VMware Horizon Application Manager and VMware vCloud Director.

Prerequisites

EventTracker v7.x and later should be installed.

VMware ESX/ESXi and vCenter Server should be installed.

Log Forward Configuration

Configure syslog to send VMware ESX/ESXi event logs to EventTracker

1. Log in to the VMware vSphere Client machine.

Figure 1

1. In the vSphere Client Inventory, select the ESXi host and click the Configuration tab.

Figure 2

2. In the Software panel, select Advanced Settings.

Figure 3

3. The following screen is displayed.

Figure 4

4. Select Syslog in the tree control.

5. In the Syslog.global.LogHost option, enter the IP address of the syslog server (the EventTracker machine).

Figure 5

6. To set up logging globally, click global under syslog option and make changes to the fields on the right.

| Option | Description |
|---|---|
| Syslog.global.defaultRotate | Sets the maximum number of archives to keep. You can set this number globally and for individual subloggers. |
| Syslog.global.defaultSize | Sets the default size of the log, in KB, before the system rotates logs. You can set this number globally and for individual subloggers. |
| Syslog.global.LogDir | Directory where logs are stored. The directory can be located on mounted NFS or VMFS volumes. Only the /scratch directory on the local file system is persistent across reboots. The directory should be specified as [datastorename] path_to_file where the path is relative to the root of the volume backing the datastore. For example, the path [storage1] var/log/messages maps to the path /vmfs/volumes/storage1/var/log/messages. If no path is specified, all log files are sent to /var/log. |
| Syslog.global.logDirUnique | Selecting this option creates a subdirectory with the name of the ESXi host under the directory specified by Syslog.global.LogDir. A unique directory is useful if the same NFS directory is used by multiple ESXi hosts. |
| Syslog.global.LogHost | Remote host to which syslog messages are forwarded and port on which the remote host receives syslog messages. You can include the protocol and the port, for example, ssl://hostName1:514. UDP (default), TCP, and SSL are supported. The remote host must have syslog installed and correctly configured to receive the forwarded syslog messages. See the documentation for the syslog service installed on the remote host for information on configuration. |

Table 1

7. (Optional) To overwrite the default log size and log rotation for any of the logs:

a. Click loggers.

b. Click the name of the log that you want to customize and enter the number of rotations and log size you want.

8. Click the OK button. The changes to the syslog options take effect immediately.

Log Severity Configuration

Host Agent Log

This log contains information about the agent that manages and configures the ESX host and its virtual machines. Steps to change the severity of hostd.log are as follows:

1. Connect the vSphere Client to the vCenter Server 5.0

2. Select the ESXi 5.0 host > Configuration

3. Under Software, select Advanced Settings

4. In the Advanced Settings, select Config > HostAgent > log

5. Update the config.HostAgent.log.level setting with info logging level

Figure 6

vCenter Agent Log

This log contains information about the agent that communicates with VirtualCenter. Steps to change the severity of vpxa.log are as follows:

1. Connect the vSphere Client to the vCenter Server 5.0

2. Select the ESXi 5.0 host > Configuration

3. Under Software, select Advanced Settings

4. In Advanced Settings, select Vpx > Vpxa > config > log

5. Update the Vpx.Vpxa.config.log.level setting with info logging level

Figure 7

vCenter Server Log

This log contains information about all vSphere Client and WebServices connections, internal tasks and events, and communication with the vCenter Server Agent (vpxa) on managed ESX/ESXi hosts. Steps to change the severity of vpxd.log are as follows:

1. Connect the vSphere Client to the vCenter Server.

2. Select Administration > vCenter Server Settings > Logging options

3. Select the Information logging option from the drop down menu.

Figure 8
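
The host-side values set in the steps above (Syslog.global.LogHost and the two log.level advanced settings) can be checked across many hosts once they have been exported. The following Python is an added example, not EventTracker or VMware code: it parses LogHost entries in the protocol://host:port form described in Table 1 and reports hosts that do not forward to the collector or that log below info. The settings dictionary layout, host names and collector address are constructed; accepting several comma-separated LogHost entries and flagging udp/tcp transports are assumptions of this example, not requirements stated in the guide.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Transports the guide lists for Syslog.global.LogHost; UDP applies when none is given.
TRANSPORTS = ("udp", "tcp", "ssl")
# Host advanced settings the guide sets to the info logging level.
LEVEL_KEYS = ("config.HostAgent.log.level", "Vpx.Vpxa.config.log.level")
# Level names offered for those settings, least to most verbose.
LEVELS = ("none", "error", "warning", "info", "verbose", "trivia")

# [scheme://]host[:port]; IPv6 literals must be bracketed.
_ENTRY = re.compile(
    r"^(?:(?P<scheme>[A-Za-z]+)://)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:/\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?$"
)


@dataclass(frozen=True)
class LogHost:
    scheme: str
    host: str
    port: Optional[int]  # None when the entry does not name a port


def parse_loghosts(value: str) -> list:
    """Split a LogHost value into LogHost records (assumes comma-separated entries)."""
    hosts = []
    for raw in filter(None, (part.strip() for part in value.split(","))):
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError(f"unparseable LogHost entry: {raw!r}")
        scheme = (m.group("scheme") or "udp").lower()
        if scheme not in TRANSPORTS:
            raise ValueError(f"unsupported transport {scheme!r} in {raw!r}")
        port = int(m.group("port")) if m.group("port") else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {raw!r}")
        hosts.append(LogHost(scheme, m.group("host").strip("[]").lower(), port))
    return hosts


def audit_host(settings: dict, collector: str) -> list:
    """Return findings for one host; an empty list means it matches the guide."""
    findings = []
    try:
        hosts = parse_loghosts(settings.get("Syslog.global.LogHost", ""))
    except ValueError as exc:
        hosts = None
        findings.append(f"Syslog.global.LogHost: {exc}")
    if hosts is not None:
        to_collector = [h for h in hosts if h.host == collector.lower()]
        if not to_collector:
            findings.append(f"Syslog.global.LogHost: no entry forwards to {collector}")
        for h in to_collector:
            if h.scheme != "ssl":  # example policy: prefer the encrypted transport
                findings.append(
                    f"Syslog.global.LogHost: {h.scheme} to {h.host} is cleartext; "
                    "ssl:// protects events in transit"
                )
    for key in LEVEL_KEYS:
        level = str(settings.get(key, "")).lower()
        if level not in LEVELS:
            findings.append(f"{key}: unknown or missing level {level!r}")
        elif LEVELS.index(level) < LEVELS.index("info"):
            findings.append(f"{key}: {level!r} drops info-level events; set to info")
    return findings


# Constructed sample: advanced settings as exported from two hosts.
SAMPLE = {
    "esx01.example.test": {
        "Syslog.global.LogHost": "ssl://192.0.2.10:514",
        "config.HostAgent.log.level": "info",
        "Vpx.Vpxa.config.log.level": "info",
    },
    "esx02.example.test": {
        "Syslog.global.LogHost": "192.0.2.10",
        "config.HostAgent.log.level": "warning",
        "Vpx.Vpxa.config.log.level": "info",
    },
}

if __name__ == "__main__":
    for name, settings in SAMPLE.items():
        for finding in audit_host(settings, collector="192.0.2.10") or ["ok"]:
            print(f"{name}: {finding}")
```
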

Configure LFM to send VMware vCenter Single Sign-On event logs to EventTracker

Before configuring LFM, deploy the EventTracker agent on the vCenter Server machine; refer to the EventTracker Agent installation guide. After installing the agent, follow the steps below to configure LFM.

1. Select the Start button, select Prism Microsystems, and then select EventTracker Control Panel.

2. Select EventTracker Agent Configuration, select systems vCenter Single Sign-On machine name, and then select Logfile Monitor tab.

3. Select Logfile Monitor option.

EventTracker recommends adding the following two vCenter Single Sign-On log files for monitoring.

a. C:\ProgramData\VMware\vCenterServer\logs\vmdird\vmdir.log

b. C:\ProgramData\VMware\vCenterServer\logs\sso\vmware-sts-idmd.log

Figure 9

4. Click the Add File Name button.

Enter File Name window displays.

Figure 10

5. Select Get All Existing Log Files option.

6. In Select Log File Type drop down, select the TEXTLINE option.

7. Enter the path of the vCenter SSO logs.

Figure 11

8. Click the OK button.

Figure 12

9. Click the Save button.

Configure LFM-VMWare API to send VMware vCenter Server event logs to EventTracker

1. Open the Agent Configuration window.

2. Select the system from the Select System drop-down list.

3. Click the Logfile Monitor tab.

EventTracker displays the Logfile Monitor tab.

4. Click Add File Name.

EventTracker displays the Enter File Name dialog box.

5. Select the logfile type as VMWARE from the Select Logfile Type drop-down list.

EventTracker displays the Enter File Name dialog box.

Figure 13

| Field | Description |
|---|---|
| VMware URL | Type a valid URL, e.g. https://esxvcserver/sdk/vimService. You can also replace the server name with the IP address. |
| User Name | Type valid user name. |
| Password | Type valid password. |
| Timeout | Time connection timeout. |

Table 2

6. Type appropriately in the relevant fields.

7. Click Test Connection to check if configuration parameters have been entered correctly.

8. Click OK.

EventTracker displays the Agent Configuration Window

Figure 14

9. Click Save.

EventTracker Knowledge Pack (KP)

Once logs are received in EventTracker, categories, alerts, reports and dashboards can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker v7 and later to support VMware ESX/ESXi and vCenter Server monitoring:

Categories

VMware ESX: Permission changed - This category based report provides information related to permission changes made for a user on VMware ESX.

VMware ESX: Permission rule added - This category based report provides information related to a permission rule added on the VMware ESX server.

VMware ESX: Permission rule removed - This category based report provides information related to a permission rule removed on the VMware ESX server.

VMware ESX: Alarm created - This category based report provides information related to a resource usage alarm being created.

VMware ESX: Alarm removed - This category based report provides information related to a resource usage alarm being removed.

VMware ESX: High resource usage alarm - This category based report provides information related to the status of a resource usage alarm changing to red or yellow.

VMware ESX: Failed user login - This category based report provides information related to failed user logins on the VMware ESX server.

VMware ESX: Remote console connected - This category based report provides information related to remote console connections made to a virtual machine.

VMware ESX: Remote console disconnected - This category based report provides information related to remote connections disconnected from the VMware ESX server.

VMware ESX: Successful user login - This category based report provides information related to user(s) logging on to the VMware server.

VMware ESX: User logout - This category based report provides information related to user(s) logging out from the VMware ESX server.

VMware ESX: Datacenter created - This category based report provides information related to a datacenter created on the virtual center server.

VMware ESX: Datacenter removed - This category based report provides information related to a datacenter removed from the virtual center server.

VMware ESX: Datacenter renamed - This category based report provides information related to an existing datacenter in the virtual center server being renamed.

VMware ESX: Host added - This category based report provides information related to a VMware ESX host added to the virtual center server.

VMware ESX: Host removed - This category based report provides information related to a VMware ESX host removed from the virtual center server.

VMware ESX: Resource configuration updated - This category based report provides information related to resource configuration updates.

VMware ESX: Task failed - This category based report provides information related to tasks that failed or were canceled by a user.

VMware ESX: Virtual center started - This category based report provides information related to the virtual center server being started.

Alerts

VMware ESX: High resource usage alarm - This alert is generated when the status of a resource usage alarm changes to red or yellow.

VMware ESX: Task failed - This alert is generated when a task fails or is canceled by a user.

VMware ESX: Virtual machine created - This alert is generated when a virtual machine is created.

VMware ESX: Virtual machine reconfigured - This alert is generated when a virtual machine is reconfigured.

VMware ESXi: Account deleted - This alert is generated when an account is deleted.

VMware ESXi: User authentication failed - This alert is generated when a user authentication failure event occurs.

VMware ESXi: Host added - This alert is generated when a host is added.

VMware ESXi: User authentication success - This alert is generated when a user authentication success event occurs.

VMware vCenter: User permission removed - This alert is generated when a user permission is removed.

VMware vCenter: User role modified - This alert is generated when a user role has been modified.

VMware vCenter: Virtual machine created - This alert is generated when a virtual machine is created.

VMware vCenter: Virtual machine removed - This alert is generated when a virtual machine is removed.

VMware vCenter: User role deleted - This alert is generated when a user role has been deleted.

VMware vCenter: Virtual disk download - This alert is generated when a virtual disk is downloaded.

VMware vCenter: SSH access enabled - This alert is generated when SSH access is enabled.

VMware vCenter: Lockdown mode enabled - This alert is generated when lockdown mode is enabled.

VMware: Firewall configuration change - This alert is generated when the firewall configuration is changed.

VMware: SCSI error - This alert is generated when a SCSI error occurs.

VMware: SCSI high IO latency - This alert is generated when IO latency is high.

Reports

VMware vCenter-Virtual disk download: This report provides information about where a virtual disk has been downloaded from. It also gives the disk volume, file name and virtual machine name.

VMware vCenter-Virtual disk copy: This report provides information about the source and destination of a virtual disk copy and the hostname.

VMware vCenter-Bypass attempt details: This report provides information related to bypass attempt details.

VMware vCenter-Host added or removed: This report provides information related to host addition or removal from a datacenter, which includes host address, status and datacenter name fields.

VMware vCenter-Server tasks status: This report provides information about task status.

VMware vCenter-Virtual machine created or removed: This report provides information related to virtual machine creation or removal, which includes virtual machine name, datacenter name, host address and status fields.

VMware vCenter-User role management: This report provides information related to user roles added, deleted and modified.

VMware vCenter-Successful logins: This report provides information related to successful logins with username, source IP address and logon type fields.

VMware ESXi-Failed login attempts: This report provides information related to failed login attempts with hostname, username and source IP address.

VMware ESXi-Firewall configuration change: This report provides information related to firewall configuration changes with firewall operation, ruleset and hostname.

VMware ESXi-Account created or removed: This report provides information on account creation or removal on ESXi, which includes host address, account name, status and activity performed by fields.

VMware-Host CPU usage: This report provides information related to high CPU usage with host IP address and status (color code).

VMware-Host memory usage: This report provides information related to host memory usage with host IP address and status (color code).

VMware-SSO user created: This report provides information related to SSO user creation with the username that is created and the action.

VMware-SSO user deleted: This report provides information related to SSO user deletion with the username that is deleted and the action.

VMware-SSO user authentication failure: This report provides information related to SSO user authentication failure with username and hostname.

Import VMware Knowledge Pack into EventTracker

1. Launch EventTracker Control Panel.

2. Double click Export/Import Utility, and then click the Import tab.

Figure 15

Import Category/Alert/Tokens/Flex Reports as given below.

Import Category

1. Click Category option, and then click the browse button.

2. Locate VMware ESX-ESXi-vCenter.iscat file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays success message.

Figure 16

4. Click OK, and then click the Close button.

Import Alerts

1. Click Alert option, and then click the browse button.

2. Locate VMware ESX-ESXi-vCenter.isalt file, and then click the Open button.

3. To import alerts, click the Import button.

EventTracker displays success message.

Figure 17

4. Click OK, and then click the Close button.

Import Token Value

1. Click Token Value option, and then click the browse button.

2. Locate VMware ESX-ESXi-vCenter.istoken file, and then click the Open button.

Figure 18

3. To import token value, click the Import button.

EventTracker displays success message.

Figure 19

4. Click OK, and then click the Close button.

Import Flex Reports

1. Click Scheduled Reports option, and then click the browse button.

2. Locate VMware ESX-ESXi-vCenter.issch file, and then click the Open button.

Figure 20

3. To import scheduled reports, click the Import button.

EventTracker displays success message.

Figure 21

4. Click OK, and then click the Close button.

Import Template

1. Click the Admin menu, and then click Parsing rule.

2. Select Template tab, and then click on option

Figure 22

3. Click on Browse button and import .ettd file

Figure 23

4. Now select the check box and then click on option

EventTracker displays success message.

Figure 24

5. Click on OK button.

Verify VMware knowledge pack in EventTracker

Verify categories

1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Categories.

3. To view the imported categories, in the Category Tree, expand VMWare ESX group folder.

Figure 25

Verify alerts

1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Alerts.

3. In the Search box, type ‘VMware ESX’, and then click the Go button.

Alert Management page will display all the imported alerts.

Figure 26

4. To activate the imported alerts, select the respective checkbox in the Active column.

EventTracker displays message box.

Figure 27

5. Click OK, and then click the Activate Now button.

Verify Token Values

1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Parsing Rules.

3. In Token Value Group Tree to view imported token values, scroll down and click VMware group folder. Token values are displayed in the token value pane.

Figure 28

Verify Flex Reports

1. Logon to EventTracker Enterprise.

2. Click the Reports menu, and then Configuration.

3. Select Defined in report type.

4. In Report Groups Tree to view imported Scheduled Reports, scroll down and click VMware group folder. Scheduled Reports are displayed in the Reports configuration pane.

Figure 29

Verify Template

1. Click the Admin menu, and then click Parsing rule.

2. Select Template tab. It displays the templates

Figure 30

Sample Reports

VMware vCenter - Virtual Disk Download

Figure 31

VMware vCenter – Successful Logins

Figure 32

VMware vCenter – Virtual machine created or removed

Figure 33

VMware ESXi-Account created or removed

Figure 34