Tag Archives: Audit

Monitoring changes to VMware vSphere Template

Templates are a common feature used by many VMware administrators. There are articles such as this on how to manage template versions. So I will cover something I could not find on Google: how you prove to an auditor that your templates have not been modified by an unauthorised person, and, if a template has been modified, who did it.

The good thing is there are only a few things you can change on a template. The bulk of the changes require the template to be converted into a VM. The changes you can make to a template are shown below:

[Figure: what vCenter captures]

You can see that you can rename the template, change its permissions, and convert it into a VM. All of these are tracked in vCenter, which means a log analysis tool can visualise them for you.

Let’s see who renamed it. Perform a text search for the words template and renamed. You can see an example below.


As most changes to a template require converting it into a VM, let’s see who converted a template into a VM, and vice versa. Log Insight already has a field for it, so it’s just a matter of specifying it: choose the field, and specify that it should contain mark*.

[Figure: summary of changes]

In the above, I have only one template that I changed. You can see that it captures who did it, at what time, to which template, and in which cluster.

If you want to see only the changes to VM, you can filter the field further, as shown below.

[Figure: who made the VM a template]

Hope you find it useful in entertaining, I mean assuring, your auditor team.

Who powered off/on what VM and when in vSphere

The above question can be answered easily with Log Insight. I used the 2 built-in variables that ensure the log entry has a user name and a VM name. To filter out all non-power activity, I specify the string “power”, which matches both power on and power off.

The result still included an irrelevant entry. That was easy to filter out: just click on the entry and filter the text out, as I did below.

The result is a table showing who powered on or powered off which VM and when. You also get the host, cluster, data center and vCenter. I hid the time stamp; you can easily bring it back by clicking the Columns link. Notice I hid 11 columns, so there is other information that Log Insight can show.


I grouped the above chart by VM name. You can easily change it; below is how. Notice I’ve grouped it by user name. This is just a lab, as I used root a lot (not a good discipline!). I should have used a proper AD account.


For more Log Insight tips, I highly recommend Steven Flander’s blog.

vCenter audits: who did what and when

As companies virtualize more, vCenter becomes more critical to the business. With a software-defined data center, changes to the data center can be made quite easily: a right click is essentially all it takes, and no downtime is required. In such a fluid environment, changes made in vCenter need to be tracked, so we know what was changed and when.

vCenter tracks changes via its Tasks and Events. The problem is that the history is hard to query; it’s not like big data, where we can treat it like a giant database. This is where Log Insight comes in.

The simple query below got me all the changes made in vCenter, in fact across multiple vCenter servers.

[Note: notice in the query panel that I’ve deliberately omitted a task called “recompute virtual disk digest”. There is a bug which results in excessive log entries for it.]

[Figure: all vCenter events and tasks]

From the result above, it looks like the main change is “reconfigure VM”. Let’s click on it to drill down and see who made the changes. In my case, it is root. So let’s see which VMs the user root changed.

[Note: I need to figure out why it is root. I thought I did not really use it].

[Figure: Who reconfigure VM - root]

I drilled down on the above and filtered it to only show root. I then grouped the result by VM.

[Figure: Who reconfigure VM - root - on what VM]

If I want to know when a change was made to a specific VM, I can drill down to that VM. In the example below, I drilled down to a given VM. Notice the queries are all shown below the chart, so we always know exactly which filters we used.

[Figure: Who reconfigure VM - root - on what VM - when - zoom]
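The three queries in these posts (template renames and template/VM conversions, power on/off by user and VM, and the drill-down of one user's changes grouped by VM, with the noisy "recompute virtual disk digest" task excluded) implemented over a handful of constructed vCenter event lines, as an added Python example that is not part of the original posts; the line format and field names are assumed for illustration, not the actual vpxd or Log Insight text:

```python
import re
from collections import Counter

# Constructed sample vCenter task/event lines (assumed format, not real vpxd output):
# timestamp, vCenter, user, task name, target VM, cluster.
SAMPLE_EVENTS = """\
2015-03-01T09:12:03Z vc01 user=root task="Mark as template" vm=win2012-tpl cluster=Prod
2015-03-01T09:40:11Z vc01 user=DOMAIN\\alice task="Rename virtual machine" vm=win2012-tpl cluster=Prod
2015-03-01T10:02:45Z vc02 user=DOMAIN\\bob task="Mark as virtual machine" vm=rhel7-tpl cluster=Dev
2015-03-01T10:05:10Z vc02 user=DOMAIN\\bob task="Reconfigure virtual machine" vm=rhel7-tpl cluster=Dev
2015-03-01T10:09:30Z vc02 user=DOMAIN\\bob task="Mark as template" vm=rhel7-tpl cluster=Dev
2015-03-01T11:00:00Z vc01 user=root task="Power Off virtual machine" vm=app01 cluster=Prod
2015-03-01T11:00:05Z vc01 user=root task="Recompute virtual disk digest" vm=app01 cluster=Prod
2015-03-01T11:30:00Z vc01 user=DOMAIN\\alice task="Power On virtual machine" vm=app01 cluster=Prod
"""

EVENT_RE = re.compile(
    r'^(?P<time>\S+) (?P<vcenter>\S+) user=(?P<user>\S+) task="(?P<task>[^"]+)" '
    r'vm=(?P<vm>\S+) cluster=(?P<cluster>\S+)$')

# The task the third post deliberately omits because of its excessive log volume.
NOISE_TASKS = {"recompute virtual disk digest"}


def parse_events(text):
    """Turn raw lines into field dicts; unmatched lines and noise tasks are dropped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m and m.group("task").lower() not in NOISE_TASKS:
            events.append(m.groupdict())
    return events


def template_changes(events):
    """First post: renames plus template<->VM conversions (task contains 'mark' or 'rename')."""
    return [e for e in events
            if "mark" in e["task"].lower() or "rename" in e["task"].lower()]


def power_changes(events):
    """Second post: (user, vm, task, time) for every power on/off, in log order."""
    return [(e["user"], e["vm"], e["task"], e["time"])
            for e in events if "power" in e["task"].lower()]


def changes_by_vm_for_user(events, user):
    """Third post's drill-down: number of changes one user made, grouped by VM."""
    return Counter(e["vm"] for e in events if e["user"] == user)
```

Pointing the same functions at the syslog feed a Log Insight agent forwards would need only the regex adjusted to the real message layout.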

For more Log Insight tips, I highly recommend Steven Flander’s blog.