vCenter audits: who did what and when

As companies virtualize more, vCenter becomes more critical to the business. With a software-defined data center, changes can be made to the data center quite easily. A right click is essentially all it takes. No downtime required. In such a fluid environment, changes made in vCenter need to be tracked, so we know what changes are made and when.

vCenter tracks changes via its Tasks and Events. The problem is that it is hard to query the history. It’s not like big data, where we can treat it as a giant database. This is where Log Insight comes in.

A simple query below got me all the changes made in vCenter. In fact, this is across multiple vCenter servers.

[Note: notice in the query panel, I’ve deliberately omitted a task called “recompute virtual disk digest”. There is a bug which results in excessive log entries.]

All vCenter events and tasks

From the result above, it looks like the main change is “reconfigure VM”. Let’s click on it to drill down and see who made the changes. In my case, it is root. So let’s see which VMs the user root changed.

[Note: I need to figure out why it is root. I thought I did not really use it].

Who reconfigure VM - root

I drilled down on the above and filtered it to only show root. I then grouped the result by VM.

Who reconfigure VM - root - on what VM

If I want to know the time a change was made to a specific VM, I can drill down to that VM. In the example below, I drilled down to a given VM. Notice the queries are all shown below the chart, so we always know exactly what filters we use.

Who reconfigure VM - root - on what VM - when - zoom
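
The same drill-down (all tasks, then who ran “reconfigure VM”, then which VMs root changed, then when) can be reproduced outside Log Insight. This is an added example, not from the original post and not Log Insight's query language; the event tuples, field names, the “power on VM” task and the “administrator” user are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (NOT real vCenter output); field layout is an assumption:
# (timestamp, vcenter, task, user, vm)
EVENTS = [
    ("2014-03-01T09:15:00", "vc01", "reconfigure VM", "root", "app-01"),
    ("2014-03-01T09:20:00", "vc01", "recompute virtual disk digest", "root", "app-01"),
    ("2014-03-01T10:02:00", "vc02", "reconfigure VM", "root", "db-02"),
    ("2014-03-01T10:30:00", "vc01", "power on VM", "administrator", "app-01"),
    ("2014-03-01T11:45:00", "vc01", "reconfigure VM", "root", "app-01"),
    ("2014-03-01T12:10:00", "vc02", "reconfigure VM", "administrator", "web-03"),
    ("2014-03-01T13:05:00", "vc02", "recompute virtual disk digest", "root", "db-02"),
    ("2014-03-01T14:40:00", "vc01", "reconfigure VM", "root", "app-01"),
]
FIELDS = ("time", "vcenter", "task", "user", "vm")

# Task excluded from every query because it floods the log (see the note above).
NOISY_TASKS = {"recompute virtual disk digest"}


def parse(rows):
    """Turn raw tuples into dicts with a real datetime in 'time'."""
    events = [dict(zip(FIELDS, row)) for row in rows]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return events


def select(events, **filters):
    """Drop noisy tasks, then keep events matching every field=value filter."""
    return [e for e in events
            if e["task"] not in NOISY_TASKS
            and all(e[k] == v for k, v in filters.items())]


def count_by(events, field, **filters):
    """Group the filtered events by one field, like 'group by' in the chart."""
    return Counter(e[field] for e in select(events, **filters))


def change_times(events, **filters):
    """Sorted timestamps of the filtered events: the 'when' of the last step."""
    return sorted(e["time"] for e in select(events, **filters))


if __name__ == "__main__":
    ev = parse(EVENTS)
    print(count_by(ev, "task"))                                       # all changes
    print(count_by(ev, "user", task="reconfigure VM"))                # who
    print(count_by(ev, "vm", task="reconfigure VM", user="root"))     # on what VM
    for t in change_times(ev, task="reconfigure VM", user="root", vm="app-01"):
        print(t.isoformat())                                          # when
```

Because events from both vCenter servers sit in one list, each step aggregates across them unless a `vcenter=` filter is added.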

For more Log Insight tips, I highly recommend Steven Flander’s blog.