
Audit of vcenter and hosts

pma111 asked:
We have an ambition to create an audit and monitoring system specific to VMware systems to identify

a) unauthorised access
b) data theft

Specific to ESXi hosts and vCenter, is there perhaps a "top 10" of events/actions that you'd (or perhaps you do) audit, and are there built-in tools within ESXi and vCenter to report on these events? I appreciate that with IT administration you need a degree of trust, but that's where I see the audit / monitoring system filling the gap, to ensure nobody is abusing that trust. I know guests, i.e. guest OS / guest apps, also need considering, but based on how easy you told me it is to just pick up a server from within vCenter or within the host, I'd like to focus on that area.
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant, Fellow 2018, Expert of the Year 2017, commented:
Firstly, limit the number of administrators with access to vCenter Server.

Secondly, all tasks and events are logged in the vCenter database.

To report on these events, you would need to use SQL queries on the database and use Crystal Reports.

pma111 (Author) commented:
Re:

>>Secondly, all tasks and events are logged in the vCenter database.

1) Does this mean all events logged within vCenter, or also by accessing the host directly? I.e. you don't need to use vCenter to access the host.

2) And in terms of "events", are there a top 10 that would indicate potential misuse or data theft that reports could be created on, as some events won't be of interest based on the reasons behind the auditing policy.
Andrew Hancock (VMware vExpert / EE Fellow) commented:
1. All events when connecting to vCenter are logged. You should NOT allow direct connection to the host, because events are overwritten, unless you set up additional logging. But vCenter access is what should be set up. Access can be controlled better with vCenter; that is what it is designed to do.

2. I think the events displayed are self-evident: a user has deleted a virtual machine; is this misuse?

Adding a floppy drive or USB drive: is this an example of data theft? Although it would track that devices have been added, you would need auditing enabled in the OS to track data copying.

This is outside the vCenter software.
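The two answers above describe the raw material (every task and event recorded in the vCenter database, reported on with SQL queries) and the kind of events worth a second look (a VM deleted, a floppy or USB device added, logins). The following script, added here as an illustration and not code from this thread or from VMware, shows one way to turn an export of those events into an audit report. The event type names (UserLoginSessionEvent, BadUsernameSessionEvent, VmRemovedEvent, VmReconfiguredEvent, VmClonedEvent, PermissionAddedEvent, RoleAddedEvent) are real vSphere event types; the record layout, the sample data, the watchlist categories, the approved-administrator list and the failed-login threshold are assumptions made for this example. How the events reach the script (a query against the vCenter database, or the vSphere API's event manager) is left to the reader.

```python
"""Audit report over vCenter-style events (constructed sample data).

Added example, not from the original thread or from VMware. The "type" values
are real vSphere event type names; everything else (field names, detail text,
watchlist, thresholds, account names) is an assumption for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: roughly what an export of vCenter tasks/events could
# look like once flattened to one record per event.
FAILED_ROOT_LOGINS = [
    {"time": f"2018-05-01T09:1{i}:00", "type": "BadUsernameSessionEvent",
     "user": "root", "target": "vcenter01", "detail": "from 203.0.113.9"}
    for i in range(4)  # four failures one minute apart
]
SAMPLE_EVENTS = [
    {"time": "2018-05-01T08:00:00", "type": "UserLoginSessionEvent",
     "user": "VSPHERE.LOCAL\\alice", "target": "vcenter01", "detail": "from 10.0.0.5"},
    {"time": "2018-05-01T08:02:00", "type": "VmReconfiguredEvent",
     "user": "VSPHERE.LOCAL\\alice", "target": "fileserver01",
     "detail": "added USB controller; added floppy drive"},
    {"time": "2018-05-01T08:03:00", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\alice", "target": "fileserver01",
     "detail": "cloned to fileserver01-copy"},
    {"time": "2018-05-01T08:30:00", "type": "VmReconfiguredEvent",
     "user": "VSPHERE.LOCAL\\alice", "target": "web01", "detail": "memory 4096 -> 8192 MB"},
    {"time": "2018-05-01T09:20:00", "type": "UserLoginSessionEvent",
     "user": "VSPHERE.LOCAL\\bob", "target": "vcenter01", "detail": "from 10.0.0.7"},
    {"time": "2018-05-01T09:25:00", "type": "VmRemovedEvent",
     "user": "VSPHERE.LOCAL\\bob", "target": "hr-db01", "detail": "removed from inventory"},
    {"time": "2018-05-01T10:00:00", "type": "PermissionAddedEvent",
     "user": "VSPHERE.LOCAL\\bob", "target": "Datacenter",
     "detail": "Administrator role granted to VSPHERE.LOCAL\\contractor"},
    {"time": "2018-05-01T10:05:00", "type": "VmPoweredOnEvent",
     "user": "VSPHERE.LOCAL\\bob", "target": "web01", "detail": ""},
    {"time": "2018-05-01T10:10:00", "type": "UserLoginSessionEvent",
     "user": "VSPHERE.LOCAL\\contractor", "target": "vcenter01", "detail": "from 10.0.0.42"},
] + FAILED_ROOT_LOGINS

# Assumed watchlist: event type -> (category from the question, default reason).
WATCHLIST = {
    "VmRemovedEvent": ("misuse", "virtual machine deleted or removed from inventory"),
    "VmClonedEvent": ("data_theft", "virtual machine cloned (full copy of its disks)"),
    "VmReconfiguredEvent": ("data_theft", "removable media or USB device attached to VM"),
    "PermissionAddedEvent": ("unauthorised_access", "permission granted"),
    "RoleAddedEvent": ("unauthorised_access", "new role defined"),
    "BadUsernameSessionEvent": ("unauthorised_access", "repeated failed logins"),
    "UserLoginSessionEvent": ("unauthorised_access",
                              "login by account outside the approved administrator list"),
}
APPROVED_ADMINS = {"VSPHERE.LOCAL\\alice", "VSPHERE.LOCAL\\bob"}  # assumed
REMOVABLE_DEVICE_WORDS = ("usb", "floppy", "cd/dvd")
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def audit_events(events, approved_admins=APPROVED_ADMINS):
    """Return the events that merit a reviewer's attention, oldest first."""
    findings = []
    failed_logins = defaultdict(list)  # (user, source) -> recent failure times
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = ev["type"]
        if kind not in WATCHLIST:
            continue  # routine event (power on, migration, ...), not on the watchlist
        category, reason = WATCHLIST[kind]
        when = datetime.fromisoformat(ev["time"])
        if kind == "UserLoginSessionEvent" and ev["user"] in approved_admins:
            continue  # expected administrator; only unknown accounts are reported
        if kind == "VmReconfiguredEvent" and not any(
                word in ev["detail"].lower() for word in REMOVABLE_DEVICE_WORDS):
            continue  # ordinary reconfiguration (CPU/memory), not a device attach
        if kind == "BadUsernameSessionEvent":
            key = (ev["user"], ev["detail"])
            recent = [t for t in failed_logins[key] if when - t <= FAILED_LOGIN_WINDOW]
            recent.append(when)
            failed_logins[key] = recent
            if len(recent) != FAILED_LOGIN_THRESHOLD:
                continue  # report once, when the threshold is first crossed
            reason = f"{len(recent)} failed logins within {FAILED_LOGIN_WINDOW}"
        findings.append({"time": ev["time"], "type": kind, "user": ev["user"],
                         "target": ev["target"], "category": category, "reason": reason})
    return findings


def findings_per_user(findings):
    """Count findings per account: a quick view of who generates the findings."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    report = audit_events(SAMPLE_EVENTS)
    for f in report:
        print(f"{f['time']} {f['category']:<20} {f['user']:<26} "
              f"{f['type']:<24} {f['target']}: {f['reason']}")
    print(findings_per_user(report))
```

On the sample data the routine memory change and the power-on are ignored, the failed root logins produce one finding when the third failure arrives, and the contractor's login is reported only because the account is not on the approved list; the PermissionAddedEvent that granted it is reported separately, which is the chain an auditor would want to see together.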

pma111 (Author) commented:
How long are events maintained for by default?

Are logins/connections to vCenter logged?

pma111 (Author) commented:
>>You should NOT allow direct connection to the host, because events are overwritten

Via documented policy? Or can you enforce this technically? If so, can you provide details on how.
Andrew Hancock (VMware vExpert / EE Fellow) commented:
You can enforce this: do not create any other accounts, document the root account's password, leave it in the safe, and no admin should connect as root unless allowed by policy.

Logins to vCenter are recorded.

All events and tasks are recorded and stored in the database.