vSphere 6.5 – enhanced logging


vSphere 6.5 introduces audit logging. Before vSphere 6.5, logs were focused on finding the root cause of a problem and were not closely related to IT operations or security use cases. For example, if a virtual machine was reconfigured from one storage adapter to another, the logs would show only “Virtual Machine <name> reconfigured”.

Now the logs coming from vCenter via Syslog contain data from vCenter Events. These logs clearly show “Before” and “After” setting changes. This enhances the ability of IT and security administrators to troubleshoot issues by providing information about exactly what was changed in the vSphere environment.

 security1

Enhanced logging summary:

  • Improved vCenter/ESXi event logs quality
    • Informative auditing without having to enable verbose mode
  • Structured vCenter Events SysLog Stream
    • Minimal VC overhead
    • Simplified deployment
    • Enables upper level intelligence
  • Customer auditing examples:
    • VM was moved to a wrong network
    • VM disk was deleted by accident
    • VM was under/over provisioned
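
The following is an added example, not from the original post or from VMware: it pulls the before/after pairs out of streamed reconfiguration events and tags the ones that match the auditing examples listed above (wrong network, under/over provisioning). The line layout, the `property: old -> new;` syntax and the rule table are assumptions made for illustration; adjust them to what your vCenter actually sends.

```python
import re

# Constructed sample lines. The layout is assumed for illustration and is
# not captured vCenter output.
SAMPLE_LINES = [
    "2017-03-01T10:15:02Z vcsa01 Event [VmReconfiguredEvent] [user=LAB\\alice] [vm=app01] "
    "Modified: config.hardware.numCPU: 2 -> 16; config.hardware.memoryMB: 4096 -> 65536;",
    "2017-03-01T10:20:47Z vcsa01 Event [VmReconfiguredEvent] [user=LAB\\bob] [vm=db02] "
    'Modified: config.hardware.device(4000).backing.deviceName: "PROD-DB" -> "DMZ";',
    "2017-03-01T10:22:10Z vcsa01 Event [VmPoweredOnEvent] [user=LAB\\bob] [vm=db02]",
]

HEADER = re.compile(r"\[(?P<event>\w+)\] \[user=(?P<user>[^\]]+)\] \[vm=(?P<vm>[^\]]+)\]")
CHANGE = re.compile(r"(?P<prop>[\w.()]+): (?P<old>[^;]+?) -> (?P<new>[^;]+);")

# Hypothetical rule table: property-name pattern -> audit category.
RULES = [
    (re.compile(r"\.(numCPU|memoryMB)$"), "provisioning"),
    (re.compile(r"\.backing\.deviceName$"), "network"),
]

def audit(lines):
    """Return one finding per before/after pair found in the given lines."""
    findings = []
    for line in lines:
        head = HEADER.search(line)
        _, marker, tail = line.partition("Modified:")
        if not head or not marker:
            continue  # not a change event, or not in the assumed layout
        for m in CHANGE.finditer(tail):
            category = next((c for rx, c in RULES if rx.search(m["prop"])), "other")
            findings.append({
                "vm": head["vm"], "user": head["user"], "category": category,
                "property": m["prop"],
                "before": m["old"].strip().strip('"'),
                "after": m["new"].strip().strip('"'),
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print("{vm} [{category}] {property}: {before} -> {after} (by {user})".format(**f))
```

Changes that match no rule are kept under the `other` category rather than dropped, so unexpected reconfigurations still reach the reviewer.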

Now let’s see how to enable streaming VC events to a remote syslog server:

security2

security3

NOTE!!! This feature is not available on Windows VC

1. Enable event syslog:

security4

2. Configure connection parameters:

security5

And finally let’s look at some examples of vCenter events audit quality:

security6
