vSphere 6.5 – enhanced logging
vSphere 6.5 introduces audit logging. Before vSphere 6.5, logs were focused on finding the root cause of a problem and were not closely related to IT operations or security use cases. For example, if a virtual machine was reconfigured from one storage adapter to another, the logs would show only “Virtual Machine <name> reconfigured”.
Now the logs coming from vCenter via syslog contain data from vCenter Events and clearly show the “Before” and “After” values of a changed setting. This makes it easier for IT and security administrators to troubleshoot issues, because the logs state exactly what was changed in the vSphere environment.
Enhanced logging summary:
- Improved vCenter/ESXi event logs quality
- Informative auditing without having to enable verbose mode
- Structured vCenter Events SysLog Stream
- Minimal VC overhead
- Simplified deployment
- Enables upper level intelligence
- Customer auditing examples:
  - VM was moved to a wrong network
  - VM disk was deleted by accident
  - VM was under/over provisioned
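An added example (not from the original post and not VMware code): a small Python check that reads the before/after values from a reconfigure event message and flags the three customer auditing cases listed above. The message layout, the property names, the VM and network names and the sizing limits are assumptions, and the sample lines are constructed; adjust the parsing to what your syslog receiver actually gets.

```python
import re

# Assumed message layout (constructed for this example): changes are grouped
# under "Modified:", "Added:" and "Deleted:", one "property: value;" per entry,
# with modified entries written as "property: before -> after;".
SECTION_RE = re.compile(r"\b(Modified|Added|Deleted):")

# Hypothetical site policy: permitted networks per VM and vCPU sizing limits.
ALLOWED_NETWORKS = {"web01": {"DMZ"}, "db01": {"Backend"}}
MIN_CPU, MAX_CPU = 1, 8

def parse_event(message):
    """Return {'Modified': [(prop, before, after)], 'Added'/'Deleted': [(prop, value)]}."""
    changes = {"Modified": [], "Added": [], "Deleted": []}
    parts = SECTION_RE.split(message)  # [prefix, name, body, name, body, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        for entry in filter(None, (e.strip() for e in body.split(";"))):
            prop, _, value = entry.partition(":")
            if name == "Modified":
                before, _, after = value.partition("->")
                changes[name].append((prop.strip(), before.strip(' "'), after.strip(' "')))
            else:
                changes[name].append((prop.strip(), value.strip(' "')))
    return changes

def audit(message):
    """Flag the three audit cases: wrong network, removed disk, bad sizing."""
    m = re.search(r"Reconfigured (\S+) on", message)
    vm = m.group(1) if m else "unknown"
    changes, findings = parse_event(message), []
    allowed = ALLOWED_NETWORKS.get(vm)  # None means no policy for this VM
    for prop, before, after in changes["Modified"]:
        if prop.endswith("deviceName") and allowed is not None and after not in allowed:
            findings.append(f"{vm}: network {before} -> {after} not allowed")
        elif prop.endswith("numCPU") and after.isdigit() and not MIN_CPU <= int(after) <= MAX_CPU:
            findings.append(f"{vm}: numCPU {before} -> {after} outside {MIN_CPU}-{MAX_CPU}")
    for prop, value in changes["Deleted"]:
        if "VirtualDisk" in value:
            findings.append(f"{vm}: disk removed ({prop})")
    return findings

# Constructed sample messages, not captured from a real vCenter.
SAMPLES = [
    'Reconfigured web01 on esx01. Modified: config.hardware.numCPU: 2 -> 16; '
    'config.hardware.device(4000).backing.deviceName: "DMZ" -> "Backend"; '
    'Deleted: config.hardware.device(2001): VirtualDisk;',
    'Reconfigured db01 on esx02. Modified: config.hardware.numCPU: 4 -> 8;',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("\n".join(audit(sample)) or "no findings")
```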
Now let’s see how to enable streaming of VC events to a remote syslog server:
NOTE!!! This feature is not available on Windows VC
1. Enable event syslog:
2. Configure connection parameters:
And finally let’s look at some examples of vCenter events audit quality: