VMware Cloud Community
JimKnopf99
Commander

Query or Alarm for adding reconfiguring VM

Hi,

I have a question about how to create an alarm when a user changes, for example, the memory size of a VM.

I could create an alarm when a VM is reconfigured, but I didn't see exactly what the user does. I think I am doing something wrong in the way I try to get that information out of Log Insight.

Any help is much appreciated.

Frank

If you find this information useful, please award points for "correct" or "helpful".
3 Replies
admin
Immortal

Look for events like this, where the vc_event_type field contains com.vmware.vim25.vmreconfiguredevent:

2017-04-24 17:47:42.112 HOSTNAME vcenter-server: Reconfigured VM_NAME on VCENTER_SERVER_NAME in North America Remote Sites.

Modified:

config.hardware.device(1000).device: (2000, 2001, 2002) -> (2000, 2001, 2002, 2003);

Added:

config.hardware.device(2003): (key = 2003, deviceInfo = (label = "Hard disk 4", summary = "1,310,720,000 KB"), backing = (fileName = "ds:///vmfs/volumes/58f5ded1-0b831a8c-2eed-ecb1d79d3200/VM_NAME/VM_NAME4_3.vmdk", datastore = 'vim.Datastore:1088664C-8D55-4361-99E5-2EDEA6Z1X838:datastore-39958', backingObjectId = "", diskMode = "persistent", split = false, writeThrough = false, thinProvisioned = false, eagerlyScrub = <unset>, uuid = "6000C299-a1e6-355c-bdzc-31cc6fa65bc4", contentId = "cacfc4fc6f44ea830785b146fffffffe", changeId = <unset>, parent = null, deltaDiskFormat = <unset>, digestEnabled = false, deltaGrainSize = <unset>, deltaDiskFormatVariant = <unset>, sharing = "sharingNone", keyId = null), connectable = null, slotInfo = null, controllerKey = 1000, unitNumber = 3, capacityInKB = 1310720000, capacityInBytes = 1342177280000, shares = (shares = 1000, level = "normal"), storageIOAllocation = (limit = -1, shares = (shares = 1000, level = "normal"), reservation = 0), diskObjectId = "1-2003", vFlashCacheConfigInfo = null, iofilter = <unset>, vDiskId = null);

Deleted:

These events tell you what changed in the reconfig. Once you fine-tune your query (in your case, for the memory size of a VM, you would look for text like config.hardware.memoryMB: 1024 -> 4096;), you can use the Create Alert from Query option to create the alarm.

Hope this helps.

Thanks,

-Yogita.
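
The matching described in the reply above, as an added example that is not part of the original thread: a parser for the reconfigure event text that pulls out a config.hardware.memoryMB change and the labels of added devices. It assumes the event text keeps the line layout quoted above; the function names and both sample events are constructed for illustration.

```python
import re

# Section headers exactly as they appear in the event text quoted in the thread.
SECTIONS = ("Modified:", "Added:", "Deleted:")
HEADER_RE = re.compile(r"Reconfigured (?P<vm>.+?) on ")
# "property.path: old -> new;" entries under "Modified:".
CHANGE_RE = re.compile(r"^(?P<path>[\w.()]+):\s*(?P<old>.+?)\s*->\s*(?P<new>.+?);\s*$")
# Device label inside an "Added:" entry, e.g. label = "Hard disk 4".
LABEL_RE = re.compile(r'^(?P<path>[\w.()]+):.*?label = "(?P<label>[^"]+)"')

def parse_reconfig(message):
    """Split one reconfigure event into VM name, modified properties, added devices."""
    event = {"vm": None, "modified": {}, "added": {}}
    section = None
    for line in (raw.strip() for raw in message.splitlines()):
        if line in SECTIONS:
            section = line
        elif section is None and (m := HEADER_RE.search(line)):
            event["vm"] = m["vm"]
        elif section == "Modified:" and (m := CHANGE_RE.match(line)):
            event["modified"][m["path"]] = (m["old"], m["new"])
        elif section == "Added:" and (m := LABEL_RE.match(line)):
            event["added"][m["path"]] = m["label"]
    return event

def memory_change(message):
    """Return (vm, old_mb, new_mb) when the event resized memory, else None."""
    event = parse_reconfig(message)
    change = event["modified"].get("config.hardware.memoryMB")
    if change is None:
        return None
    return event["vm"], int(change[0]), int(change[1])

# Constructed sample events, shaped like the one quoted in the thread.
MEMORY_EVENT = """2017-04-24 17:50:03.004 HOSTNAME vcenter-server: Reconfigured VM_NAME on VCENTER_SERVER_NAME in Datacenter.
Modified:
config.hardware.memoryMB: 1024 -> 4096;
Added:
Deleted:
"""
DISK_EVENT = """2017-04-24 17:47:42.112 HOSTNAME vcenter-server: Reconfigured VM_NAME on VCENTER_SERVER_NAME in Datacenter.
Modified:
config.hardware.device(1000).device: (2000, 2001, 2002) -> (2000, 2001, 2002, 2003);
Added:
config.hardware.device(2003): (key = 2003, deviceInfo = (label = "Hard disk 4", summary = "1,310,720,000 KB"), unitNumber = 3);
Deleted:
"""

if __name__ == "__main__":
    for sample in (MEMORY_EVENT, DISK_EVENT):
        print(memory_change(sample), parse_reconfig(sample)["added"])
```

Events that touch only devices, such as the disk add quoted above, return None from memory_change, so an alert built on it stays quiet for them.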

JimKnopf99
Commander

Hi,

I found those events for vmreconfiguredevent. But then I am lost. Nothing from the other fields contains something about hardware changes.

I am running the vCenter included version of Log Insight. Maybe it is not possible to find that information there?

Frank

memory.JPG

memory2.JPG

Texiwill
Leadership

Hello,

I use this in my Security Operations Dashboard (aac-lib/vli at master · Texiwill/aac-lib · GitHub) and it represents the changes made to virtual hardware either by hand or by script. You usually end up seeing quite a few of these events during backup, for example. This really has nothing to do with 'adding' a VM, but with changes to the VM. The issue is that for any vmreconfigureevent you see, you may see multiple events grouped together or only one. There are also 2 layers to any event... vCenter and ESXi. The ones you listed there are vCenter and it does not say much, but if you look for vmreconfigureevent you end up with those coming from vpxd that show the real changes.

What were you expecting to see?

The best way to catch everything you want is to make the change or add something you want to track in Log Insight. Then search for the name of the item (i.e. VM-Name) and see what shows up. Then you can create a general rule/search for that item/element.

Best regards,
Edward L. Haletky aka Texiwill
VMware Communities User Moderator, VMware vExpert 2009-2017

Virtualization and Cloud Security Analyst: TVP Strategy

Blue Gears Blog: vSphere Upgrade Saga
Podcast: Virtualization and Cloud Security Round Table Podcast
GitHub: https://github.com/Texiwill

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill