VMware Cloud Community
fgl
Enthusiast

VM power on/off auditing?

Hello,

I have a question about the way vCenter logs who a power on/off task is initiated by. I've noticed that no matter which admin initiates a VM power on/off, the task log shows that it was initiated by "system". I'm assuming it's because after the admin initiates a power on/off the task is handed off to vCenter (i.e. system), therefore it's the system that does the actual power on/off. This makes it hard to truly identify who actually initiated a power on/off. Is there another way to do this for better auditing?

MauroBonder
VMware Employee

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=100434...

Troy_Clavell
Immortal

You can check your tasks and events at the vCenter level. There you will get a more detailed view as to who initiated what task.

fgl
Enthusiast

Maybe I'm not explaining it right (see screenshot). Even at the vCenter level it shows 'system'.

That KB is not what I'm asking, as I'm not having a problem powering off a VM. I want to audit who is powering VMs on and off normally.

Troy_Clavell
Immortal

Below that power on virtual machine task, you should also see an Initialize powering on and who/what initiated the task. You are looking at the vCenter level, correct, not the guest level?

fgl
Enthusiast

The 'initialize powering on' task does show the correct user info, but the target is the name of the data center and not the VM, so if, say, 3 people each initiate a power on of 3 separate VMs, there will be 3 entries of the 'initialize powering on' task associated with the target of 'data center', each with the correct user info, but then there will also be 3 entries of 'power on virtual machine', all with initiated by 'system'. Yes, I can tell that 3 different people initiated a power on, but I can't tell who powered on which VM.

I just noticed something different. I have 1 vSphere data center level with 2 separate cluster levels, and it seems that the above issue only happens to 1 of the clusters and not the other one, as on the second cluster for 'power on virtual machine' it does show the username and not 'system'.

Hmmm, I'm going to have to compare the 2 clusters and see what's different, but since I'm the one that originally set them up I'm 99% sure they were set up the same, with only one exception, and that is on cluster 1 I have all 'enterprise' licenses and on cluster 2 I have all 'standard' licenses. One would think it's a license feature option, but in this case it's reversed, meaning I am getting the correct user info on the 'standard' license cluster and generic 'system' user info on the 'enterprise' license cluster.

And yes, I am doing this at the vSphere level and I've tried at the data center level, the cluster level, and the VM guest level.

fgl
Enthusiast

Ok. I've figured out the problem. It's DRS that is causing it: when DRS is enabled on the cluster, any power on task will show initiated by 'system', whereas when DRS is disabled it shows initiated by the user account. This, I suppose, kinda makes sense, since with DRS enabled, when a VM is powered on you hand control over to DRS to determine which host to allocate the resources to the VM. This just causes an auditing issue when you want to find out who powered on a VM. I'm going to submit a feature request to see if something can be done about it.

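Added example, not part of the thread and not VMware code: a Python sketch that pairs each 'power on virtual machine' task logged as 'system' with the 'initialize powering on' task that preceded it, and flags the concurrent case described above as ambiguous instead of guessing. The field names, the 5-second window and the sample rows are assumptions constructed for illustration; the pairing is a time-based inference, not a link recorded by vCenter.

```python
from datetime import datetime, timedelta

# Constructed sample rows using the columns the thread describes (task name,
# target, initiated by) plus a start time. Field names are hypothetical.
TASKS = [
    {"name": "Initialize powering on", "target": "DC1", "initiated_by": "alice", "start": "2024-01-10 09:00:01"},
    {"name": "Power On virtual machine", "target": "web01", "initiated_by": "system", "start": "2024-01-10 09:00:02"},
    {"name": "Initialize powering on", "target": "DC1", "initiated_by": "bob", "start": "2024-01-10 09:30:00"},
    {"name": "Initialize powering on", "target": "DC1", "initiated_by": "carol", "start": "2024-01-10 09:30:01"},
    {"name": "Power On virtual machine", "target": "db01", "initiated_by": "system", "start": "2024-01-10 09:30:02"},
    {"name": "Power On virtual machine", "target": "app01", "initiated_by": "system", "start": "2024-01-10 09:30:03"},
    {"name": "Power On virtual machine", "target": "test01", "initiated_by": "dave", "start": "2024-01-10 10:00:00"},
]

def _ts(task):
    return datetime.strptime(task["start"], "%Y-%m-%d %H:%M:%S")

def attribute_power_ons(tasks, window_seconds=5):
    """Return {vm: (status, users)} for every 'Power On virtual machine' task.

    status is 'direct' (user logged on the VM task itself, the non-DRS case),
    'inferred' (exactly one initialize task in the window), 'ambiguous'
    (several users in the window) or 'unattributed' (none).
    """
    window = timedelta(seconds=window_seconds)
    inits = [t for t in tasks if t["name"] == "Initialize powering on"]
    result = {}
    for task in tasks:
        if task["name"] != "Power On virtual machine":
            continue
        if task["initiated_by"].lower() != "system":
            result[task["target"]] = ("direct", [task["initiated_by"]])
            continue
        # Candidate initiators: initialize tasks that started at or shortly
        # before the VM-level task.
        users = sorted({i["initiated_by"] for i in inits
                        if timedelta(0) <= _ts(task) - _ts(i) <= window})
        if len(users) == 1:
            status = "inferred"
        elif users:
            status = "ambiguous"
        else:
            status = "unattributed"
        result[task["target"]] = (status, users)
    return result

if __name__ == "__main__":
    for vm, (status, users) in attribute_power_ons(TASKS).items():
        print(f"{vm}: {status} {users}")
```

Rows reported as ambiguous or unattributed need a second source, such as change tickets or session logs, before a power-on is assigned to a person.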