VMware Cloud Community
erikjohnsen
Enthusiast

Cannot "locally disable" a symptom definition

Hi

I created a new policy that inherits from the vSphere 5.5 Hardening Guide Policy.

On some of the symptom definitions I want them disabled, e.g. that the DCUI service is running on an ESXi host.

I press locally disable on the symptom and save. When I open the policy again, it has been set to locally ENABLE! This happens for any symptom definitions I want to alter for my new policy.

Am I doing something wrong?

7 Replies
aaghabekyan
VMware Employee

Hi, what version of vROps are you using? Has it been set to locally ENABLE or ENABLE (forced)?

greco827
Expert

That symptom definition is disabled in the base settings, and is therefore inherited as disabled for all policies below it. Setting it to locally disable, when it is disabled based on inheritance, may result in it reverting back to disabled by inheritance rather than disabled locally.

In other words, there is no reason to disable something locally which is already disabled in base settings.

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
greco827
Expert

Also, is there any integration with vCM in your environment?

erikjohnsen
Enthusiast

No vCM integration.

My ambition is this: a custom policy based on vSphere 5.5 Hardening that has different thresholds for certain items (ESXi Console/SSH timeout to 300 instead of 900, for instance) and disables certain items in the hardening policy.

What is the best method of accomplishing this? Do I need to make or edit the alert- and symptom definitions?

Thanks

erikjohnsen
Enthusiast

It got set to enable (forced) after re-entering the policy. But it seems it's because it's activated again if it's enabled in an enabled alert definition.

erikjohnsen
Enthusiast

OK, so I made custom alert definitions, recommendations and cloned two symptom definitions (timeout for SSH and console). I set this to 500 and added them to the alert definition for ESXi hosts. However, now it seems that a new value isn't collected by vROps anymore. Even after I changed the timeout value to verify the new configuration for the ESXi hosts to greater than 500, it is complaining that it's still set to 1000 (a value I tested with earlier). It seems it's not updating the value from the ESXi host. Any other value/metric seems to be updating though. Ugh. Any pointers?

So basically:

Old ESXi timeout value: 1000

New symptom definition: 500

New ESXi timeout value: 500

vROps is still seeing 1000 as the ESXi timeout value after it was changed, i.e. it says "not compliance, 1000 > 500".

If I change any other value on the ESXi host, e.g. the syslog folder, it will update the alert with the new metric/config.

It's the Non-Compliant idle time and non-compliant timeout value symptom definitions. UserVars.ESXiShellTimeout and UserVars.ESXiShellInteractiveTimeout.

erikjohnsen
Enthusiast

Nobody? :(
