VMware Cloud Community
hennish
Hot Shot

How can we (sys)log all attempts to mount virtual devices in VMs?

Hi. We're doing a PCI DSS project, and we would like to get centralized logging (syslog, that is) for all attempts where users/admins mount virtual devices to the VMs, such as CD/DVD/ISO. I've tried looking in the local ESXi logs (vmkernel.log, vobd.log and such), but I can't see any log entries when mounting an ISO to a VM.

vCenter Server writes in its log "a ticket of type device has been acquired", but how do we get that to syslog?

2 Replies
MKguy
Virtuoso

Unfortunately vCenter, at least the Windows one, does not support sending its logs to a syslog server. I think it's not available out-of-the-box in the Linux-based vCenter Appliance either, but you can certainly configure the underlying Linux OS to send logs to some syslog destination.

The closest you can get would be configuring SNMP traps for specific events in vCenter and having the SNMP trap destination deal with logging that or forwarding it to a syslog host.

There are 3rd party Windows syslog agents too, which you could configure to monitor the relevant vCenter logfiles.

I've tried looking in the local ESXi logs (vmkernel.log, vobd.log and such), but I can't see any log entries when mounting an ISO to a VM.

The hostd log file actually contains some information regarding such events:

Mounting an ISO:

2013-12-10T11:40:21.136+01:00 Hostd [2AFE1B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx' opID=87c4e36a-a9] Ticket issued for device service to user: vpxuser

Console Connection:

2013-12-10T11:38:14.396+01:00 Hostd [FFCE5B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx' opID=e5b881c4-60] Ticket issued for mks service to user: vpxuser

This doesn't identify the actual user, but it should be possible to correlate it with the vCenter logs if needed.

-- http://alpacapowered.wordpress.com
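As an added example (not code from the original thread or from VMware), the following script parses hostd.log "Ticket issued" lines of the shape quoted in the reply above into structured events, keeps the "device" tickets that the reply associates with mounting an ISO, and flattens each one to a key=value line that a file-monitoring syslog agent could forward. The regular expression, the TicketEvent fields, the output format and the sample log text are this example's own assumptions; the only thing taken from the page is the layout of the two quoted hostd lines. The opID is kept because it is the handle for correlating the hostd entry with the vCenter log to recover the real user behind vpxuser.

```python
"""Parse hostd.log 'Ticket issued' lines into structured events.

Added example for the thread above; not VMware code. The line layout is
taken from the two hostd.log entries quoted in the reply; the regex, the
event fields and the key=value output line are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the shape of the quoted hostd.log lines.
# The third line is an unrelated filler entry to show that it is ignored.
SAMPLE_HOSTD_LOG = """\
2013-12-10T11:38:14.396+01:00 Hostd [FFCE5B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx'  opID=e5b881c4-60] Ticket issued for mks service to user: vpxuser
2013-12-10T11:40:21.136+01:00 Hostd [2AFE1B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx' opID=87c4e36a-a9] Ticket issued for device service to user: vpxuser
2013-12-10T11:41:02.001+01:00 Hostd [2AFE1B90 verbose 'Hostsvc'] Unrelated entry, no ticket here
"""

# Assumed from the two quoted lines; adjust if your hostd build formats the
# bracketed prefix differently.
TICKET_RE = re.compile(
    r"^(?P<ts>\S+) Hostd \[\w+ \w+ 'Vmsvc\.vm:(?P<vmx>[^']+)'\s+"
    r"opID=(?P<opid>[^\]\s]+)\] Ticket issued for (?P<service>\w+) service "
    r"to user: (?P<user>\S+)\s*$"
)


@dataclass
class TicketEvent:
    timestamp: str
    vmx: str       # path of the VM's .vmx, i.e. which VM the ticket targets
    opid: str      # operation ID, the handle for correlating with vCenter logs
    service: str   # 'device' (virtual device such as CD/DVD/ISO) or 'mks' (console)
    user: str      # usually 'vpxuser' when the request came through vCenter

    @property
    def vm_name(self) -> str:
        """Directory-independent VM name derived from the .vmx file name."""
        return self.vmx.rsplit("/", 1)[-1].removesuffix(".vmx")


def parse_ticket_line(line: str) -> Optional[TicketEvent]:
    """Return a TicketEvent for a 'Ticket issued' line, None for anything else."""
    m = TICKET_RE.match(line)
    if not m:
        return None
    return TicketEvent(m["ts"], m["vmx"], m["opid"], m["service"], m["user"])


def find_tickets(log_text: str, service: Optional[str] = None) -> List[TicketEvent]:
    """All ticket events in log_text, optionally only those for one service."""
    events = [ev for ev in map(parse_ticket_line, log_text.splitlines()) if ev]
    if service is not None:
        events = [ev for ev in events if ev.service == service]
    return events


def to_kv_line(ev: TicketEvent) -> str:
    """Flatten an event to one key=value line for a syslog forwarder to ship."""
    return (f"hostd_ticket ts={ev.timestamp} vm={ev.vm_name} service={ev.service} "
            f"user={ev.user} opID={ev.opid}")


if __name__ == "__main__":
    # Only the virtual-device tickets are interesting for the mount audit.
    for ev in find_tickets(SAMPLE_HOSTD_LOG, service="device"):
        print(to_kv_line(ev))
```

Run it against a real hostd.log (for example by tailing the file and feeding each line to parse_ticket_line) and forward the key=value output; the opID field is what you would then look up in the vCenter logs to attribute the action to a named user.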
hennish
Hot Shot

Hi. Thanks for the detective work! Too bad that the actual user is being abstracted by the vpxuser account. The funny thing is that it's the exact same thing that vCloud Director does to vCenter Server, and the exact same thing vCAC does to vCloud Director. Good thing I'm not PCI DSS securing an environment that has all those three.

I just learned that the customer has an agent that we can place on the vCenter Windows server that can send Windows Event logs and/or specific text files to a "syslog" central logging server.

Unfortunately, I can't see these mount events (nor successful/failed login events) in any of these places, only in the vCenter Server internal "Events" tab, which is written to its database only, not to file.

The chase goes on. How is everyone else passing PCI DSS, when vCenter Server can't fulfill these demands?
