3 Replies Latest reply on Apr 25, 2017 5:11 AM by Texiwill

    Query or Alarm for adding reconfiguring VM

    JimKnopf99 Master

      Hi,

      I have a question about how to create an alarm when a user changes, for example, the memory size of a VM.

      I could create an alarm when a VM is reconfigured, but I didn't see exactly what the user does. I think I am doing something wrong in the way I try to get that information out of Log Insight.

       

      Any help is much appreciated.

      Frank

        • 1. Re: Query or Alarm for adding reconfiguring VM
          Hot Shot

          Look for events like this, where the vc_event_type field contains com.vmware.vim25.vmreconfiguredevent:

           

          2017-04-24 17:47:42.112 HOSTNAME vcenter-server: Reconfigured VM_NAME on VCENTER_SERVER_NAME in North America Remote Sites.

           

          Modified:

           

          config.hardware.device(1000).device: (2000, 2001, 2002) -> (2000, 2001, 2002, 2003);

           

          Added:

           

          config.hardware.device(2003): (key = 2003, deviceInfo = (label = "Hard disk 4", summary = "1,310,720,000 KB"), backing = (fileName = "ds:///vmfs/volumes/58f5ded1-0b831a8c-2eed-ecb1d79d3200/VM_NAME/VM_NAME4_3.vmdk", datastore = 'vim.Datastore:1088664C-8D55-4361-99E5-2EDEA6Z1X838:datastore-39958', backingObjectId = "", diskMode = "persistent", split = false, writeThrough = false, thinProvisioned = false, eagerlyScrub = <unset>, uuid = "6000C299-a1e6-355c-bdzc-31cc6fa65bc4", contentId = "cacfc4fc6f44ea830785b146fffffffe", changeId = <unset>, parent = null, deltaDiskFormat = <unset>, digestEnabled = false, deltaGrainSize = <unset>, deltaDiskFormatVariant = <unset>, sharing = "sharingNone", keyId = null), connectable = null, slotInfo = null, controllerKey = 1000, unitNumber = 3, capacityInKB = 1310720000, capacityInBytes = 1342177280000, shares = (shares = 1000, level = "normal"), storageIOAllocation = (limit = -1, shares = (shares = 1000, level = "normal"), reservation = 0), diskObjectId = "1-2003", vFlashCacheConfigInfo = null, iofilter = <unset>, vDiskId = null);

           

          Deleted:

           

           

          These events tell you what changed in the reconfig. Once you fine-tune your query (in your case, for the memory size of a VM, you would look for text like config.hardware.memoryMB: 1024 -> 4096;), you can then use the Create Alert from Query option to create the alarm.

           

          Hope this helps.

          Thanks,

          -Yogita.
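
Added example, not part of the original thread or any poster's code: a small Python parser for the reconfigure event text quoted in the reply above, splitting it into its Modified/Added/Deleted sections and pulling out the config.hardware.memoryMB change. The sample event is constructed from the lines quoted above, and the function names are hypothetical.

```python
import re

# Section headers as they appear in the reconfigure event text.
HEADERS = {"Modified:": "Modified", "Added:": "Added", "Deleted:": "Deleted"}

# One "property.path: old -> new;" entry from the Modified section.
CHANGE_RE = re.compile(r"^(?P<path>[\w.()]+):\s*(?P<old>.*?)\s*->\s*(?P<new>.*?);?\s*$")

# Constructed sample, assembled from the event lines quoted in the thread.
SAMPLE_EVENT = """\
2017-04-24 17:47:42.112 HOSTNAME vcenter-server: Reconfigured VM_NAME on VCENTER_SERVER_NAME in North America Remote Sites.

Modified:
config.hardware.memoryMB: 1024 -> 4096;
config.hardware.device(1000).device: (2000, 2001, 2002) -> (2000, 2001, 2002, 2003);

Added:
config.hardware.device(2003): (key = 2003, deviceInfo = (label = "Hard disk 4"), capacityInKB = 1310720000);

Deleted:
"""

def parse_reconfig(text):
    """Split the event text into lists of Modified/Added/Deleted entries."""
    sections = {name: [] for name in HEADERS.values()}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue                      # blank separator lines carry no data
        if line in HEADERS:
            current = HEADERS[line]       # switch to the section just announced
        elif current:
            sections[current].append(line)
    return sections

def modified_properties(text):
    """Return {property_path: (old, new)} for each 'path: old -> new;' entry."""
    matches = (CHANGE_RE.match(l) for l in parse_reconfig(text)["Modified"])
    return {m["path"]: (m["old"], m["new"]) for m in matches if m}

def memory_change(text):
    """Return (old_mb, new_mb) if the event changed memory size, else None."""
    change = modified_properties(text).get("config.hardware.memoryMB")
    return (int(change[0]), int(change[1])) if change else None

if __name__ == "__main__":
    print("memory:", memory_change(SAMPLE_EVENT))
    print("added :", parse_reconfig(SAMPLE_EVENT)["Added"])
```
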

          • 2. Re: Query or Alarm for adding reconfiguring VM
            JimKnopf99 Master

            Hi,

            I found those events for vmreconfiguredevent. But then I am lost. Nothing from the other fields contains anything about hardware changes.

            I am running the vCenter-included version of Log Insight. Maybe it is not possible to find that information there?

            Frank

             

            memory.JPG

            memory2.JPG

            • 3. Re: Query or Alarm for adding reconfiguring VM
              Texiwill Guru
              User Moderators, vExpert

              Hello,

               

              I use this in my Security Operations Dashboard (aac-lib/vli at master · Texiwill/aac-lib · GitHub) and it represents the changes made to virtual hardware either by hand or by script. You usually end up seeing quite a few of these events during backup, for example. This really has nothing to do with 'adding' a VM, but with changes to the VM. The issue is that for any vmreconfigureevent you see, you may see multiple events grouped together or only one. There are also 2 layers to any event: vCenter and ESXi. The ones you listed there are vCenter and they do not say much, but if you look for vmreconfigureevent you end up with those coming from vpxd that show the real changes.

               

              What were you expecting to see?

               

              The best way to catch everything you want is to make the change or add something you want to track in Log Insight. Then search for the name of the item (i.e. VM-Name) and see what shows up. Then you can create a general rule/search for that item/element.

               

              Best regards,
              Edward L. Haletky aka Texiwill
              VMware Communities User Moderator, VMware vExpert 2009-2017

              Virtualization and Cloud Security Analyst: TVP Strategy

              Blue Gears Blog: vSphere Upgrade Saga
              Podcast: Virtualization and Cloud Security Round Table Podcast
              GitHub: https://github.com/Texiwill