VMware Cloud Community

exploreeverythi
Contributor

vCenter Alarm for root login to ESXi hosts

When someone logs into an ESXi host as root, an event is logged under "Tasks & Events" of the host with details such as timestamp, source IP and logon method (vSphere Client, SSH or PowerCLI). I would like to create a vCenter alarm for that particular event to get notified, but I am unable to find a built-in vCenter alarm for this particular use. Is this doable through PowerCLI?

Thanks

Ganesh

Accepted Solution

LucD
Leadership

The event is only triggered when you log on to the vCenter Client or Web Client with the root account.

When you log on locally (SSH for example), that will NOT trigger an alarm, because the event I assume you are referring to is only present on the ESXi node, while alarms are defined on the vCenter.

$si = Get-View ServiceInstance
$alarmMgr = Get-View -Id $si.Content.AlarmManager

# AlarmSpec
$alarm = New-Object VMware.Vim.AlarmSpec
$alarm.Name = "ESXi Root Logon"
$alarm.Description = "Root account logon to an ESXi node"
$alarm.Enabled = $true

# Transition - green --> red
# (defined here but not attached to an AlarmTriggeringAction, so this alarm
# only changes the object's alarm status; it sends no e-mail or SNMP trap)
$trans = New-Object VMware.Vim.AlarmTriggeringActionTransitionSpec
$trans.StartState = "green"
$trans.FinalState = "red"

# Expression - Login
# Matches UserLoginSessionEvent events raised for HostSystem objects
$expression = New-Object VMware.Vim.EventAlarmExpression
$expression.EventType = 'UserLoginSessionEvent'
$expression.objectType = "HostSystem"
$expression.status = "red"

# Root login - only fire when the event's userName attribute is exactly 'root'
$comparison = New-Object VMware.Vim.EventAlarmExpressionComparison
$comparison.AttributeName = 'userName'
$comparison.Operator = 'equals'
$comparison.Value = 'root'
$expression.Comparisons += $comparison

$alarm.expression = New-Object VMware.Vim.OrAlarmExpression
$alarm.expression.expression += $expression

$alarm.setting = New-Object VMware.Vim.AlarmSetting
$alarm.setting.reportingFrequency = 0
$alarm.setting.toleranceRange = 0

# Define the alarm on the vCenter root folder, i.e. for the whole inventory
$alarmMgr.CreateAlarm($si.Content.RootFolder,$alarm)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


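As an added example (not LucD's script and not part of the original post), the same event alarm wrapped in a function that can be re-run safely and that actually notifies someone: it first removes an existing definition with the same name (alarm names must be unique in a vCenter) and attaches a SendEmailAction to the green-to-red transition. It assumes an existing Connect-VIServer session with the VMware.PowerCLI module loaded, an SMTP server configured on the vCenter, and the placeholder address alerts@example.org and host name esx01.example.org.

```powershell
# Added example (not from the thread). Assumes: Connect-VIServer already done,
# VMware.PowerCLI loaded, vCenter mail settings configured.
function New-EventLoginAlarm {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = "Logon alarm created by New-EventLoginAlarm",
        # Account to match; 'root' for ESXi hosts
        [Parameter(Mandatory)][string]$UserName,
        # 'HostSystem' restricts the expression to host events; $null = any object type
        [string]$ObjectType = 'HostSystem',
        # MoRef of the inventory object the alarm is defined on; default = root folder
        $EntityMoRef = $null,
        [string[]]$MailTo = @('alerts@example.org')   # placeholder address
    )

    $si       = Get-View ServiceInstance
    $alarmMgr = Get-View -Id $si.Content.AlarmManager
    if (-not $EntityMoRef) { $EntityMoRef = $si.Content.RootFolder }

    # Alarm names are unique per vCenter: drop a previous definition with this
    # name instead of failing with "The name ... already exists".
    Get-AlarmDefinition -Name $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $Name } |
        Remove-AlarmDefinition -Confirm:$false

    $spec = New-Object VMware.Vim.AlarmSpec
    $spec.Name        = $Name
    $spec.Description = $Description
    $spec.Enabled     = $true

    # Trigger: a UserLoginSessionEvent whose userName equals the account
    $expr = New-Object VMware.Vim.EventAlarmExpression
    $expr.EventType = 'UserLoginSessionEvent'
    $expr.Status    = 'red'
    if ($ObjectType) { $expr.ObjectType = $ObjectType }

    $cmp = New-Object VMware.Vim.EventAlarmExpressionComparison
    $cmp.AttributeName = 'userName'
    $cmp.Operator      = 'equals'
    $cmp.Value         = $UserName
    $expr.Comparisons += $cmp

    $spec.Expression = New-Object VMware.Vim.OrAlarmExpression
    $spec.Expression.Expression += $expr

    # Action: e-mail on green -> red. Without an action the alarm only changes
    # colour in the inventory and nobody is notified.
    $mail = New-Object VMware.Vim.SendEmailAction
    $mail.ToList  = ($MailTo -join ',')
    $mail.Subject = "[vCenter alarm] $Name on {targetName}"
    $mail.Body    = "Event: {eventDescription}`nTriggered: {triggeringSummary}"

    $trans = New-Object VMware.Vim.AlarmTriggeringActionTransitionSpec
    $trans.StartState = 'green'
    $trans.FinalState = 'red'
    $trans.Repeats    = $false

    $action = New-Object VMware.Vim.AlarmTriggeringAction
    $action.Action          = $mail
    $action.TransitionSpecs += $trans
    $spec.Action          = $action
    $spec.ActionFrequency = 0

    $spec.Setting = New-Object VMware.Vim.AlarmSetting
    $spec.Setting.ReportingFrequency = 0
    $spec.Setting.ToleranceRange     = 0

    $alarmMoRef = $alarmMgr.CreateAlarm($EntityMoRef, $spec)
    Get-View -Id $alarmMoRef
}

# ESXi root logons, defined once at the vCenter root; it fires per host
New-EventLoginAlarm -Name 'ESXi Root Logon' -UserName 'root' -ObjectType 'HostSystem'

# The same alarm scoped to a single host instead of the whole inventory
# New-EventLoginAlarm -Name 'ESXi Root Logon - esx01' -UserName 'root' `
#     -EntityMoRef (Get-VMHost -Name 'esx01.example.org').ExtensionData.MoRef
```

The {targetName}, {eventDescription} and {triggeringSummary} tokens are the standard vCenter alarm e-mail variables. As LucD points out above, this only catches logons that reach vCenter as events; a local SSH logon to the host is not visible to it.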
11 Replies

mansighthear
Enthusiast

Hi LucD, thanks for this useful script! A question: after creating this alarm, should I be seeing this under the vCenter-level alarms or the host-level alarms?

[attached screenshot: pastedImage_2.png]

Thanks

LucD
Leadership

The alarm is created with the MoRef $si.Content.RootFolder, which means it is defined at the vCenter level, i.e. on the Datacenters folder.

[attached screenshot: alarm.png]


mansighthear
Enthusiast

I found it, thanks!!

I tested a login to one host; however, all other hosts in the cluster got the alarm as well. How do I specify the trigger to trip and show only on the particular host where the root login occurred?

LucD
Leadership

Instead of the root folder ($si.Content.RootFolder), use the MoRef of that ESXi node: (Get-VMHost -Name MyEsx).ExtensionData.MoRef


mansighthear
Enthusiast

Yep, it's working! However, I can't create the same alarm for other hosts. I'm getting the error below:

Exception calling "CreateAlarm" with "2" argument(s): "The name 'ESXi Root Logon' already exists."
At line:40 char:1
+ $alarmMgr.CreateAlarm((Get-VMHost -Name $TargetVMhost).ExtensionData. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : VimException

It seems to work when I create differently named copies of the same alarm per host, so every host has a unique $alarm.Name value. If one has tons of hosts, the alarm would have to be unique to each individual host.

I'm thinking whether this could be implemented at the vCenter level without triggering all the alarms when there is only one login event for one particular host...

LucD
Leadership

Not sure what you are trying to do.

The Alarm is defined on the vCenter root level, and it reacts to HostSystem events.

The Alarm will only be fired for the specific ESXi node where the trigger happened.

You will "see" the triggered alarm under Triggered Alarms on the vCenter, but it will in reality be fired for one specific ESXi node.

These triggered alarms are visible all the way up to where the Alarm was defined.

And yes, Alarms need a unique name, system wide.



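An added check (not from the thread) for the point LucD makes in the reply above: the alarm definition lives on the root folder, but the triggered state is stored on the HostSystem that raised the event. The script lists, per host, the triggered instances of the alarm together with the matching root UserLoginSessionEvent entries (timestamp, source IP, user agent), so you can confirm it fired for one host only and see where the login came from, and then acknowledges and resets the alarm for that host alone. It assumes a Connect-VIServer session, an alarm named 'ESXi Root Logon' as created above, and the placeholder host name esx01.example.org.

```powershell
# Added example (not from the thread). Assumes: Connect-VIServer already done,
# an event alarm named 'ESXi Root Logon' defined at the vCenter root.
function Get-TriggeredLoginAlarm {
    param(
        [string]$AlarmName = 'ESXi Root Logon',
        [int]$LookbackHours = 24
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    foreach ($vmhost in Get-VMHost) {
        # TriggeredAlarmState is kept on the entity the alarm fired for, not on
        # the folder where the alarm definition was created.
        foreach ($state in $vmhost.ExtensionData.TriggeredAlarmState) {
            $alarm = Get-View -Id $state.Alarm
            if ($alarm.Info.Name -ne $AlarmName) { continue }

            # Matching events on this host only; source IP and user agent are
            # the first things an investigator wants to see.
            $logins = Get-VIEvent -Entity $vmhost -Start $since -MaxSamples 1000 |
                Where-Object { $_ -is [VMware.Vim.UserLoginSessionEvent] -and $_.UserName -eq 'root' } |
                ForEach-Object { '{0:u} from {1} via {2}' -f $_.CreatedTime, $_.IpAddress, $_.UserAgent }

            [pscustomobject]@{
                Host         = $vmhost.Name
                Alarm        = $alarm.Info.Name
                Status       = $state.OverallStatus
                Time         = $state.Time
                Acknowledged = $state.Acknowledged
                RootLogins   = ($logins -join '; ')
            }
        }
    }
}

# Acknowledge and reset the alarm on exactly one host once the login is reviewed;
# other hosts carrying the same alarm definition are left untouched.
function Reset-LoginAlarm {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$AlarmName = 'ESXi Root Logon'
    )
    $si       = Get-View ServiceInstance
    $alarmMgr = Get-View -Id $si.Content.AlarmManager
    $vmhost   = Get-VMHost -Name $HostName
    $alarm    = Get-AlarmDefinition -Name $AlarmName | Where-Object { $_.Name -eq $AlarmName }

    $alarmMgr.AcknowledgeAlarm($alarm.ExtensionData.MoRef, $vmhost.ExtensionData.MoRef)
    $alarmMgr.SetAlarmStatus($alarm.ExtensionData.MoRef, $vmhost.ExtensionData.MoRef, 'green')
}

Get-TriggeredLoginAlarm | Format-Table -AutoSize
# Reset-LoginAlarm -HostName 'esx01.example.org'   # placeholder host name
```

If the table shows the alarm on every host although only one root login event appears, check whether the hosts are listed with a triggered state of their own or are merely displayed under the parent object's Triggered Alarms view; the per-host TriggeredAlarmState is the authoritative answer.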
hideyori
Enthusiast

Hello LucD

Can this alarm definition be modified so it alarms on logins to vCenter rather than to ESXi?

Regards

oli4

LucD
Leadership

Yes, change the account name and drop the ObjectType.
Something like this.

If you want to monitor access to the VCSA itself, you will have to look for SSO events.

# Account to watch for; change to whatever vCenter account you want to alarm on
$user = 'VSPHERE.LOCAL\Administrator'

$si = Get-View ServiceInstance
$alarmMgr = Get-View -Id $si.Content.AlarmManager

# AlarmSpec
$alarm = New-Object VMware.Vim.AlarmSpec
$alarm.Name = "Test vCenter Logon"
$alarm.Description = "Administrator logon to vCenter"
$alarm.Enabled = $true

# Transition - green --> red
# (not attached to an action in this script; the alarm only changes status)
$trans = New-Object VMware.Vim.AlarmTriggeringActionTransitionSpec
$trans.StartState = "green"
$trans.FinalState = "red"

# Expression - Login
# No ObjectType here, so the expression matches UserLoginSessionEvent on any object
$expression = New-Object VMware.Vim.EventAlarmExpression
$expression.EventType = 'UserLoginSessionEvent'
$expression.status = "red"

# Administrator login - compare the event's userName attribute with $user
$comparison = New-Object VMware.Vim.EventAlarmExpressionComparison
$comparison.AttributeName = 'userName'
$comparison.Operator = 'equals'
$comparison.Value = $user
$expression.Comparisons += $comparison
$alarm.expression = New-Object VMware.Vim.OrAlarmExpression
$alarm.expression.expression += $expression

$alarm.setting = New-Object VMware.Vim.AlarmSetting
$alarm.setting.reportingFrequency = 0
$alarm.setting.toleranceRange = 0

$alarmMgr.CreateAlarm($si.Content.RootFolder, $alarm)

 


maksym007
Expert

LucD, as usual, at the top level.

Thx, I will take that script too

hideyori
Enthusiast

Many Thanks, this worked perfectly 🙂
