Audit VMware vSphere changes with Netwrix Auditor

Auditing is one of those challenging areas in IT that has always been a sore subject for most administrators. Auditing has traditionally not been an easy thing to do. Sure, it is easy to enable all the audit switches to audit activities in a Windows environment, but how do you gather that information and add intelligence to it? Also, in other environments such as a VMware environment, how can you know what users are doing? What did they change and when did they change it? These are questions that can require a lot of heavy lifting, scripting, and so forth to answer.

We have covered several Netwrix products in the past, including free tools such as the Netwrix Log Manager and Password Lockout utilities, which are great free resources. Recently, we covered the Netwrix Auditor tool in the realm of Active Directory changes. However, this is a powerful utility that covers many other products, including VMware environments. We can audit VMware vSphere changes with Netwrix Auditor to intelligently see changes being made.

System Requirements

The system requirements for Netwrix Auditor are as follows:

| Hardware | Minimum | Recommended |
|---|---|---|
| Processor | Intel or AMD 64 bit, 2 GHz or any similar | Intel Core 2 Duo 2x or 4x 64 bit, 3 GHz or any similar, preferably a virtual machine |
| RAM | 2 GB | 8 GB – Required size highly depends on number of changes per day |
| Disk Space | 500 for product install, 30 GB for long-term archive, 500 MB for local SQL Server-based Audit Database | Up to 32 GB (approximately 3 million changes per day) |

OS: Windows Desktop OS (64-bit): Windows 7 SP1, Windows 8.1, and Windows 10; Server OS: Windows Server 2008 R2 SP1, Windows Server 2012/2012 R2, and Windows Server 2016
.NET Framework: 3.5 SP1, 4.0, 4.5, or 4.6 depending on OS
Installer: Windows Installer 3.1 and above

Audit VMware vSphere changes with Netwrix Auditor Monitor setup

The auditor for VMware is one of the monitors that is included when you install Netwrix Auditor.  To add the VMware monitor, click on the All Data Sources button in the Dashboard.

Then we can select VMware from the New Monitoring Plan configuration screen.

Next, we specify the Audit Database. Here, I am leaving the default DB that was created during the installation, as well as the credentials.

On the Recipients configuration screen, we set up the recipients for alerting/reporting purposes.

Next, we name the new VMware Monitor.

Since the monitor itself is really just a container of the monitoring we want to do, we now get into the configuration of the actual vCenter server connection.

After selecting the VMware ESX/ESXi/vCenter option, we are taken to the configuration screen to actually enter the host URL or vCenter Server URL.

After adding the connection, the monitor will begin its first query of the VMware environment.  You will see the Working status displayed for a couple of minutes while the connection is established and the first data gathering is completed.

Reports

One of the first things that most will be interested in is the Reports section.  The below listing shows all of the default VMware reports that are available to subscribe to out of the box.  Additionally, you can add custom reports to fit your needs if the default reports are not sufficient.

When you click on a report, you can choose to subscribe to the report.  By default you will see no recipients listed.  You can click this link and add recipients.

Once you add a recipient, you will see the new subscription added.

Email Alerts

The really nice thing about Netwrix Auditor for VMware is that we can view reports through the reports interface or have these sent to us via email.  To start simulating changes in my lab environment, I disconnected a network adapter from a VM in my datastore.

When running the VMware Virtual Machine Changes report, as we can see below, Netwrix VMware Auditor picks up the changes.

Also, the email functionality shows the same information.  Below is an example of the report that is sent, which I received via Gmail.

Intelligent Search feature

Netwrix Auditor also provides an intelligent search feature that allows you to search across all of your monitors for events related to a who, action, what, when, or where.  Below, I searched for the name of my vCenter server and quickly had a hit on the network card disconnect action that was performed.

Thoughts

If you are looking for a powerful way to monitor and audit your VMware vSphere environment to have complete visibility into actions that are taken, you can audit VMware vSphere changes with Netwrix Auditor.  The interface is intuitive and extremely powerful to quickly and easily see changes being made.  The reporting and alerting features are also powerful to give you the alerting needed when not inside the console.  Check out Netwrix Auditor for VMware where you can download a trial version to take it for a spin in your environment.  Also, check out the quick start guide which has all the details to get up and running quickly.