
Audit VMware vSphere changes with Netwrix Auditor

Today's post takes a look at how to audit VMware vSphere changes with Netwrix Auditor, a powerful tool for auditing, security, and compliance.

Auditing is one of those challenging areas in IT that has always been a sore subject for most administrators, and it has traditionally not been an easy thing to do. Sure, it is easy to enable all the audit switches to audit activities in a Windows environment, but how do you gather that information and add intelligence to it? And in other environments, such as a VMware environment, how can you know what users are doing? What did they change, and when did they change it? Answering these questions can require a lot of heavy lifting, scripting, and so forth.

We have covered several Netwrix products in the past, including free tools such as Netwrix Log Manager and the Password Lockout utilities, which are great resources. Recently, we covered the Netwrix Auditor tool in the realm of Active Directory changes. However, it is a powerful utility that covers many other products, including VMware environments. We can audit VMware vSphere changes with Netwrix Auditor to intelligently see changes being made.

System Requirements

The system requirements for Netwrix Auditor are as follows:

| Hardware | Minimum | Recommended |
|---|---|---|
| Processor | Intel or AMD 64 bit, 2 GHz or any similar | Intel Core 2 Duo 2x or 4x 64 bit, 3 GHz or any similar, preferably a virtual machine |
| RAM | 2 GB | 8 GB – Required size highly depends on number of changes per day |
| Disk Space | 500 for product install, 30 GB for long-term archive, 500 MB for local SQL Server-based Audit Database | Up to 32 GB (approximately 3 million changes per day) |

OS: Windows Desktop OS (64-bit): Windows 7 SP1, Windows 8.1, and Windows 10; Server OS: Windows Server 2008 R2 SP1, Windows Server 2012/2012 R2, and Windows Server 2016

.NET Framework: 3.5 SP1, 4.0, 4.5, or 4.6 depending on OS

Installer: Windows Installer 3.1 and above

Audit VMware vSphere changes with Netwrix Auditor Monitor setup

The auditor for VMware is one of the monitors that is included when you install Netwrix Auditor.  To add the VMware monitor, click on the All Data Sources button in the Dashboard.

Then we can select VMware from the New Monitoring Plan configuration screen.


Next, we specify the Audit Database. Here, I am leaving the default DB that was created during the installation, as well as the credentials.


On the Recipients configuration screen, we set up the recipients for alerting/reporting purposes.


Next, we name the new VMware Monitor.


Since the monitor itself is really just a container of the monitoring we want to do, we now get into the configuration of the actual vCenter server connection.


After selecting the VMware ESX/ESXi/vCenter option, we are taken to the configuration screen to actually enter the host URL or vCenter Server URL.


After adding the connection, the monitor will begin its first query of the VMware environment.  You will see the Working status displayed for a couple of minutes while the connection is established and the first data gathering is completed.


Reports

One of the first things that most will be interested in is the Reports section.  The below listing shows all of the default VMware reports that are available to subscribe to out of the box.  Additionally, you can add custom reports to fit your needs if the default reports are not sufficient.


When you click on a report, you can choose to subscribe to the report.  By default you will see no recipients listed.  You can click this link and add recipients.


Once you add a recipient, you will see the new subscription added.


Email Alerts

The really nice thing about Netwrix Auditor for VMware is that we can view reports through the reports interface or have them sent to us via email.  To start simulating changes in my lab environment, I disconnected a network adapter from a VM in my datastore.

When running the VMware Virtual Machine Changes report, as we can see below, Netwrix VMware Auditor picks up the changes.


Also, the email functionality shows the same information.  Below is an example of the emailed report, which I received via Gmail.


Intelligent Search feature

Netwrix Auditor also provides an intelligent search feature that allows you to search across all of your monitors for events related to a who, action, what, when, or where.  Below, I searched for the name of my vCenter server and quickly had a hit on the network card disconnect action that was performed.


Thoughts

If you are looking for a powerful way to monitor and audit your VMware vSphere environment to have complete visibility into actions that are taken, you can audit VMware vSphere changes with Netwrix Auditor.  The interface is intuitive and extremely powerful to quickly and easily see changes being made.  The reporting and alerting features are also powerful to give you the alerting needed when not inside the console.  Check out Netwrix Auditor for VMware where you can download a trial version to take it for a spin in your environment.  Also, check out the quick start guide which has all the details to get up and running quickly.


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
