VMware

Netwrix Auditor relies on native logs for collecting audit data. Therefore, successful change and access auditing requires a certain configuration of native audit settings in the audited environment and on the Auditor console computer. Configuring your IT infrastructure may also include enabling certain built-in Windows services, etc. Proper audit configuration is required to ensure audit data integrity; otherwise, your change reports may contain warnings, errors or incomplete audit data.

CAUTION: The folder associated with Netwrix Auditor must be excluded from antivirus scanning. See the Antivirus Exclusions for Netwrix Auditor knowledge base article for additional information.

You can configure your IT Infrastructure for monitoring automatically through a monitoring plan. No manual configurations are required.

Review a full list of object types and attributes Netwrix Auditor can collect on a VMware server (standalone host or vCenter server).

| Object type | Attributes |
|---|---|
| Virtual Machine | Annotation; Check and upgrade Tools; Connect at power on; Connected; Current Snapshot; Disable Acceleration; Enable Logging; Force BIOS Setup; Guest OS; Guest OS Version; Guest Power Management; Guest State; Hardware Page Table Virtualization; Hyper-threaded Core Sharing; Memory Size (M); Notes; Number of virtual processors; Operation mode of guest OS; Power Off Type; Power On; Power State; Power-on Boot Delay; Record Debugging Information; Reset Type; Resource Pool; Run VMware Tools Scripts After Powering On; Run VMware Tools Scripts After Resuming; Run VMware Tools Scripts Before Powering Off; Run VMware Tools Scripts Before Suspending; Snapshot Description; Snapshot Name; Suspend Type; Synchronize guest time with host; Swap file Location; Template; Virtual Machine Name; VirtualCdrom Device Type; VirtualCdrom Mode; VirtualDisk Capacity(K); VirtualDisk Datastore; VirtualDisk Disk Mode; VirtualDisk Share Level; VirtualDisk Unit Number; VirtualFloppy Device Type; VirtualParallelPort Connection; VirtualPCNet32 MAC Address Type; VirtualPCNet32 MAC Address; VirtualPCNet32 Wake on LAN; VirtualSerialPort Connection; VirtualSerialPort Far End; VirtualSerialPort Near End; VirtualSerialPort Yield CPU on poll; VirtualSCSIController Controller Type; VirtualSCSIController Bus Sharing; VirtualSCSIController Bus Number |
| Authorization Manager | Authorization Manager Name; Privilege |
| Cluster Resource | Available CPU; Available Hosts; Available Memory; Name; Swap Policy for Virtual Machines; VMware DRS; VMware DRS Automation Level; VMware DRS Migration threshold; VMware DRS Power Management; VMware DRS 'Keep Virtual Machines Together' Rule Name; VMware DRS 'Keep Virtual Machines Together' Rule Enabled; VMware DRS 'Keep Virtual Machines Together' Rule Status; VMware DRS 'Keep Virtual Machines Together' Rule Virtual Machine; VMware DRS 'Separate Virtual Machines' Rule Name; VMware DRS 'Separate Virtual Machines' Rule Enabled; VMware DRS 'Separate Virtual Machines' Rule Status; VMware DRS 'Separate Virtual Machines' Rule Virtual Machine; VMware DRS Virtual Machine Automation Mode; VMware HA; VMware HA Admission Control; VMware HA Isolation Response; VMware HA Restart Priority; VMware HA Number of host failures allowed; VMware HA Advanced Option; VMware HA Isolation Response; VMware HA Restart Priority |
| Computer Resource | Name |
| Datacenter | Name |
| Data Store | Accessible; Name |
| Distributed Port Group | Name; Distributed Virtual Switch; Ports Number; Uplink |
| Distributed Switch | Name; Port Group; Uplink Port |
| Folder | Folder Name |
| Host System | Configuration Status; CPU Expandable Reservation; CPU Limit; CPU Reservation; CPU Shares Level; CPU Shares; Datastore accessible to Host; Memory Expandable Reservation; Memory Limit; Memory Reservation; Memory Shares Level; Memory Shares; NTP required; NTP uninstallable; NTP running; NTP policy; NTP Servers; Overall Status; Port Group Allow Promiscuous; Port Group MAC Address Changes; Port Group Forged Transmits; Port Group VLAN ID; Port Group Attached uplink adapter; Service Console IP Address of port; Virtual Switch Allow Promiscuous; Virtual Switch MAC Address Changes; Virtual Switch Forged Transmits; Virtual Switch Number of Ports; Virtual Switch Attached uplink adapter; VMkernel IP Address of port |
| Resource Pool | Name |
| VirtualApp | Name; Child; Parent Folder |

Users and groups

Starting with version 10.5, Netwrix Auditor for VMware collects data on VMware users and groups.

To audit users and groups, vCenter 6.5 and above is required.

The following objects are monitored:

  • vCenter Single Sign-On (SSO) Users. The product collects data from vCenter.

  • Localos users. For these users, the product collects data from ESXi and vCenter.

    The Who value is reported as “Not Applicable” for localos users if the data was collected from the entire vCenter.

  • VMware groups. The product collects data from vCenter.

| Object type | Actions | Attributes |
|---|---|---|
| SSO User | Added; Modified; Removed | Description; Email; FullName; Disabled |
| Localos user | Added; Modified; Removed | Disabled; FullName; Locked; Member Of; Name |
| Group | Added; Modified; Removed | Member; Description |

Netwrix Auditor may report several changes with Who shown as System due to peculiarities of native VMware auditing.

Considerations and Limitations

The following considerations refer to VMware infrastructure monitoring with Netwrix Auditor:

  • A VM that was moved from one resource pool to another (within the same VMware host) will be reported as Modified.
  • If an ESXi host was specified as a monitored item in the corresponding monitoring plan, but a virtual machine was created using the vCenter Server (not this ESXi host) management facilities, information about this VM creation will not be collected. To work around, specify the vCenter Server as a monitored item in the monitoring plan.
  • For ESXi host permission changes, the "What" field in the Activity Records (and, therefore, reports and search results) will report \root.
  • Netwrix Auditor will not collect data on the Failed Logon event for an incorrect logon attempt through VMware vCenter Single Sign-On.
  • Data on logon attempts performed using SSH will also not be collected.
  • For a custom role creation event, the initiator will be reported as System.

Permissions for VMware Server Auditing

Before you start creating a monitoring plan to audit your VMware hosts, plan for the account that will be used for data collection – it should meet the requirements listed below. Contact your virtual infrastructure administrator if necessary.

On the target VMware hosts:

  • To collect state-in-time data and to audit SSO users, local users, and groups, the account must be included in the Administrators group for the vCenter SSO domain. (If you have assigned the Read-only role to that account, it should be removed.)
  • To collect activity data, the account must have at least Read-only role on the audited hosts.

See the following VMware article for additional information: Add Members to a vCenter Single Sign-On Group.

You will then provide this account in the monitoring plan wizard. It will be used as the default account to process all items (VMware servers) included in the monitoring plan. However, if you want to use specific settings for each of your VMware servers, you can provide a custom account when configuring the corresponding monitored item.
