WilliamLam.com


How to audit VM reconfigurations and see what exactly changed?

08.13.2015 by William Lam // 27 Comments

A question that I see come up on a regular basis is how to audit or understand what configuration changes were made to a given Virtual Machine. Today, identifying this information is actually quite difficult, at least without resorting to a custom-built solution that allows you to compare configuration changes over time. This is definitely an area that VMware is investing heavily in and although I cannot go into specific details, believe me when I say they are taking this very seriously both from a data completeness standpoint as well as simplifying the user experience.

Having said that, what options exist for customers today?

  1. Custom Solution - A system that could periodically snapshot your VM configurations into some type of data warehouse or CMDB platform. There are many challenges here but the biggest one is efficiently capturing the changes and ensuring you do not impact the overall performance of your vCenter Server, especially with larger inventories.
  2. vRealize Air Compliance - This is a new VMware SaaS offering which provides both compliance and remediation for your VM Configurations. I had a chance to preview this a while back and I have to say it is a pretty slick solution. You can easily step back in time to see exactly what has changed for a given set of VMs, and the UI is very intuitive. You can also add additional configurations to monitor and be alerted when you are out of compliance. Definitely something worth checking out, especially for customers who must go through regular audit reviews.
  3. vCenter Configuration Manager - I have not personally used this tool before, but I have been told it would also be possible to detect configuration changes for your VMs.
  4. Enabling "Trivia" Logging in vCenter Server - Though this is an option, it is not one that I recommend for a variety of reasons. The "Trivia" logging mode is very verbose and will generate huge amounts of data, which will cause your logs to quickly rotate out if you are not forwarding to a remote syslog server. There is also additional overhead cost for this type of logging and, more importantly, it may not capture all of the required data. This is an approach that some customers have tried but is not really a practical solution.

This topic has always been interesting to me and with several recent inquiries from the field, it got me thinking about this area again. While working on a completely different project, I ended up on Luc Dekens' awesome blog and came across his Events Part 3: Auditing VM Device Changes article. If you take a look at the article, you will see that Luc shows you how you can easily audit changes to a VM's devices (e.g. Virtual Disk, CD-ROM, etc). What Luc demonstrated in his script is just a specific type of configuration, but the point is that this type of information has always been available, just not easily consumable.

The secret is to key off of the VmReconfiguredEvent which includes a configSpec property that captures the exact set of configuration changes for a given VM. Below is an example of the configSpec dump of one of these events. We can clearly see that this VM had its vCPUs modified to 4 and its vMEM modified to 20GB.

With this information, we can now easily query the configuration changes for a given VM by looking through its past events. Leveraging the awesome work that Luc has already done with his script, I slightly enhanced it to cover not just device changes but overall VM configuration changes. With that, here is a PowerCLI script/function that I created called Get-VMConfigChanges.ps1

Note: The amount of historical events that you will be able to search through depends purely on your vCenter Server DB's retention period of Tasks/Events. For VMs which have been deleted, you will not be able to retrieve any events as they must be associated with an object in the database.

Below is an example of how to use this function which accepts a VM object and the number of hours (default to 8) to search through the VM's events:

$vcserver = "192.168.1.150"
$vcusername = "*protected email*"
$vcpassword = "VMware1!"

Connect-VIServer -Server $vcserver -User $vcusername -Password $vcpassword

$vm = Get-VM "Test-VM"

Get-VMConfigChanges -vm $vm -hours 12

Disconnect-VIServer -Server $vcserver -Confirm:$false

From the output below, we can clearly see the following configuration changes have been applied:

  1. Change vCPU to 2
  2. Change vMEM to 4GB
  3. Change vMEM to 5GB and Edited Virtual Disk (you can of course get further details by dumping more information)

Although this solution is not as clean as the vRealize Air Compliance offering, it does allow anyone to quickly pull out the relevant configuration changes for a given VM along with the user and the time the configuration was performed. Hopefully this goes to show how powerful the vSphere Platform APIs really are, and it is definitely worthwhile learning how they work.
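
The approach this post describes (filter a VM's events to VmReconfiguredEvent, then read the configSpec property) is sketched below as an added example; it is not the author's Get-VMConfigChanges.ps1. The function names, the sample user and the sample timestamp are assumptions made for illustration, and the constructed sample at the end runs without a vCenter connection.

```powershell
# Added example, not the author's script. Function names are hypothetical.
function ConvertTo-VMChangeRecord {
    # Flatten one VmReconfiguredEvent into one record per property set in its configSpec.
    param([Parameter(Mandatory, ValueFromPipeline)] $ReconfigEvent)
    process {
        foreach ($prop in $ReconfigEvent.ConfigSpec.PSObject.Properties) {
            if ($null -eq $prop.Value) { continue }   # unset property = not part of this change
            $value = if ($prop.Name -eq 'DeviceChange') {
                # Summarise each device edit as "<operation>:<device type>"
                ($prop.Value | ForEach-Object {
                    '{0}:{1}' -f $_.Operation, $_.Device.GetType().Name }) -join ', '
            } else { $prop.Value }
            [pscustomobject]@{
                Time    = $ReconfigEvent.CreatedTime
                User    = $ReconfigEvent.UserName
                VM      = $ReconfigEvent.Vm.Name
                Setting = $prop.Name
                NewValue = $value
            }
        }
    }
}

function Get-VMReconfigEvent {
    # Read VmReconfiguredEvent objects for one VM through an event history collector.
    param([Parameter(Mandatory)] $VM, [int] $Hours = 8)
    $eventMgr = Get-View (Get-View ServiceInstance).Content.EventManager
    $filter = New-Object VMware.Vim.EventFilterSpec
    $filter.Entity = New-Object VMware.Vim.EventFilterSpecByEntity
    $filter.Entity.Entity = $VM.ExtensionData.MoRef
    $filter.Entity.Recursion = 'self'
    $filter.Time = New-Object VMware.Vim.EventFilterSpecByTime
    $filter.Time.BeginTime = (Get-Date).AddHours(-$Hours)
    $filter.EventTypeId = 'VmReconfiguredEvent'
    $collector = Get-View ($eventMgr.CreateCollectorForEvents($filter))
    try { while ($page = $collector.ReadNextEvents(100)) { $page } }   # emit page by page
    finally { $collector.DestroyCollector() }                           # always free the collector
}

# Constructed sample shaped like the event described above (4 vCPU, 20 GB of memory)
$sample = [pscustomobject]@{
    CreatedTime = [datetime]'2015-08-13T10:00:00'; UserName = 'EXAMPLE\admin'
    Vm = [pscustomobject]@{ Name = 'Test-VM' }
    ConfigSpec = [pscustomobject]@{ NumCPUs = 4; MemoryMB = 20480; Name = $null; DeviceChange = $null }
}
$sample | ConvertTo-VMChangeRecord | Format-Table -AutoSize

# Against a live vCenter:
# Get-VMReconfigEvent -VM (Get-VM 'Test-VM') -Hours 12 | ConvertTo-VMChangeRecord
```

Because each record carries the user and timestamp alongside the changed setting, the output can be exported with Export-Csv or forwarded to a log platform before the vCenter Tasks/Events retention window expires.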

Categories // Security, vSphere Tags // audit, PowerCLI, reconfigvm, vm configuration, VmReconfiguredEvent, vSphere API

vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change

06.09.2015 by William Lam // 3 Comments

After I published my last article on automating SSO Admin configurations using some simple LDAP commands, which is applicable to both vSphere 5.5 and 6.0, my buddy G. Blair Fritz, who works over in our GSS Organization, pointed out that another handy operation to share with customers is the ability to easily and quickly change an SSO Administrator password across multiple Platform Services Controllers (PSC). This is especially important for customers who have a password rotation policy set forth by their Security team, which most Enterprise customers have, and who are required to update their admin passwords every N-number of days.

Though you will not be able to query for an existing SSO Administrator's password (it is encrypted), you can modify the password, and this will require you to provide a valid SSO Administrator's account to connect with. To modify an LDAP entry, we first need to create a file that contains the change. In the example here we are going to name it change.ldif, and it should contain the following, where the "replace" keyword shows which property is getting modified and the line after it shows the value that it will be changed to. Make sure to also replace the dc=vghetto with the name of your SSO Site Name.

dn: cn=administrator,cn=users,dc=vghetto,dc=local
changetype: modify
replace: userpassword
userpassword: VMware1!

To apply the change, we will now run the following ldapmodify command, specifying our change.ldif configuration file:

/opt/likewise/bin/ldapmodify -f change.ldif -h 192.168.1.60 -D "cn=administrator,cn=users,dc=vghetto,dc=local" -w 'VMware1!!'

The really nice thing about this is that you can quickly change the password for your SSO Administrators across multiple Platform Services Controllers and across multiple SSO Domains with a couple of slight modifications to the command. How cool is that!? Thanks to Blair for sharing this awesome tidbit!

  • vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?
  • vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?
  • vCenter Server 6.0 Tidbits Part 3: Finding all deployed Platform Services Controller
  • vCenter Server 6.0 Tidbits Part 4: Finding all deployed vCenter Servers
  • vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA
  • vCenter Server 6.0 Tidbits Part 6: Customizing VCSA’s DCUI
  • vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JExplorer
  • vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird
  • vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli
  • vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations
  • vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change
  • vCenter Server 6.0 Tidbits Part 12: New methods of downloading Support Bundles for VCSA / PSC

Categories // Security Tags // ldapmodify, password, platform service controller, psc, sso

vCenter Server 6.0 Tidbits Part 6: Customizing VCSA's DCUI

04.21.2015 by William Lam // Leave a Comment

For those of you who have deployed the latest VCSA 6.0, you may have noticed that it now includes a DCUI interface similar to that of ESXi. Just like ESXi, it provides some basic functionality such as network configuration, restarting of the management interface, enabling SSH/Shell access and viewing support logs. For some customers, there is a mandatory compliance requirement to display a security or warning banner prior to logging into a system, which can also include interactive console UIs like the DCUI.

With ESXi, it was possible to customize the DCUI as seen in the screenshot below (more serious customizations are used in customer environments of course). For more details, please take a look at this blog post here.


Categories // ESXi, Security Tags // dcui, vcenter server appliance, VCSA, vcva


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2026

 
