
InTrust 11.4.2 - Preparing for Auditing VMware vCenter and ESX or ESXi

Installation

The VMware vCenter and ESX/ESXi Knowledge Pack must be installed on top of an existing InTrust installation.

Getting Started

Specifying What Computers to Use for Event Processing

Specifying Where to Look

Collecting Events and Reporting

Specifying What Computers to Use for Event Processing

The choice of event-processing computers depends on whether you expect the InTrust server to have trouble allocating enough system resources to process events from VMware systems. If processing the other platforms already places a heavy workload on the server, consider a dedicated InTrust server for VMware environment auditing.

You have only a few virtualization servers

In this case, all of the event processing can be done by the InTrust server that also performs auditing activity for other platforms. This means that you will later need to specify this server as the hosting server for your gathering jobs.

You have a lot of virtualization servers

In this case, consider setting up an additional InTrust server, as described in the InTrust Deployment Guide, in Installing Servers into Existing InTrust Organization. Later, you will specify this server as the hosting server for your gathering jobs.

Specifying Where to Look

This topic describes how to specify the vCenter and ESX (ESXi) servers for auditing. This step involves using InTrust Manager to include the servers you want to audit in InTrust sites. Note the following specifics:

  • vCenter servers must be members of sites in the Configuration | Sites | Microsoft Windows Network container.
  • ESX and ESXi servers must be members of sites in the Configuration | Sites | Unix Network container.

This topic describes the following configuration options:

  • For vCenter servers:
    • Single server
    • Multiple servers
  • For ESX and ESXi servers:
    • Single server
    • Multiple servers

See the option or options that fit your environment, and take the suggested steps.

Single vCenter Server

To audit a single vCenter server, take the following steps in InTrust Manager:

  1. Include the server in the predefined "VMware vCenter Servers" site.
  2. Make a copy of the predefined "VMware vCenter weekly event collection" task, and give it a suitable name.
  3. Set and enable the schedule for the new task as necessary.
  4. In the properties of the "VMware vCenter Servers" site, specify the credentials to use for connecting to the vCenter server in the "To access site objects, use" option group. Make sure that the account you use is a member of at least the Read-only role on the vCenter server.
  5. Commit your changes.

Note: This procedure assumes that the InTrust objects related to vCenter auditing have default configurations. If the configuration of the "VMware vCenter events" data source has been edited, make sure that the Use Integrated Windows Authentication parameter of this data source is set to 1. This setting is located in the data source properties, on the Parameters tab.

A value of 1 means that the data source will inherit access credentials from the site for which they are set (see step 4). Generally, credentials are passed on along the following path: InTrust server | task | job | site | data source, and can be overridden at the level of any of these objects if the object supports it.

If the Use Integrated Windows Authentication parameter is enabled while a gMSA is used as the InTrust server account, make sure the gMSA is not inherited as the access account for site objects. Instead, override the access credentials with an explicitly specified account. This can be done at site level (in the site properties) or at job level, and so on.
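One way to confirm the role requirement in step 4 from the vSphere side, as an added example that is not part of the InTrust documentation: the PowerShell below uses VMware PowerCLI to list the permissions held by the gathering account on a vCenter server and marks any role other than ReadOnly for review. The server name and account name are placeholders, and treating anything above Read-only as a finding is a least-privilege assumption of this example.

```powershell
# Added example: review the vCenter permissions of the InTrust gathering account.
# Requires the VMware PowerCLI module. Names below are placeholders.
Import-Module VMware.VimAutomation.Core

$vCenter   = 'vcenter.example.local'      # placeholder: vCenter server in the InTrust site
$principal = 'EXAMPLE\svc-intrust-vc'     # placeholder: account set in the site properties

# Connect with an administrative account that is allowed to read permissions.
Connect-VIServer -Server $vCenter -Credential (Get-Credential) | Out-Null
try {
    # All permissions assigned directly to the gathering account.
    $perms = @(Get-VIPermission -Principal $principal)

    if ($perms.Count -eq 0) {
        # The account may still receive a role through a group; check that separately.
        Write-Warning "$principal has no direct permissions on $vCenter."
    }

    foreach ($p in $perms) {
        # 'ReadOnly' is the PowerCLI name of the built-in Read-only role.
        $status = if ($p.Role -eq 'ReadOnly') { 'OK' } else { 'REVIEW: not Read-only' }
        [pscustomobject]@{
            Entity    = $p.Entity.Name
            Role      = $p.Role
            Propagate = $p.Propagate
            Status    = $status
        }
    }
}
finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}
```

Run it once for each access account when several sites use different credentials.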

Multiple vCenter Servers

If access credentials are shared by all vCenter servers

To audit multiple vCenter servers that accept the same access credentials, take the following steps in InTrust Manager:

  1. Include all the servers in the predefined "VMware vCenter Servers" site.
  2. Make a copy of the predefined "VMware vCenter weekly event collection" task, and give it a suitable name.
  3. Set and enable the schedule for the new task as necessary.
  4. In the properties of the "VMware vCenter Servers" site, specify the credentials to use for connecting to the vCenter server in the "To access site objects, use" option group. Make sure that the account you use is a member of at least the Read-only role on the vCenter server.
  5. Commit your changes.

Note: This procedure assumes that the InTrust objects related to vCenter auditing have default configurations. If the configuration of the "VMware vCenter events" data source has been edited, make sure that the Use Integrated Windows Authentication parameter of this data source is set to 1. This setting is located in the data source properties, on the Parameters tab.

A value of 1 means that the data source will inherit access credentials from the site for which they are set (see step 4). Generally, credentials are passed on along the following path: InTrust server | task | job | site | data source, and can be overridden at the level of any of these objects if the object supports it.

If the Use Integrated Windows Authentication parameter is enabled while a gMSA is used as the InTrust server account, make sure the gMSA is not inherited as the access account for site objects. Instead, override the access credentials with an explicitly specified account. This can be done at site level (in the site properties) or at job level, and so on.

If access credentials differ across the vCenter servers

To audit multiple vCenter servers for which access credentials differ, take the following steps in InTrust Manager:

  1. Create copies of the predefined "VMware vCenter Servers" site so that there is one site for each vCenter server access account. Name the sites accordingly.
  2. Populate the sites as necessary. Include multiple vCenter servers in a site only if these servers share the same access credentials.
  3. Make a copy of the predefined "VMware vCenter weekly event collection" task, and give it a suitable name.
  4. Set and enable the schedule for the new task as necessary.
  5. Inside the task, create copies of the predefined gathering job so that there is one job for each vCenter server access account. Name the jobs accordingly.

Then, do the following for each of the jobs you have created:

  1. In the job properties, on the Gathering tab, select the correct site to gather events from.
  2. Make sure that the Use agents to execute this job on target computers option is turned off.
  3. Open the properties of the site that the job uses, and in the "To access site objects, use" option group, supply the account to use for the vCenter connection.

After you have completed the configuration, commit your changes.

Note: This procedure assumes that the InTrust objects related to vCenter auditing have default configurations. If the configuration of the "VMware vCenter events" data source has been edited, make sure that the Use Integrated Windows Authentication parameter of this data source is set to 1. This setting is located in the data source properties, on the Parameters tab.

A value of 1 means that the data source will inherit access credentials from the site for which they are set. Generally, credentials are passed on along the following path: InTrust server | task | job | site | data source, and can be overridden at the level of any of these objects if the object supports it.

Single ESX or ESXi Server

To audit a single ESX or ESXi server, take the following steps in InTrust Manager:

  1. Include the server in the predefined "VMware ESX and ESXi Servers" site.
  2. In the properties of the predefined "VMware ESX and ESXi events" data source, on the Parameters tab, use the User Name and Password parameters to specify the credentials for connecting to the virtualization server. Make sure that the account you use is a member of at least the Read-only role on the virtualization server.
  3. Make a copy of the predefined "VMware ESX and ESXi weekly event collection" task, and give it a suitable name.
  4. Set and enable the schedule for the new task as necessary.
  5. Commit your changes.

Multiple ESX or ESXi Servers

If access credentials are shared by all ESX and ESXi servers

To audit multiple ESX or ESXi servers that accept the same access credentials, take the following steps in InTrust Manager:

  1. Include all the servers in the predefined "VMware ESX and ESXi Servers" site.
  2. In the properties of the predefined "VMware ESX and ESXi events" data source, on the Parameters tab, use the User Name and Password parameters to specify the shared credentials for connecting to the virtualization servers. Make sure that the account you use is a member of at least the Read-only role on the virtualization servers.
  3. Make a copy of the predefined "VMware ESX and ESXi weekly event collection" task, and give it a suitable name.
  4. Set and enable the schedule for the task as necessary.
  5. Commit your changes.

If access credentials differ across the ESX and ESXi servers

To audit multiple ESX and ESXi servers for which access credentials differ, take the following steps in InTrust Manager:

  1. Create copies of the predefined "VMware ESX and ESXi Servers" site so that there is one site for each server access account. Name the sites accordingly.
  2. Create copies of the predefined "VMware ESX and ESXi events" data source so that there is one data source for each virtualization server access account. Name the data sources accordingly.
  3. Create copies of the predefined "VMware ESX and ESXi" gathering policy so that there is one policy for each virtualization server access account. Name the policies accordingly. Remove the predefined data source from the cloned policies.
  4. Populate the sites as necessary. Include multiple ESX and ESXi servers in a site only if these servers share the same access credentials.
  5. Make a copy of the predefined "VMware ESX and ESXi weekly event collection" task, and give it a suitable name.
  6. Set and enable the schedule for the task as necessary.
  7. Inside the task, create copies of the predefined gathering job so that there is one job for each server access account. Name the jobs accordingly.

Do the following for each of the data sources you have created:

  1. In the data source properties, on the Parameters tab, use the User Name and Password parameters to specify the credentials for connecting to the virtualization server or servers. Make sure that the account you use is a member of at least the Read-only role on the virtualization server or servers.
  2. Find the corresponding gathering policy that you have created, and add this data source to it.

Then, do the following for each of the jobs you have created:

  1. In the job properties, on the Gathering tab, select the correct site to gather events from.
  2. Select the correct gathering policy to use.
  3. Make sure that the Use agents to execute this job on target computers option is turned off.

After you have completed the configuration, commit your changes.
