InTrust 11.4.1 - Preparing for Auditing VMware vCenter and ESX or ESXi

Collecting Events and Reporting

By now, you have configured the connection between InTrust and the virtualization servers. To fine-tune the configuration of auditing and reporting, you can do the following:

| What you want to do | What you should configure |
|---|---|
| Change the event gathering schedule | Edit the schedule in the properties of the task you are using. |
| Redirect events to different data stores | In the properties of the gathering job inside the task, change the audit database or repository. |
| Browse gathered events directly | Use InTrust Repository Viewer. |
| Make reports | In the task, add a final reporting job. Configure the properties of the job, such as the reports you want and report delivery settings. |
| View interactive reports | Use InTrust Knowledge Portal. To start working with Knowledge Portal, you must specify some of the security settings and data source properties. Before you can view reports, configure the data source to connect to the product database. Data sources are databases that store the information used in the reports. You must also configure access rights so that report users can access the reports they need. These rights are assigned by granting the appropriate SQL Reporting Services role to a user or group account. After Knowledge Portal is properly configured, open InTrust Manager and launch the task that includes a reporting job with the reports you need. Then, in Knowledge Portal, use the Reports tab. For detailed information, see the InTrust Deployment Guide. |
| Tweak the scope of events that are collected to filter out unnecessary data | Edit the repository or database filter in the properties of the data source or the policy that includes the data source. Policy filters are applied after data source filters. |

Remember to commit the changes you make to InTrust configuration.

For details about the procedures suggested, see the InTrust Auditing Guide.

Use Scenarios

This topic describes typical situations in a production environment and how InTrust helps handle them. For more details, see the following:

For information about specific procedures, such as creating tasks and jobs, see the InTrust Auditing Guide.

Tracking Pool Access Privileges

Suppose you have a single vCenter server, and your vCenter resources have been carefully rationed. The workload is currently approaching capacity. You need to make sure that only the current resource pool administrators make changes that affect vCenter performance, and that these administrators make their changes responsibly.

For that purpose, prepare an auditing and reporting workflow that includes the following:

  1. Daily gathering of events from the virtualization servers.
  2. Reports on permission changes after each gathering session.

To set up event gathering

  1. Make sure you have completed the steps outlined in the Getting Started topic.
  2. Change the schedule of the auditing task you have configured so that the task runs daily, preferably at a time when the load on the vCenter server is at its lowest. Rename the task accordingly.
  3. Commit your changes.

To set up reporting

  1. In the task, add a reporting job that is a successor of the gathering job.
  2. While configuring the reporting job, select the "VMware Permission Changes" report, and specify your preferred delivery method.
  3. Commit your changes.

For more details about reporting jobs, see the InTrust Auditing Guide.

Tracking Virtual Machine Removal

Removal of virtual machines is understandably a highly important action to watch out for. Such activity should be tracked very closely.

To set up event gathering

  1. Make sure you have completed the steps outlined in the Getting Started topic.
  2. Change the schedule of the auditing task you have configured so that the task runs daily, preferably at a time when the load on the vCenter server is at its lowest. Rename the task accordingly.
  3. Make sure that the gathering job inside the task gathers events to a repository.
  4. Commit your changes.

To track virtual machine removal in Repository Viewer

  1. Connect to the repository that contains events from the VMware environment.
  2. Navigate to the events you need in the left-pane treeview.
  3. In the column label row above the event list, click the leftmost icon to open the Field Chooser dialog box.
  4. In the drop-down menu of the dialog box, select Named Insertion Strings.
  5. In the list below, select VM: EventType. This insertion string contains textual information about the VMware-specific event type, so it is very useful for analyzing events from VMware systems.
  6. Underneath the VM: EventType column name, change the operator to Contains, and type removed in the filter box.
  7. View the filtered results and their details; sort and group them as necessary.
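
The filter from step 6, as an added example that is not part of the InTrust documentation. It runs over constructed event records and assumes that VM: EventType carries vSphere event class names (such as VmRemovedEvent) and that Contains matches case-insensitively; under those assumptions the filter also catches other removal events, which the code separates from VM removals before counting them per account. All field names other than VM: EventType are hypothetical.

```python
from collections import Counter

FIELD = "VM: EventType"  # named insertion string selected in step 5

# Constructed sample records. The "time", "user" and "object" keys are
# hypothetical; the event type values are assumed to be vSphere event
# class names.
EVENTS = [
    {"time": "2024-03-01T02:10", "user": "LAB\\alice", FIELD: "VmRemovedEvent", "object": "web-01"},
    {"time": "2024-03-01T02:11", "user": "LAB\\alice", FIELD: "VmPoweredOffEvent", "object": "web-02"},
    {"time": "2024-03-01T03:40", "user": "LAB\\bob", FIELD: "PermissionRemovedEvent", "object": "Pool-A"},
    {"time": "2024-03-01T04:05", "user": "LAB\\bob", FIELD: "VmRemovedEvent", "object": "db-03"},
    {"time": "2024-03-01T04:06", "user": "LAB\\bob", FIELD: "VmRemovedEvent", "object": "db-04"},
    {"time": "2024-03-01T04:09", "user": "LAB\\bob", FIELD: "HostRemovedEvent", "object": "esx-07"},
]

def contains_filter(events, needle):
    """Substring match on VM: EventType (case-insensitive by assumption)."""
    needle = needle.lower()
    return [e for e in events if needle in e.get(FIELD, "").lower()]

def split_vm_removals(matches):
    """Separate VM removals from other events the broad filter also catches."""
    vm = [e for e in matches if e[FIELD] == "VmRemovedEvent"]
    other = [e for e in matches if e[FIELD] != "VmRemovedEvent"]
    return vm, other

def removals_by_user(vm_events):
    """Count VM removals per initiating account, most active first."""
    return Counter(e["user"] for e in vm_events).most_common()

if __name__ == "__main__":
    matches = contains_filter(EVENTS, "removed")
    vm, other = split_vm_removals(matches)
    print(f"{len(matches)} events match 'removed'; {len(vm)} are VM removals")
    for e in other:
        print("also matched:", e[FIELD], "on", e["object"])
    for user, count in removals_by_user(vm):
        print(user, count)
```

If the broader matches are noise in your environment, a longer filter string such as the full event type name narrows the view to virtual machine removals only.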