One of the key tasks of IT administrators is to keep track of all platform interactions such as user logins and logouts, capability checks and configuration modifications happening within the VCF or the vSphere Foundation stack.
In this blog, let us look at the new Audit events feature and see how it can help get insights into platform changes, detect suspicious access events, and policy violations and increase user accountability as each action is registered as events within VMware Cloud Foundation Operations.
Audit Events is an all-new framework that provides improved transparency, control and accountability across your vCenter resources including vSphere, vSAN and NSX core components.
The Objective of introducing the new Audit Events feature was to help SaaS customers migrate to on-prem. So there was an events feature in vSphere+ that gave customers a sneak peek into all the events generated across various vSphere resources. The feature was further refined to provide more business value in terms of Security use cases and also improve overall Compliance posture.
Audit events can also be a complimenting feature for Configuration Drift, which will help admins with configuration management where admins can trace back who did the configuration changes providing more information around auditing use cases for config drift management as well.
So this release focuses on providing Audit events for vSphere, vSAN and NSX resources only and will be applicable for both VCF and vSphere Foundation customers.
So, login to VMware Cloud Foundation Operations Home Page and access Audit Events by navigating to Operations -> Audit Events section.
Now, there are certain prerequisites to get this feature to work. All of the Audit events are collected for those vCenters that are registered with VMware Cloud Foundation Operations Log Management instance.
This is tracked under the Details section. Here you can view how many vCenters we are collecting from. You see how many of them are collecting and how many of them are not collecting. There is a link to external documentation/instructions to help with the prerequisites that the admins need to take care of and to start reporting audit-related events.
You get the flexibility to choose the time range.
There are certain Presets that are made available so that you can browse through the audited events that are of interest to you. Also, the custom range picks a range within 48 hours.
There is a detailed Filtering section to filter events by Severity, vCenter Server, Object type, Object ID and Event category.
Now, let us look at certain scenarios and use cases the Audit events can be useful.
You want to see all the user logins and logout sessions and if any invalid user account is trying to access restricted resources. You can simply filter by Access Control category and get a view of all such events.
The Related-events tab list all the sub-events that got executed as part of one particular action.
This is a great set of information to pass on to IDP systems to understand if there are any attack vectors and if any unauthorised users are trying to gain access to your system. So definitely, it’s going to help in those security scenarios.
A Second use case is about learning the login and logout user patterns.
So you can simply filter by Session and get a view of the various user logins and logouts.
So this information is important for traceability and accountability. You will also see all sub-events that were executed as part of one particular action.
Let’s look at one more use case where you experience a Security or Compliance incident and you identify that Firewall configuration were changed at a particular moment in time.
And now that you are investigating, you want to understand, who made those changes so you can simply filter by firewall and get to the list of all the firewall changes, and you can also search by the object name and get to the details of those configuration changes. You can understand what the object was, who updated that particular event, and what caused that change. And eventually why that resulted in compliance or security incidents.
Similarly, you can detect if there were any passwordpolicy changes.
We have also provided a tab for showcasing the related events which list all sub-events that got executed as part of one particular action which is searched based on the unique CHAIN ID.
Conclusion:
This post should give you a good understanding of how the new Audit events feature can improve the overall security and compliance posture and operational effectiveness of the VCF and vSphere Foundation deployments.
Now the Network Operations Centre (NOC) teams, the SREs and IT administrations can quickly be aware of what going on, and what changes are happening in your environments along with:
Improved visibility into platform interaction changes across the VCF infrastructure
Visibility into suspicious access events and policy violations
Increased user accountability as each action getting registered in these events
