In this blog, I will be showing new content pack for Log Intelligence “Audit Events for VMware Cloud on AWS”. It provides powerful insight into audit events generated in the VMware Cloud on AWS SDDCs allowing admins to audit, monitor and troubleshoot activity in their environment
Value of Content Pack – Audit Events for VMware Cloud on AWS
It provides the following benefits
| Use Case | Benefit |
| Security Auditing | Admin can view details of the user activity in the SDDC deployed in VMWonAWS such as successful login/logout & failed login attempts |
| Infrastructure Monitoring and Visibility | Admin can monitor and get visibility of events for the Virtual Machines deployed in the SDDC such as Creation, Deletion, Power On/Off, and unregistered can also give list of unique VMs in the environment help identify VM’s experiencing high activity |
| Troubleshoot SDDC Connectivity Issues | Admin can view Gateway policy creation and update events to triage connectivity issues |
| Alerts & Notifications | Admins can configure Alerts and get notified authentication events, Proactive Infrastructure Visibility and Monitoring |
How to enable the content pack
Navigate to left navigation menu for Content Pack
Click on the tile “VMware – Audit Events for VMware Cloud on AWS”
It will prompt you to “Enable” content pack
Verify it is successfully enabled
What does the Content Pack Include?
Once the content pack is enabled you will get OOTB queries and alert definitions. Additionally, you can also create Dashboard Charts for the queries to visualize and examine the logs
OOTB Queries
Following are the OOTB queries which you get when the content pack is enabled. It is divided into 3 categories
| Sr. No | Category | Query | Description |
| 1 | User Activity | Audit Events for VMware Cloud on AWS | User Session Bad Username | Displays login attempts with an invalid user name grouped by SDDC and source IP |
| 2 | Audit Events for VMware Cloud on AWS | User Session Failed Login | Displays failed login attempts grouped by SDDC and source IP | |
| 3 | Audit Events for VMware Cloud on AWS | User Session Login | Displays user login events grouped by SDDC and source IP | |
| 4 | Audit Events for VMware Cloud on AWS | User Session Logout | Displays user logout events grouped by SDDC and source IP | |
| 5 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS | Virtual Machine Count by SDDC | Displays count of unique virtual machines for which events have been captured during the selected time frame. |
| 6 | Audit Events for VMware Cloud on AWS | Virtual Machine Created | Displays virtual machine creation and clone events grouped by SDDC and user. | |
| 7 | Audit Events for VMware Cloud on AWS | Virtual Machine Deleted | Displays virtual machine delete events grouped by SDDC and user. | |
| 8 | Audit Events for VMware Cloud on AWS | Virtual Machine Log Events | Event counts grouped by the virtual machine. Use to identify vm’s experiencing high activity and then drill down to details. | |
| 9 | Audit Events for VMware Cloud on AWS | Virtual Machine Powered Off | Displays virtual machine power off events grouped by SDDC and user. | |
| 10 | Audit Events for VMware Cloud on AWS | Virtual Machine Powered On | Displays virtual machine power-on events grouped by SDDC and user. | |
| 11 | Audit Events for VMware Cloud on AWS | Virtual Machine Unregistered | Displays virtual machine unregister events grouped by SDDC and user. | |
| 12 | Gateway Policy Rules | Audit Events for VMware Cloud on AWS | Gateway Policy Created/Updated | Displays gateway policy create and update events grouped by user. |
Alert Definitions
Following are the OOTB alert definitions which you get when the content pack is enabled. It is divided into 3 categories
| Sr. No | Category | Alert Definition | Description |
| 1 | User Activity | Audit Events for VMware Cloud on AWS | User Session Bad Username | This alert will trigger when a login is attempted with an invalid username. |
| 2 | Audit Events for VMware Cloud on AWS | User Session Failed Login | This alert will trigger when a login attempt fails. | |
| 3 | Audit Events for VMware Cloud on AWS | User Session Login | This alert will trigger when a user logs into VMC SDDC environment. | |
| 4 | Audit Events for VMware Cloud on AWS | User Session Logout | This alert will trigger when a user logs out of VMC SDDC environment. | |
| 5 | Audit Events for VMware Cloud on AWS | Virtual Machine Created | This alert will trigger when a new virtual machine is created or cloned | |
| 6 | Audit Events for VMware Cloud on AWS | Virtual Machine Deleted | This alert will trigger when a virtual machine is deleted. | |
| 7 | Audit Events for VMware Cloud on AWS | Virtual Machine Powered Off | This alert will trigger when a virtual machine is powered off. | |
| 8 | Audit Events for VMware Cloud on AWS | Virtual Machine Powered On | This alert will trigger when a virtual machine is powered on | |
| 9 | Audit Events for VMware Cloud on AWS | Virtual Machine Unregistered | This alert will trigger when a virtual machine is unregistered. | |
| 10 | Gateway Policy Rules | Audit Events for VMware Cloud on AWS | Gateway Policy Created/Updated | This alert will trigger when a VMWonAWS gateway policy is created or updated |
Dashboard Chart
You can create Dashboard Widgets for the queries to visualize and examine the logs
Navigate to Dashboard left navigation menu and click on Add Chart
Search for the Audit Events Content Pack OOTB query and click it
You should see message popup “Chart successfully added to dashboard”
Sample Dashboards
Here I have added all the OOTB queries into a Dashboard which will help you visualize the same
Conclusion
VMware Log Intelligence gives you unified visibility into VMware Cloud on AWS environments which allows admins/application owners to troubleshoot/application monitoring along with security monitoring
Getting Started with Log Intelligence
For a free trial, you can click here or reach out to your account team
To learn more about Log Intelligence please visit here
