In this blog, I will be showing the new content pack for Log Intelligence, “Audit Events for VMware Cloud on AWS”. It provides powerful insight into audit events generated in the VMware Cloud on AWS SDDCs, allowing admins to audit, monitor and troubleshoot activity in their environment.

Value of Content Pack – Audit Events for VMware Cloud on AWS

It provides the following benefits:

| Use Case | Benefit |
| --- | --- |
| Security Auditing | Admins can view details of user activity in the SDDC deployed in VMWonAWS, such as successful logins/logouts and failed login attempts |
| Infrastructure Monitoring and Visibility | Admins can monitor and get visibility of events for the virtual machines deployed in the SDDC, such as creation, deletion, power on/off, and unregistration. It can also list the unique VMs in the environment and help identify VMs experiencing high activity |
| Troubleshoot SDDC Connectivity Issues | Admins can view gateway policy creation and update events to triage connectivity issues |
| Alerts & Notifications | Admins can configure alerts and get notified of authentication events, enabling proactive infrastructure visibility and monitoring |

 

How to enable the content pack

Navigate to Content Pack in the left navigation menu.

Click on the tile “VMware – Audit Events for VMware Cloud on AWS”.

You will be prompted to “Enable” the content pack.

Verify that it is successfully enabled.

What does the Content Pack Include?

Once the content pack is enabled, you get out-of-the-box (OOTB) queries and alert definitions. Additionally, you can create Dashboard Charts for the queries to visualize and examine the logs.

OOTB Queries

The following OOTB queries are available once the content pack is enabled. They are divided into 3 categories.

| Sr. No | Category | Query | Description |
| --- | --- | --- | --- |
| 1 | User Activity | Audit Events for VMware Cloud on AWS \| User Session Bad Username | Displays login attempts with an invalid user name grouped by SDDC and source IP |
| 2 | User Activity | Audit Events for VMware Cloud on AWS \| User Session Failed Login | Displays failed login attempts grouped by SDDC and source IP |
| 3 | User Activity | Audit Events for VMware Cloud on AWS \| User Session Login | Displays user login events grouped by SDDC and source IP |
| 4 | User Activity | Audit Events for VMware Cloud on AWS \| User Session Logout | Displays user logout events grouped by SDDC and source IP |
| 5 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Count by SDDC | Displays count of unique virtual machines for which events have been captured during the selected time frame. |
| 6 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Created | Displays virtual machine creation and clone events grouped by SDDC and user. |
| 7 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Deleted | Displays virtual machine delete events grouped by SDDC and user. |
| 8 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Log Events | Event counts grouped by the virtual machine. Use to identify VMs experiencing high activity and then drill down to details. |
| 9 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Powered Off | Displays virtual machine power off events grouped by SDDC and user. |
| 10 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Powered On | Displays virtual machine power-on events grouped by SDDC and user. |
| 11 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Unregistered | Displays virtual machine unregister events grouped by SDDC and user. |
| 12 | Gateway Policy Rules | Audit Events for VMware Cloud on AWS \| Gateway Policy Created/Updated | Displays gateway policy create and update events grouped by user. |
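
As an added example (not part of the original post, and not Log Intelligence query syntax), the Python below reproduces the "grouped by SDDC and source IP" view of the four User Activity queries over constructed log lines. The key=value layout, the field names `sddc`, `src` and `event`, and the event labels are assumptions for illustration; `failures_without_login` goes one step beyond the OOTB queries by combining them into a review list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines. The key=value layout, field names and event labels
# are assumptions, not the log format emitted by VMware Cloud on AWS.
SAMPLE_LOGS = """\
2019-03-01T10:00:01Z sddc=SDDC-East event=bad_username user=admin1 src=203.0.113.7
2019-03-01T10:00:05Z sddc=SDDC-East event=bad_username user=root src=203.0.113.7
2019-03-01T10:00:09Z sddc=SDDC-East event=failed_login user=cloudadmin src=203.0.113.7
2019-03-01T10:02:00Z sddc=SDDC-East event=login user=cloudadmin src=198.51.100.20
2019-03-01T10:30:00Z sddc=SDDC-East event=logout user=cloudadmin src=198.51.100.20
2019-03-01T11:00:00Z sddc=SDDC-West event=failed_login user=cloudadmin src=198.51.100.20
malformed line without fields
"""

SESSION_EVENTS = {"bad_username", "failed_login", "login", "logout"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the key=value fields of one line, or None if it is not a usable session event."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("event") not in SESSION_EVENTS or not {"sddc", "src"} <= set(fields):
        return None
    return fields

def session_counts(text):
    """Count each session event type per (SDDC, source IP), the grouping the four queries use."""
    table = defaultdict(Counter)
    for line in text.splitlines():
        fields = parse_line(line)
        if fields:
            table[(fields["sddc"], fields["src"])][fields["event"]] += 1
    return table

def failures_without_login(table):
    """(SDDC, source IP) pairs with rejected attempts and no successful login, busiest first."""
    flagged = []
    for key, counts in table.items():
        rejected = counts["bad_username"] + counts["failed_login"]
        if rejected and counts["login"] == 0:
            flagged.append((key, rejected))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    table = session_counts(SAMPLE_LOGS)
    for (sddc, src), counts in sorted(table.items()):
        print(sddc, src, dict(counts))
    print("review:", failures_without_login(table))
```
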

 

Alert Definitions

The following OOTB alert definitions are available once the content pack is enabled. They are divided into 3 categories.

| Sr. No | Category | Alert Definition | Description |
| --- | --- | --- | --- |
| 1 | User Activity | Audit Events for VMware Cloud on AWS \| User Session Bad Username | This alert will trigger when a login is attempted with an invalid username. |
| 2 | User Activity | Audit Events for VMware Cloud on AWS \| User Session Failed Login | This alert will trigger when a login attempt fails. |
| 3 | User Activity | Audit Events for VMware Cloud on AWS \| User Session Login | This alert will trigger when a user logs into VMC SDDC environment. |
| 4 | User Activity | Audit Events for VMware Cloud on AWS \| User Session Logout | This alert will trigger when a user logs out of VMC SDDC environment. |
| 5 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Created | This alert will trigger when a new virtual machine is created or cloned. |
| 6 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Deleted | This alert will trigger when a virtual machine is deleted. |
| 7 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Powered Off | This alert will trigger when a virtual machine is powered off. |
| 8 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Powered On | This alert will trigger when a virtual machine is powered on. |
| 9 | Virtual Machine Activity | Audit Events for VMware Cloud on AWS \| Virtual Machine Unregistered | This alert will trigger when a virtual machine is unregistered. |
| 10 | Gateway Policy Rules | Audit Events for VMware Cloud on AWS \| Gateway Policy Created/Updated | This alert will trigger when a VMWonAWS gateway policy is created or updated. |

 

Dashboard Chart

You can create Dashboard Widgets for the queries to visualize and examine the logs.

Navigate to Dashboard in the left navigation menu and click on Add Chart.

Search for the Audit Events Content Pack OOTB query and click it.

You should see the message popup “Chart successfully added to dashboard”.

Sample Dashboards

Here I have added all the OOTB queries to a dashboard, which will help you visualize the same.

Conclusion

VMware Log Intelligence gives you unified visibility into VMware Cloud on AWS environments, which allows admins and application owners to handle troubleshooting and application monitoring along with security monitoring.

Getting Started with Log Intelligence

For a free trial, you can click here or reach out to your account team

To learn more about Log Intelligence please visit here