The latest release of vRealize Log Insight Cloud has some exciting updates to alert management and additional public cloud support. Take alerting to the next level with new alert classifications and add up to four trigger condition values with multiple notification types at each level. You can send alerts to a dashboard, email, instant message, or use webhooks for third-party integration. You can include information in the alert notification so administrators can follow instructions or remediate with steps provided within the alert. This release also includes support for Google Cloud Platform (GCP) logs as we round out our public cloud support to monitor AWS, Azure, and GCP instances along with on-prem and VMC on AWS environments.
We’ve been hearing from security teams that they need additional methods to detect attacks before systems are compromised. Monitoring failed login activity is one way to ensure admins are notified of suspicious login activity before systems are exposed to cybercriminals. We can also monitor account activity for privileged accounts, including successful logins.
We know that everyone mistypes their password at times, so alerting on every failed login attempt would be a nuisance. You can set a notification criterion to trigger only after a given number of failed attempts. A single failed login attempt is not an issue, but after, say, 10 invalid attempts you may want to send an informational alert to the console. If you notice 20 bad attempts in a specific period of time, perhaps you want to raise the notification severity and send an email, instant message, or both to alert admins of the activity.
We can create an alert for this critical use case and the best part is how easy it is to add these alerts to monitor access to your infrastructure. I will create an alert on failed login attempts to both Active Directory and vCenter. I’ll set different notifications if attempts exceed specific thresholds. I can simply enter criteria in a text query and I can also fine-tune my filter using extracted fields. I am using the fields already extracted by Log Insight to set my criteria. I could also create this alert for a specific account, but for this example, it is alerting based on total failure events from all user accounts.
For Active Directory I’m using the extracted field ms_win_security_account_failed_reason with the filter "contains password". (You can view all the details for extracted field values under Content Packs or within a specific log message in Explore Logs.) I also want to include failed vCenter logins in the event count, so I am also filtering on vc_event_type "contains LoginFailure" and choosing "any" as the operator so that a message matching either filter is counted, thus including failed attempts to either system. I’m assigning an alert level based on the number of bad attempts: 10, 20, 30, or 40.
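The evaluation the alert performs (match either filter, count hits in a time window, pick an alert level from the thresholds) is easy to reason about as a small script. The following is an added example, not Log Insight code; the sample events, the field values, the 5-minute window, and the mapping of 10/20/30/40 attempts onto info/warning/immediate/critical are all constructed assumptions for illustration.

```python
"""Constructed example: threshold alerting on failed logins across AD and vCenter.

Mirrors the alert described in the text: count events where the AD failure
reason contains "password" OR the vCenter event type contains "LoginFailure",
then assign an alert level from the attempt count.
"""
from collections import Counter
from datetime import datetime, timedelta

# Attempt thresholds from the text (10, 20, 30, 40) mapped onto the four
# alert classifications. The exact mapping is an assumption for this example.
THRESHOLDS = [(40, "critical"), (30, "immediate"), (20, "warning"), (10, "info")]

# Evaluation window (assumption; the text says "a specific period of time").
WINDOW = timedelta(minutes=5)


def is_failed_login(event: dict) -> bool:
    """The "any" filter: AD reason contains "password" OR vCenter event type
    contains "LoginFailure". Case-insensitive matching is an assumption."""
    reason = event.get("ms_win_security_account_failed_reason", "")
    vc_type = event.get("vc_event_type", "")
    return "password" in reason.lower() or "loginfailure" in vc_type.lower()


def failed_logins_in_window(events, window_end: datetime, window: timedelta = WINDOW):
    """Return the matching events whose timestamp falls inside the window."""
    start = window_end - window
    return [e for e in events
            if is_failed_login(e) and start <= e["timestamp"] <= window_end]


def alert_level(count: int):
    """Highest classification whose threshold the count reaches, else None."""
    for threshold, level in THRESHOLDS:
        if count >= threshold:
            return level
    return None


def evaluate(events, window_end: datetime) -> dict:
    """One alert evaluation: count, level, and the accounts behind the hits
    (the detail you would see by clicking through to the log messages)."""
    hits = failed_logins_in_window(events, window_end)
    accounts = Counter(e.get("account", "<unknown>") for e in hits)
    return {"count": len(hits), "level": alert_level(len(hits)), "accounts": dict(accounts)}


# --- Constructed sample events using the extracted field names from the text ---
def _ad(ts, account, reason):
    return {"timestamp": ts, "source": "ad", "account": account,
            "ms_win_security_account_failed_reason": reason}


def _vc(ts, account, event_type):
    return {"timestamp": ts, "source": "vcenter", "account": account,
            "vc_event_type": event_type}


T0 = datetime(2021, 6, 1, 9, 0, 0)
WINDOW_END = T0 + WINDOW
SAMPLE_EVENTS = (
    # 12 bad-password failures against AD for one account (counted)
    [_ad(T0 + timedelta(seconds=10 * i), "jdoe", "Unknown user name or bad password.") for i in range(12)]
    # 8 vCenter login failures for the SSO admin (counted)
    + [_vc(T0 + timedelta(seconds=15 * i), "administrator@vsphere.local", "LoginFailure") for i in range(8)]
    # lockouts: reason does not contain "password", so not counted by this alert
    + [_ad(T0 + timedelta(seconds=200 + i), "jdoe", "Account locked out.") for i in range(2)]
    # successful vCenter logins, not counted
    + [_vc(T0 + timedelta(seconds=30 * i), "svc-backup", "UserLoginSessionEvent") for i in range(3)]
    # older failures outside the window, not counted
    + [_ad(T0 - timedelta(minutes=10) + timedelta(seconds=i), "jdoe", "bad password") for i in range(5)]
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, WINDOW_END))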
Click on the Alert to Review Log Details
If you want to review the specific log messages that triggered the alert, you simply click on the alert.
Review Detailed Log Messages
This is where you’ll find the accounts that triggered the alert.
Monitoring log activity is a key feature of Log Insight Cloud. We can monitor log events for failures, errors, corruption, or monitor access to systems like the scenario we just covered. vRealize Log Insight also comes with a wide range of content packs that include pre-defined alerts you can enable.
Alert management has four alert classifications: info, warning, immediate, and critical. You can classify alerts accordingly and change your notification methods as required. You can filter triggered alerts by severity, type, origin, and tags for quick review and prioritization. The new alert notifications include chart visualizations of triggered alerts over a specified time range.
Many companies are taking advantage of the flexibility Public Clouds provide. vRealize Log Insight Cloud was designed with this in mind and supports Private, Hybrid, and Multi-Cloud deployments. Last year we added support for native AWS and Azure and with this release, we have support for Google Cloud Platform (GCP). Log Insight can monitor workloads anywhere so you can have a unified view for apps that span clouds, such as large data warehouses. How beneficial would it be to have the ability to correlate events across the entire stack? IT teams can easily search logs and configure notifications on activity from a multitude of applications and public cloud providers.
Google Cloud Platform (GCP) Support
The latest release adds support for 11 GCP log sources.
The detailed configuration steps are included in the in-product documentation under Log Sources. The steps include creating a Topic; a Topic forwards messages from publishers to subscribers. Once you have created the topic you create a ‘sink’ in Logs Explorer with the appropriate filter based on the resource type you are monitoring, and you’ll select the Pub/Sub topic you created earlier. Once you have the Sink configured you create a subscription using push delivery with the target being the Log Insight Cloud URL with your secure access token (API Key).
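The three steps above (topic, sink with a resource filter, push subscription to the Log Insight Cloud endpoint) map onto a fixed sequence of gcloud commands. The following is an added example and not VMware's or Google's documentation: it assembles the commands from placeholders and only executes them when asked, so the plan can be reviewed first. The project, topic, sink and subscription names, the resource type, and the endpoint URL are placeholders you replace with the values from the in-product Log Sources documentation; the extra publisher-role binding is a standard Cloud Logging requirement for Pub/Sub sinks that the text does not list.

```python
"""Constructed example: plan (and optionally run) the GCP log-forwarding setup.

Steps from the text: create a Pub/Sub topic, create a Cloud Logging sink that
routes filtered entries to that topic, then create a push subscription whose
endpoint is the Log Insight Cloud URL carrying the API key.
"""
import re
import shlex
import subprocess

# Placeholders: replace with the values from the Log Sources documentation.
PROJECT = "YOUR_GCP_PROJECT_ID"
TOPIC = "log-insight-topic"
SINK = "log-insight-sink"
SUBSCRIPTION = "log-insight-push"
RESOURCE_TYPE = "gce_instance"            # the resource type being monitored
PUSH_ENDPOINT = "https://LOG_INSIGHT_CLOUD_URL_FROM_DOCS/ingest?api_key=YOUR_API_KEY"


def topic_cmd(project: str, topic: str) -> list:
    return ["gcloud", "pubsub", "topics", "create", topic, f"--project={project}"]


def sink_cmd(project: str, sink: str, topic: str, resource_type: str) -> list:
    # Sink destinations for Pub/Sub use this fixed URI form.
    destination = f"pubsub.googleapis.com/projects/{project}/topics/{topic}"
    log_filter = f'resource.type="{resource_type}"'
    return ["gcloud", "logging", "sinks", "create", sink, destination,
            f"--log-filter={log_filter}", f"--project={project}"]


def publisher_binding_cmd(project: str, topic: str, writer_identity: str) -> list:
    # The sink's writer identity (from `gcloud logging sinks describe`) must be
    # allowed to publish to the topic or no entries are delivered.
    return ["gcloud", "pubsub", "topics", "add-iam-policy-binding", topic,
            f"--member={writer_identity}", "--role=roles/pubsub.publisher",
            f"--project={project}"]


def subscription_cmd(project: str, subscription: str, topic: str, endpoint: str) -> list:
    return ["gcloud", "pubsub", "subscriptions", "create", subscription,
            f"--topic={topic}", f"--push-endpoint={endpoint}", f"--project={project}"]


def redact(rendered: str) -> str:
    """Mask the API key before a command line is printed or logged."""
    return re.sub(r"(api_key=)[^&\s'\"]+", r"\1<redacted>", rendered)


def plan(project=PROJECT, topic=TOPIC, sink=SINK, subscription=SUBSCRIPTION,
         resource_type=RESOURCE_TYPE, endpoint=PUSH_ENDPOINT, writer_identity=None) -> list:
    """Ordered argv lists; the binding step is included once the identity is known."""
    steps = [topic_cmd(project, topic), sink_cmd(project, sink, topic, resource_type)]
    if writer_identity:
        steps.append(publisher_binding_cmd(project, topic, writer_identity))
    steps.append(subscription_cmd(project, subscription, topic, endpoint))
    return steps


def run_plan(steps: list, execute: bool = False) -> list:
    """Return the redacted command lines; execute them only when asked."""
    rendered = []
    for argv in steps:
        rendered.append(redact(shlex.join(argv)))
        if execute:
            subprocess.run(argv, check=True)
    return rendered


if __name__ == "__main__":
    for line in run_plan(plan()):
        print(line)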
Once you enable the GCP content pack you’ll have access to 30 GCP dashboards with numerous queries. (Stay tuned for an upcoming blog on monitoring GCP Logs.)
Learn more about Log Insight Cloud with Pathfinder. Pathfinder is a collection of educational material from VMware. In Pathfinder you’ll be able to review product overviews and targeted feature demos such as exploring logs and using the dashboard workbench.