KBI 310561 New Feature: ESX Host Log and VMware Event Log Monitoring and Archiving

Version

Argent Advanced Technology 3.1A-1307-A or above

Date

Tue, 25 Jun 2013

Summary

Argent for Compliance has the ability to monitor and archive VMware Infrastructure (VI) Events and ESX host logs.

ESX host logs contain OS-level messages. The built-in ones include hostd, messages, vmkernel, vmksummary, vmkwarning, etc.

When these logs are retrieved, the log lines are unstructured, as in the following example:

[2013-06-15 17:29:52.693 2B8CEB90 info 'DiskLib'] DISKLIB-VMFS : "/vmfs/volumes/50ac4ade-cf6d479e-00a7-0024e875f449/W2008R2/W2008R2-000001-delta.vmdk" : open successful (21) size = 64424509440, hd = 0. Type 8 Informational.

Argent for Compliance is capable of parsing the timestamp in each log line and monitoring and/or archiving accordingly.
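As an added example, not code from this KBI or from Argent, the following Python script parses the hostd-style log line shown above into its timestamp, thread ID, severity, component and message text, and shows why the UTC setting of a rule matters: the same line yields a different instant when the host is assumed to run in a local time zone. The header layout, the helper names and the extra sample lines are assumptions made for this illustration; only the first sample line is taken from this article.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

# Header layout assumed here (hostd-style, as in the line quoted above):
# [YYYY-MM-DD HH:MM:SS.fff <thread-id> <level> '<component>'] <message>
_HEADER = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)"
    r"\s+(?P<thread>[0-9A-Fa-f]+)"
    r"\s+(?P<level>\w+)"
    r"\s+'(?P<component>[^']*)'\]\s*(?P<message>.*)$"
)


class EsxLogEntry(NamedTuple):
    timestamp: datetime   # timezone-aware, so entries from different hosts compare correctly
    thread: str
    level: str
    component: str
    message: str


def parse_esx_log_line(line: str, host_is_utc: bool = True,
                       host_offset_hours: int = 0) -> Optional[EsxLogEntry]:
    """Parse one ESX host log line. Returns None for lines without a header
    (continuation lines, garbage), which a rule cannot place in time."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if m is None:
        return None
    ts_text = m.group("ts")
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in ts_text else "%Y-%m-%d %H:%M:%S"
    naive = datetime.strptime(ts_text, fmt)
    # The log text carries no zone marker; the rule's UTC setting supplies it.
    tz = timezone.utc if host_is_utc else timezone(timedelta(hours=host_offset_hours))
    return EsxLogEntry(naive.replace(tzinfo=tz), m.group("thread"),
                       m.group("level"), m.group("component"), m.group("message"))


def entries_newer_than(lines, cutoff_iso: str, host_is_utc: bool = True,
                       host_offset_hours: int = 0) -> List[EsxLogEntry]:
    """Keep only parseable lines stamped after the cutoff (ISO 8601 with zone).
    This is the check a monitoring read performs so old lines are not re-alerted."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    out = []
    for line in lines:
        entry = parse_esx_log_line(line, host_is_utc, host_offset_hours)
        if entry is not None and entry.timestamp > cutoff:
            out.append(entry)
    return out


# The first line is the one quoted in this article; the others are constructed.
SAMPLE_LOG = """\
[2013-06-15 17:29:52.693 2B8CEB90 info 'DiskLib'] DISKLIB-VMFS : "/vmfs/volumes/50ac4ade-cf6d479e-00a7-0024e875f449/W2008R2/W2008R2-000001-delta.vmdk" : open successful (21) size = 64424509440, hd = 0.
[2013-06-15 17:30:01.120 2B8CEB90 warning 'Vmsvc'] Constructed sample: snapshot consolidation is needed for W2008R2
--> constructed continuation line with no header, so there is no timestamp to parse
[2013-06-15 17:31:15.004 2B8CEB91 info 'Vimsvc'] Constructed sample: host clock synchronized with NTP
"""

if __name__ == "__main__":
    for e in entries_newer_than(SAMPLE_LOG.splitlines(), "2013-06-15T17:30:00+00:00"):
        print(e.timestamp.isoformat(), e.level, e.component, e.message[:60])
```

If the host is wrongly assumed to be in a local zone while it actually runs in UTC (the usual ESX configuration), every parsed instant is shifted by the offset, so a time-window read either re-reads hours of old lines or silently skips recent ones; the offset test in parse_esx_log_line makes that shift visible.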

Technical Background

Both vCenter and ESX hosts generate VI events for various conditions.

Less sophisticated than the familiar Windows events, VI events are simply presented as formatted message text, which is exactly what users see under ‘Tasks & Events’ in vSphere.

VI events do not have built-in severities and categories; instead there are hundreds of pre-defined event types, whose names largely indicate what the event is about. VMware programmatically groups the event types into Error, Warning and Informational categories.

Licensing the VMware Object

In order to monitor and archive VI Events or ESX host logs, customers must first license the ESX host, and specify the logon credentials for the object.

vCenter is a Windows server and generally a VM. After licensing the machine, customers need to explicitly set the node as a vCenter. In most cases, vCenter uses a domain account to log on. As a result, customers may be able to leave the logon credential fields empty so that the Argent AT service account is assumed.

ESX hosts are a different story. Customers generally need to enter an account defined on the ESX host itself in order to communicate with the host.

The property ‘Minutes To Advance For Reading VI Events’ does exactly what its name says. The default of 60 minutes is generally adequate.

For extremely busy VMware environments, a smaller value may be appropriate. If too many events are returned in one read, the read operation can time out; if too few are returned, the read is inefficient because too many PowerCLI calls are made.

Defining ESX Log Rules

The ESX Log Rule is very similar to a File Log Rule. It can do monitoring and/or archiving. The most important settings are the time format string and the UTC setting, since ESX hosts are generally configured to use UTC time.

One important setting is the ‘VM Log Key’. Customers can use the ‘Refresh’ button to query the ESX host for the possible values.

Note: It is possible to read ESX logs from vCenter as well. Unfortunately, vCenter VI logs are simply cascaded message strings without timestamps, and the same log lines can repeat over and over. As a result, duplicate log entries might be archived.

Defining VI Event Rules

The VI Event Rule is very similar to a Windows Event Log Rule, and can monitor and/or archive. The Rule can filter on VI event type, event category and keywords in the event message.

Customers can select the VI event type from the built-in combo list, use ‘*’ for everything, or specify multiple types separated by commas. This is useful for monitoring specific VI events.
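As an added illustration, not code from this KBI or from Argent, the following Python reproduces the three filter dimensions of a VI Event Rule described above: an event type specification that is either ‘*’ or a comma-separated list, an optional category, and optional keywords matched against the message text. The event records are constructed; the type names follow vSphere API naming (such as VmPoweredOnEvent) but the messages and times are made up, and the choice that any one keyword is enough to match is an assumption of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class ViEvent:
    event_type: str   # vSphere event class name, e.g. "VmPoweredOnEvent"
    category: str     # "Error", "Warning" or "Informational" (VMware's grouping)
    message: str      # the formatted message text shown in Tasks & Events
    created: str      # ISO 8601 timestamp, UTC


# Constructed sample events for this example (hosts, VMs and times are made up).
SAMPLE_EVENTS = [
    ViEvent("VmPoweredOnEvent", "Informational",
            "W2008R2 on esx01.example.com in Datacenter is powered on",
            "2013-06-15T17:29:52+00:00"),
    ViEvent("UserLoginSessionEvent", "Informational",
            "User admin@10.0.0.5 logged in as VMware VI Client",
            "2013-06-15T17:30:05+00:00"),
    ViEvent("HostConnectionLostEvent", "Error",
            "Host esx02.example.com in Datacenter is not responding",
            "2013-06-15T17:31:10+00:00"),
    ViEvent("AlarmStatusChangedEvent", "Warning",
            "Alarm 'Host memory usage' on esx01.example.com changed from Green to Yellow",
            "2013-06-15T17:32:00+00:00"),
]


def parse_type_spec(spec: str) -> Optional[FrozenSet[str]]:
    """'*' (or empty) means every type -> None; otherwise a comma-separated list
    of exact type names, with surrounding whitespace tolerated."""
    spec = spec.strip()
    if spec == "*" or not spec:
        return None
    return frozenset(t.strip() for t in spec.split(",") if t.strip())


def event_matches(event: ViEvent, types: Optional[FrozenSet[str]],
                  category: Optional[str] = None,
                  keywords: Sequence[str] = ()) -> bool:
    """All configured dimensions must agree; an unset dimension matches anything."""
    if types is not None and event.event_type not in types:
        return False
    if category is not None and event.category.lower() != category.lower():
        return False
    if keywords:
        text = event.message.lower()
        # Assumption: any one keyword present in the message is a match.
        if not any(k.lower() in text for k in keywords):
            return False
    return True


def apply_rule(events: Iterable[ViEvent], type_spec: str = "*",
               category: Optional[str] = None,
               keywords: Sequence[str] = ()) -> List[ViEvent]:
    """Return the events a rule with these settings would act on, in arrival order."""
    types = parse_type_spec(type_spec)
    return [e for e in events if event_matches(e, types, category, keywords)]


if __name__ == "__main__":
    # A rule for two specific types, as a comma-separated list with loose spacing.
    for e in apply_rule(SAMPLE_EVENTS, "HostConnectionLostEvent, UserLoginSessionEvent"):
        print(e.created, e.category, e.event_type, e.message)
    # A rule for every type, narrowed to the Error category.
    for e in apply_rule(SAMPLE_EVENTS, "*", category="Error"):
        print(e.created, e.category, e.event_type, e.message)
```

Because a VI event carries no severity of its own, the category filter is the only severity-like dimension available; a rule that relies on keywords alone will silently miss events whose message wording changes between vSphere versions, so type names are the more stable filter for alerting.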

After defining the Rules, customers can use them in Relators as usual.

ESX Host Log Summary Reports

The built-in ESX Host Log Summary report can be used to read the archived ESX host logs. The most important setting in the report is the Log Type, which must be set to ‘VILog’. The ‘Refresh’ button can be used if the log type ‘VILog’ is not in the list.

Customers can use the advanced filter to list specific events.

VI Event Summary Reports

The built-in Event Log Summary report can be used to read the archived VI events. The most important setting in the report is the Log Type, which must be set to ‘VIEvent’. The ‘Refresh’ button can be used if the log type ‘VIEvent’ is not in the list.

Customers can use advanced filters to list specific events.

Resolution

Upgrade to Argent Advanced Technology 3.1A-1307 or later.