Scribd
Upload
88 views

VMware Auditing Quick Reference Guide

This document provides information on auditing events in a VMware environment using vCenter Server, vSphere Client, and PowerCLI. It lists some common VMware events like VM power on/off, account changes, and permissions changes. It also describes how to view events in the vCenter Events view, vSphere Events view, and through PowerCLI commands like Get-VIEvent to retrieve events from the past 120 days filtered by event type and time range. The document promotes a free trial of Netwrix Auditor for comprehensive event monitoring and visibility into all VMware environment activity.

Uploaded by

FIRAT
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
88 views

VMware Auditing Quick Reference Guide

This document provides information on auditing events in a VMware environment using vCenter Server, vSphere Client, and PowerCLI. It lists some common VMware events like VM power on/off, account changes, and permissions changes. It also describes how to view events in the vCenter Events view, vSphere Events view, and through PowerCLI commands like Get-VIEvent to retrieve events from the past 120 days filtered by event type and time range. The document promotes a free trial of Netwrix Auditor for comprehensive event monitoring and visibility into all VMware environment activity.

Uploaded by

FIRAT
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

Quick Reference Guide

VMware Auditing
VMware vCenter Server 4.1-6.0

VCenter Events View


Common VMware
Events:
 Run vSphere Web Client on your vCenter server > Navigate to  VmPoweredOffEvent – VM powered
“Events” Tab > Event Console will open where you can find all off
events happened with your virtual machines  VmPoweredOnEvent – VM powered
on

vSphere Events View VmSuspendedEvent – VM
suspended
 AccountCreatedEvent – Account
 Run vSphere Client on your computer > Select a Host > Navigate to created
“Events” Tab > “Event Console” will open where you can find all  AccountRemovedEvent – Account
removed
events happened with your virtual environment
 AccountUpdatedEvent – Account
updated

PowerCLI Events View  EnteredMaintenanceModeEvent –


Entered maintenance mode
 ExitMaintenanceModeEvent – Exit
 Run VMware PowerCLI connect to your vCenter using command: maintenance mode
 Connect-VIServer –server servername  PermissionAddedEvent –
Permission added
 Execute command Get-VIEvent  PermissionRemovedEvent –
 You can get more information by executing: Get-Help Get-VIEvent Permission removed
 You can specify parameters by adding the monitored event from  PermissionUpdatedEvent –
Permission updated
the Common VM Events list into this script (save this script in txt  UserLoginSessionEvent – User login
file with .ps1 extension) and run this script in PowerCLI console:  UserLogoutSessionEvent – User
Get-VIEvent -Start (Get-Date).adddays(-120) | ` logout
 UserPasswordChanged – User
where {$_.gettype().Name -eq "add event here” - password changed
and $_.CreatedTime -lt (Get-Date).adddays(1)} | `  AlarmAcknowledgedEvent – Alarm
acknowledged
select @{N="VMname"; E={$_.Vm.Name}},
 BadUsernameSessionEvent –
@{N="OccuredTime"; E={$_.CreatedTime}}, Invalid user name
 ClusterCreatedEvent – Cluster
@{N="Hostname"; E={$_.Host.Name}}, created
 ClusterDestroyedEvent – Cluster
@{N="Username"; E={$_.UserName}} deleted
 You can find full list of events here –
 You can also select different date range by changing “adddays” url2open.com/vmevents
parameter.

Gain #completevisibility into all activity in your VMware environment


for free with Netwrix Auditor for VMware: netwrix.com/go/trial-vm

Corporate Headquarters: Toll-free: 888-638-9749 Int'l: 1-949-407-5125


300 Spectrum Center Drive, Suite 1100, EMEA: 44 (0) 203-318-0261 netwrix.com/social
Irvine, CA 92618

You might also like