On a high level, data collection process for VMware servers works as follows:
- VMware administrator prepares a dedicated service account with sufficient permissions to collect data from VMware servers. This account must have at least Read Only role on those servers. For more information on VMware vSphere roles and permissions assignment, refer to this VMware article.
- Netwrix administrator does the following:
- Creates a monitoring plan in Netwrix Auditor, specifying the service account (prepared at step 1) as a data collecting account in the Monitoring Plan wizard. Then s/he adds items to the monitoring plan – these are VMware servers to collect data from.
- Configures alerts related to VMware data source. Current version does not include predefined alerts for that data source, so follow the instructions to create and configure the necessary alerts.
NOTE: Remember to set the filter to “Data Source equals VMware”.
- Netwrix Auditor Data Collection Service starts periodic (every 15 min) data collection sessions. The results of each session include:
- VMware infrastructure snapshot collected from the monitored items, i.e. VMware vCenter or ESX(i) host
- VMware events that occurred since the previous data collection. Data is retrieved via VMware web services API using HTTPS protocol.
- Netwrix Auditor Data Collection Service processes collected data into the proprietary format (Activity Records). Each Activity Record contains initiator’s account, time, action, and other details.
- To determine what has changed in the configuration, it compares a state snapshot from VMware server with the previously taken.
- To get ‘Who’ (initiator) and ‘When’ (date and time) information for the detected changes, the product uses VMware events data.
- Netwrix Auditor Server then writes the Activity Records to the audit database (default retention – 180 days) and long-term archive (default retention – 120 months).
- Users can work with collected data in Netwrix Auditor client UI: run search, view reports, and so on. If you have configured alerting in Netwrix Auditor, then the activities that match the certain criteria will trigger the alerts. Recipients will be notified by email, and response actions will be taken, if configured.
- Netwrix Auditor also generates an Activity Summary once a day (by default, at 3 AM) and sends it to the specified recipients. This email lists VMware infrastructure changes and activities collected by Netwrix Auditor during the last 24 hours.