VMware vCenter Server is advanced server management software that provides a centralized platform for controlling your VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure across the hybrid cloud. This search will help you to control access to the VMWare environment, including reviewing who has accessed the system and how frequently or infrequently they do so.
- VMware. This procedure depends on data primarily obtained from the Splunk Add-on for VMware Metrics; however, log and event data from the VMWare environment can also provide additional insights into general VMWare environment health. Therefore, for best performance, you should also download and install Splunk Add-on for VMware ESXi Logs and Splunk Add-on for vCenter Logs.
- Ensure that you have installed the IT Essentials Work app to onboard VMware data and provide the various VMware entity type configurations and dashboards.
- Ensure that you are collecting VMware data through one or more Data Collection Nodes, which are essentially Splunk heavy forwarders with specific VMware collection configurations.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
index=vmware-taskevent sourcetype="vmware_inframon:events" | stats count BY userName eventClass ipAddress userAgent _time
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|index=vmware-taskevent sourcetype="vmware_inframon:events"||Search the event index where VMware vCenter task data is collected.|
|| stats count BY userName eventClass ipAddress userAgent _time||Display a count of results, grouped by the fields shown.|
Knowing what modifications are made to the VMware environment, when they were made, and who made them can help you identify or isolate the origin of a problem or incident. To prevent accidental misconfigurations, it might be safer to revoke access for users who access VMware infrequently. This procedure might also surface accounts created for employees who are no longer with the company or no longer in the organization where VMware access is needed.
Finally, you might be interested in other processes associated with the Monitoring VMware virtual machine performance use case.