Monitoring vCenter privelage reassignment with Nagios XI

During a restart of the ‘VMware VirtualCenter Server’ service, if a user or group assigned to the Administrator Role at the root folder level could not be verified during the restart the user privelages are revoked.

As part of security hardening on the vCenter server, I created a Nagios Remote Plugin Executor (NRPE) to search for the event created in the application log and create a service status. 

Firstly, we will only require to query the application log after the ‘VMware VirtualCenter Server’ service has started, we can retrieve this information as a date format by using the Get-Process cmdlet to return the ‘StartTime’ value of the process ‘vxpd’.

$Start= (Get-Process vpxd).StartTime

Now that we have retrieved a date value to query the application log after, we will need to filter the application log further using the ‘Get-EventLog’ cmdlet to retrieve an event, which is similar to the below:

Log Name: Application
Source: VMware VirtualCenter Server
Date: M/DD/YYYY H:MM:SS PM
Event ID: 1000
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: [vCenter Server]
Description:  Removing permission for entity ""<group name>"", group ""DOMAIN\Account"", role -1.  Reason: User or group not found."

We will now create a filter to pass to the ‘Get-EventLog’ cmdlet to retrieve the any results like the above and store this is a variable so that we may use the results as a count. The below will filter for the Souce ‘VMware VirtualCenter Server’, the EntryType  ‘Warning’ and where the message text is like ‘Removing permission*User or group not found’.

The ‘ErrorAction’ preference is required as if zero counts of the below filter are returned, an error will be passed to the console output.

$Query = Get-EventLog -LogName Application -Source "VMware VirtualCenter Server" -EntryType "Warning" -After $Start-ErrorAction SilentlyContinue | Where-Object {$_.Message -like "Removing permission*User or group not found"}  

Conditional Logic will then be used to create a service status message based on the count of results returned in the above query. If zero results are returned the service status will be set to ‘OK’ with a status information stating that no instances of privelage reassignment since the process start time have been retrieved

If one or more results are returned, the service status will be set to ‘Critical’ with the status information message that a number of instances of privelage assignment since the process start time have been retrieved.

If ($Query.Count -eq "0") 
    { 
    "No instances of privelage reassignment since " + ($Start).ToString("dd/MM/yyyy HH:mm")
    $returncode="0"
    } 
ElseIf ($Query.Count -ge "1") 
    { 
    "" + $Query.Count + " instances of privelage reassignment since " + ($Start).ToString("dd/MM/yyyy HH:mm")
    $returncode = "2"
    }

The powershell session will now exit and return an exit code.

exit $returncode

Once you have configured the external script to run within Nagios (http://wp.me/p15Mdc-eC), for a service status of ‘OK’ you should receive something similar to the below:

CountVMUPR

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s