Virtualization Adapted Adapting Business Processes for Virtual Infrastrcuture (and vice-versa)

2010/03/25

List of log files VMware vSphere ESX Classic version 4

Filed under: virtualization — Tags: , , , , , , , , — iben @ 11:02
The following log files contain information that needs to be track on a VMware vSphere ESX 4 Classic Host to be in compliance with many security standards and best practices such as CIS Benchmark, PCI-DSS, SOX section 404, HIPPA, CPNI, COSO, ISO 20001, COBIT, and so on.
You can use syslog or splunk lightweight forwarders for this purpose.

/var/log/vmkernel

/var/log/secure

/var/log/vmkwarning

/var/log/vmksummary

/var/log/vmksummary.txt

/var/log/messages

/var/log/vmware/*.log

/var/log/vmware/aam/*.log

/var/log/vmware/aam/*.err

/var/log/vmware/webAccess/*.log

/var/log/vmware/vpx/vpxa.log

/vmfs/volumes/*/*/*.log

 

Table with Explanation of files to log for VMware vSphere ESX Classic version 4

Component

Location

Purpose

 VMkernel

 /var/log/vmkernel

 Records activities related to the virtual machines and ESX

VMkernel warnings

/var/log/vmkwarning

Records activities with the virtual machines

VMkernel summary

/var/log/vmksummary

Used to determine uptime and availability statistics for ESX; comma separated

VMkernel summary human readable

/var/log/vmksummary.txt

Used to determine uptime and availability statistics for ESX; human‐readable summary

ESX host agent log

/var/log/vmware/hostd.log

Contains information on the agent that manages and configures the ESX host and its virtual machines

vCenter agent

 

/var/log/vmware/vpx/vpxa.log

Contains information on the agent that communicates with vCenter

Web access

Log all the files in the directory /var/log/vmware/webAccess/*.log
client.log, proxy.log, unitTest.log, viewhelper.log, objectMonitor.log, timer.log, updateThread.log

Records information on Web-based access to ESX
(service vmware-webAccess start on ESX host to enable this)

Authentication log

/var/log/secure

Contains records of connections that require authentication, such as VMware daemons and actions initiated by the xinetd.

Service Console

/var/log/messages

Contain all general log messages used to troubleshoot virtual machines or ESX

Virtual machines

The same directory as the affected virtual machine’s configuration files; named vmware.log and vmware‐*.log

/vmfs/volumes/<DS>/<VM>/vmware.log

/vmfs/volumes/<DS>/<VM>/vmware-*.log

Contain Virtual Machine Power Events, system crashes, Tools status and activity, Time Sync, Virtual Hardware changes, VMotion Migrations, Machine Clones,

Table  – List of ESX Host Files to Log

 

 

2010/03/19

Number of ports to use for standard and distributed virtual switches

Filed under: virtualization — Tags: , , , , , , , , , , , , , , , , , — iben @ 14:30

VMware just updated their KB: Reserved or overhead ports for virtual switches (http://kb.vmware.com/kb/1008040) and we’ve run into this issue a number of times since upgrading to vSphere ESX 4. These new high memory hardware architectures allow an unprecedented number of virtual machine guests to be consolidated on a single ESX host.

By default a vswitch may not have enough ports to support the consolidation ratio your equipment can support. New ESX hosts can have 256 GB of RAM with 4 hex core processors and easily support 100 or more virtual machines. These virtual machines might have 1, 2, or more vNICs configured and each would need a port on the vswitch. One might imagine the need for 500 to 1000 ports needed per esx host. Why not just make it 2000 so we don’t have to worry about it later on?

Once you run out of vswitch ports you cannot power on any more vms on that host and even get errors about unplugged network cable.  Increasing the vSwitch port allocation seems easy enough, vmotion all workload off the host, put it in maintenance mode, change the vswitch config, reboot. Some system administrators run into this issue and decide to make the number of ports allocated to the vswitch really high to prevent this from ever being an issue. This can cause problems though.

There’s a limit of how many vswitch ports in total an ESX host has to hand out to it’s various vswitches. In addition, if security is a concern, you may start running firewall virtual appliances like vShield Zones or Catbird. WAN Accerators and Performance Monitoring tools like AppSpeed also require additional vSwitches to be created. Ports used on these vSwitches all take away from the total bucket of available ports.

Once 4096 ports are allocated to existing vSwitches you will not be able to add additional hosts to a vNetwork Distributed Switch either.

We also have the following Security Recommendation:

Only allocate vswitch ports to virtual machines on demand and as needed.

This will make it difficult if not impossible to “plug” a VM into the wrong network by accident. Testing for this can be done manually through the vSphere Client. If there are no ports available on a vSwitch then this is a positive test.

1. While connected to the vCenter Server Navigate to Home – Inventory – Networking in the vSphere Client and click on the vDS in question.
2. Click on the Ports Tab
3. If all of the ports in the list have a VM associated with it in the “connected”column then this is a positive test.

Deployment scenarios where a very large number of uplinks are teamed together on a single virtual switch might significantly impact the number of  ports on that virtual switch available for virtual machine use, and the overall size of the virtual switch might need to be adjusted accordingly.
 
The current port utilization data for virtual switches can be reviewed by using the esxcfg-vswitch –list command.
 
The current overhead utilization on a given virtual switch can be calculated by subtracting the Used Ports value for all PortGroups from the Used Ports value for that virtual switch.

Recommendation: Use VNDS vNetwork distributed Switches for all Virtual Machine traffic and limit the number of ports assigned to each standard vSwitch used for vmkernel and service console.

Standard vSwitch Procedure:

Note: A server reboot is required to apply the following configuration change.  Migrate the virtual machines off the ESX host to prevent any downtime.   On the vswitch there is an option to specify the number of ports the vswitch supports.  

To view this setting:

  1. Click the Configuration tab of the ESX host in the Virtual Infrastructure Client (VI Client).
  2. Click Networking.
  3. Click Properties.

  4. Click on vSwitch.
  5. Click Edit.

  6. On the General tab select the number of ports you want and click OK.

 

  • Reboot the ESX host for changes to take effect.

    • Reference Links

    2009/04/28

    VMware Security Compliance Tools

    Filed under: virtualization — Tags: , , , , , , , , , — iben @ 10:37
    This is a short list of Tools and Documents concerning security in a Virtual Infrastructure.
    Tools – page 1
    Documents – page 2

    Tools

    Configuresoft

    • Configuresoft’s Center for Policy and Compliance (CP&C) has led the industry in forming opinion and bringing together published security and compliance information to build a rich library of compliance toolkits that are available for download by Configuresoft customers from www.configuresoft.com. These CP&C Compliance Toolkits include:
    • VMware Infrastructure 3 Security Hardening Guidelines and VMware Virtual Center Best Practices
    • FISMA Compliance Toolkit for Virtual Computing
    • GLBA Compliance Toolkit for Virtual Computing
    • HIPAA Compliance Toolkit for Virtual Computing
    • Sarbanes-Oxley (404) Compliance Toolkit for Virtual Computing
    • DISA STIG Compliance Toolkit for Virtual Computing
    • http://vmblog.com/archive/2008/04/08/configuresoft-expands-security-and-compliance-coverage-to-include-cis-vmware-esx-3-x-server-benchmark.aspx

    HyTrust

    HyTrust Appliance – http://www.hytrust.com/product/overview

    • The HyTrust™ Appliance offers IT managers and administrators of virtual
      infrastructure a centralized, single point of control and visibility for:
    • configuration management
    • compliance auditing
    • access management
    • best practices
    • process workflow
    • security controls

    TripWire

    http://www.tripwire.com/solutions/virtualization/

    ConfigCheck

    • ConfigCheck rapidly assesses the security of ESX 3.0 and 3.5 hypervisors compared to the Virtual Infrastructure 3 Security Hardening Guidelines.
    • ConfigCheck assesses nearly 100 configurations of the ESX server, and most VI professionals who run the test find significant vulnerabilities. ConfigCheck’s remediation report provides detailed, step-by-step guidance to bring your virtual environment into a state that is secure. ConfigCheck helps you:
      • Ensure recommended ESX configurations
      • Discover possible vulnerabilities
      • Deploy virtualization safely and securely
      • Increase security posture of the entire enterprise
      • Reduce configuration drift
    • http://www.vwire.com/free-tools/configcheck/

    VMinformer

    • VMinformer is a security tool designed to check the security posture of your VMware environment. The tool comes with pre-defined policies that can be customized to suit your specific requirements and are based on industry best practices such as ‘VMware’s Security best practice hardening guide’ and the ‘DISA ESX STIG’ hardening guide. The policies also contain rules that have been based on extensive research and industry experience.
    • Features:
    • Connects to your ESX hosts or Virtual Center (v3.0, 3.5 and VC 2.5)
    • Pre-defined policies based on industry best practices (VMware security hardening guide)
    • Policies can be customized for your environment
    • Provides full visibility and monitoring of your ESX hosts and Virtual machines
    • Dashboard – Provides a graphical overview of VM’s and Security Posture
    • Reporting
    • Remediation guidance

    (more…)

    Powered by WordPress