Category Archives: Monitoring

Compliance and security with vRealize Operations.

VMware has been working hard to add new features to vRealize Operations (vROps); the management tool is unrecognisable from its origins as vCOps. One of the most overlooked areas for me is compliance. It is very powerful and easy to set up.

Since I mentioned vCOps, let's go back some years to around 2012, when VMware was still actively selling a product called Configuration Manager (vCM). It was a product they inherited from EMC with a heavy Windows background. It WAS a Windows program, but extremely powerful. You could write your own rule sets for testing, use the built-in ones (the vSphere hardening guidelines) or buy additional ones (SOX, HIPAA, PCI, ...). So it was not limited to vSphere environments. You could for example write a rule to check that anti-virus was installed on all your desktops, or check your Microsoft Active Directory, or... But it was very complex to set up. I demoed it a lot, especially in the financial world.

The last GA version of vCM is 5.8.5, which is supported until 1/2021 (see the KB), but VMware stopped bundling it with vROps Advanced and Enterprise from version 6.7. They started developing a SaaS version called vRealize Air Compliance, but around the time of the sale of vCloud Air to OVH in 2017 the product disappeared. At least I cannot find it anymore.

The good news is that VMware started adding compliance testing to vROps 6.7, and with each version the possibilities keep improving!

Compliance dashboard in vROps 8.0.1

Compliance is built on alert symptoms: a benchmark is a set of symptoms, each comparing one configuration setting against the value the hardening guideline asks for. In previous releases you had to edit the default policy to enable them, but now Compliance finally has a full-blown dashboard where you can edit the benchmarks and activate them in the policy of your choice. By default vROps includes the vSphere, NSX and vSAN hardening guidelines as benchmarks. Can you imagine? You can enable them with one click and check your whole SDDC against the hardening guidelines! Be clear about what that gives you: it finds misconfigurations and drift from the guideline, not software vulnerabilities, so it complements patching and vulnerability scanning rather than replacing them. I cannot emphasise enough how important this is; can you keep an eye on all the settings of hundreds of virtual machines with pen and paper? Of course not. Use vROps! On top of that you can create up to 5 of your own benchmarks (or assemble them from parts of the others). This is the custom benchmark pane in the middle. I will sit back down now...

Of course my homelab reflects the real world, with a lot of compliance issues! If you click a benchmark you get to the details with the triggered symptoms. From there you can decide on an action. What I still miss here is a 'remedy' or 'action' button like we had in vCM. Now you have to go through a lot of messages and decide on corrective action yourself. But knowing the team, this is probably coming!

Benchmark details screen.
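To make the "benchmark = set of symptoms over an inventory" idea concrete, here is a small evaluator I added for this post. It is not vROps code and does not use any vROps API: it models a benchmark as a list of rules, checks each VM's advanced settings against them, reports violations and computes a compliance percentage, and shows how a custom benchmark can be assembled from parts of a built-in one. The rule keys are well-known vSphere hardening guide VM settings; the inventory is constructed sample data.

```python
"""Configuration-compliance benchmark evaluator (added example, not vROps code).

A benchmark is a list of rules; each rule compares one VM advanced setting
against the value the hardening guide asks for. Evaluating a benchmark over
an inventory yields, per VM, the rules it violates.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    key: str        # advanced setting name on the VM
    expected: Any   # value the hardening guide asks for
    severity: str   # how loudly to alert on a violation


@dataclass(frozen=True)
class Violation:
    key: str
    severity: str
    expected: Any
    actual: Optional[Any]   # None when the setting is not present at all


def _norm(value: Any) -> str:
    # vSphere stores these settings as strings; compare case-insensitively
    # so "true" and "TRUE" count as the same value.
    return str(value).strip().upper()


# Subset of the vSphere hardening guide's VM advanced settings.
VSPHERE_VM_BENCHMARK: List[Rule] = [
    Rule("isolation.tools.copy.disable", "TRUE", "warning"),
    Rule("isolation.tools.paste.disable", "TRUE", "warning"),
    Rule("isolation.tools.setGUIOptions.enable", "FALSE", "warning"),
    Rule("isolation.device.connectable.disable", "TRUE", "critical"),
    Rule("RemoteDisplay.maxConnections", "1", "warning"),
    Rule("tools.setinfo.sizeLimit", "1048576", "info"),
]


def custom_benchmark(base: Iterable[Rule], keys: Iterable[str]) -> List[Rule]:
    """Build a custom benchmark from selected rules of an existing one."""
    wanted = set(keys)
    return [rule for rule in base if rule.key in wanted]


def evaluate_vm(benchmark: Iterable[Rule], settings: Dict[str, Any]) -> List[Violation]:
    """Return the rules this VM violates.

    An absent setting is treated as a violation: the check cannot prove the
    hardened value is in effect, so it fails closed rather than open.
    """
    violations = []
    for rule in benchmark:
        actual = settings.get(rule.key)
        if actual is None or _norm(actual) != _norm(rule.expected):
            violations.append(Violation(rule.key, rule.severity, rule.expected, actual))
    return violations


def evaluate_inventory(benchmark: List[Rule],
                       inventory: Dict[str, Dict[str, Any]]) -> Dict[str, List[Violation]]:
    """Evaluate every VM in the inventory against the benchmark."""
    return {vm: evaluate_vm(benchmark, settings) for vm, settings in inventory.items()}


def compliance_score(benchmark: List[Rule], results: Dict[str, List[Violation]]) -> float:
    """Percentage of (VM, rule) checks that pass, rounded to one decimal."""
    total = len(benchmark) * len(results)
    if total == 0:
        return 100.0
    failed = sum(len(v) for v in results.values())
    return round(100.0 * (total - failed) / total, 1)


# Constructed sample inventory: VM name -> advanced settings actually present.
SAMPLE_INVENTORY: Dict[str, Dict[str, Any]] = {
    "web01": {   # fully hardened
        "isolation.tools.copy.disable": "TRUE",
        "isolation.tools.paste.disable": "TRUE",
        "isolation.tools.setGUIOptions.enable": "FALSE",
        "isolation.device.connectable.disable": "TRUE",
        "RemoteDisplay.maxConnections": "1",
        "tools.setinfo.sizeLimit": "1048576",
    },
    "db01": {    # wrong values plus several settings never configured
        "isolation.tools.copy.disable": "false",
        "isolation.tools.paste.disable": "true",
        "RemoteDisplay.maxConnections": "5",
    },
    "app01": {   # only the critical device-connect setting is missing
        "isolation.tools.copy.disable": "TRUE",
        "isolation.tools.paste.disable": "TRUE",
        "isolation.tools.setGUIOptions.enable": "FALSE",
        "RemoteDisplay.maxConnections": "1",
        "tools.setinfo.sizeLimit": "1048576",
    },
}


if __name__ == "__main__":
    results = evaluate_inventory(VSPHERE_VM_BENCHMARK, SAMPLE_INVENTORY)
    for vm, violations in results.items():
        print(f"{vm}: {len(violations)} violation(s)")
        for v in violations:
            found = "<not set>" if v.actual is None else v.actual
            print(f"  [{v.severity}] {v.key}: expected {v.expected}, found {found}")
    print(f"Compliance score: {compliance_score(VSPHERE_VM_BENCHMARK, results)}%")
```

Two design choices matter here. Treating an absent setting as a failure is deliberate: a guideline you cannot verify is not a guideline you are meeting, and it is exactly the kind of "nobody ever set it" drift a dashboard like the one above is meant to surface. Second, normalising case before comparing avoids false alarms from a value like "true" versus "TRUE", which is the sort of noise that makes people stop reading the triggered symptoms.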

And for the pièce de résistance, VMware now includes the major regulatory benchmarks such as PCI DSS and HIPAA for free! You just need to download them from the dashboard and enable them. You see in my example that I enabled the ISO benchmark on my SDDC.

ISO benchmark details dashboard.

These used to be expensive extras in Configuration Manager and now you just need to download them. I hope that with the new service discovery and Telegraf agents more benchmarks are coming, for operating systems for example. Maybe partners will provide them too on the Solution Exchange.

And if all of this is not enough, you can of course unleash these benchmarks on your VMware Cloud on AWS (VMC) SDDC as well. All from the same interface.

I hope this blog post has inspired you to test this out for yourself. Let me know how it goes; I am available for consulting if you need help. You can contact me through my website.

Internet archive and my old Sun blog.

Because I am working on my websites and my marketing these days (see the previous blog) and since I want to do some freelance writing, I was looking for my old blog at Sun. This was effectively the precursor to this independent self-hosted blog, in the we-can-do-anything Sun days. Amazingly it survived the transition to Oracle with me... But having left in 2012, they took it down. I guess my musings were not that interesting... I had fun with that blog though. It even once earned me an interesting exchange with our legal counsel. I cannot remember his name, but he dressed up on "dress as a pirate day" (remember, this was Sun) and is a great guy. The entry was around acquisition rumours... And if you want to find that blog, you can! Read on!

I wrote before about one of the greatest things on the information superhighway, namely the Internet Archive. Their Wayback Machine has been indexing and storing snapshots of websites for many, many years. Lo and behold, they took a few snapshots of my Oracle/Sun blog! You can see it here with all the entries... We need to support archive.org!

Datadog part 1: Who let the dogs out?

TL;DR: Datadog is a SaaS monitoring solution with an impressive list of integrations, including vCenter and AWS. Their agent is open source. They have impressive dashboarding and now also offer logging and APM.

As part of my newly won freedom from vendors this year, I am looking at some options to manage your VMware environment. Of course vRealize Operations is still my baby, but choice is a good thing, and in some cases you might be interested in looking at other solutions. Like when you look at the prices to manage your full-stack environment...

Datadog home screen.

Datadog is a very popular choice at the moment. You see their booths at DockerCon and AWS Summits, and their engineers give a lot of public talks. Founded in NYC by two Frenchmen, their claim to fame is that they are a SaaS solution: you install agents in your infrastructure and they send data to Datadog's cloud engine. A few things stand out here:

  • The agent is open source! So you have complete visibility into the very optimised code they use, you can audit exactly what it collects and sends out of your network, and you can even change it if you want.
  • The SaaS model has its advantages: think about all the metrics you want to gather in your infrastructure. Do you really want to maintain servers and storage to keep them? Datadog keeps them in a (dare I say) data lake and allows you to do some nifty stuff with it. More on that later.
  • They have more than 250 integrations! I was used to the Blue Medora plugin catalogue, but this is insane! I am not going to list them all; just look at their page.

Datadog is very strong in cloud solutions (they are an AWS partner) but also shines in cloud-native environments. They are now venturing into logging and APM! It all reminds me a bit of what Blue Medora is trying to do with BindPlane, but you do not get the connectivity out to other monitoring systems (save Grafana); what you do get is very cool dashboarding. Really cool dashboarding! This is where the solution feels really different to me. You can build very beautiful and responsive dashboards, you can play with metrics in a notebook, and you can even annotate a graph or part of it for your colleagues. It feels very much like monitoring for Millennials. You can also tie in comms systems such as Slack or PagerDuty for your monitors. The system will also send you mails with daily updates.

In the next article I will dive into some highlights of the integration with vCenter and AWS. If you want to try it out yourself, get a trial on their home page. I am available as an independent contractor to work with you on evaluating a monitoring environment.

Starting Grafana…

Well, the advantage of more time on my hands and a working homelab is that I finally got round to installing Grafana! I have been reading up on this wonderful open-source visualisation tool and have wanted to use it ever since I attended a FOSDEM session last year! I think this is a great tool to bring different data sources together and offer a complete stack view. I was contemplating attending GrafanaCon next week, but the plane tickets to LA are a bit expensive... To console myself I installed version 6 beta 3 to learn everything new straight away.

I installed a Debian 9 VM in my vSphere environment with 2 vCPUs, 4 GB of RAM and a 50 GB disk. I played around with CentOS and Ubuntu, but I think more and more of Debian as the clean, stable, secure mother of several other Linux distributions... and the CLI is so familiar from all my Raspberry Pis.

The Grafana install is very quick and painless. I just got some mix-up when registering on their site: my username did not get through. Of course I did not read too much of the documentation and I had not created a user in my instance yet... worldPing was not working... I almost immediately got some emails from Matt to point out something was wrong, which is rather impressive...

Anyway, I have worldPing working; it is a plugin that monitors the availability of services on the internet. When I pointed it at this blog it automatically set up DNS, ping and HTTPS checks and installed some standard dashboards. This is a great quick intro to Grafana and a great way to get mileage out of it straight away!

worldPing dashboard for my blog

I also connected Azure Monitor, since Microsoft announced a collaboration with Grafana. The only thing a bit involved here is setting up a service principal for Grafana to connect with. It went flawlessly, but now I need some data to display there... I also played around with Dark Sky as a data source to get the weather forecast, but no luck so far. I will keep you updated. Next is connecting AWS and maybe setting up Prometheus...
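Because the service principal step is the only fiddly part, here is how I would wire the Azure Monitor data source into Grafana by provisioning file instead of clicking through the UI. This is an added example, not configuration from the original post or from Grafana's documentation; the four environment variable names are my own choice and are assumed to be set in the Grafana service's environment. The point worth copying is the split between `jsonData` and `secureJsonData`: the client secret goes in `secureJsonData`, which Grafana encrypts at rest, never in `jsonData`, and the service principal itself should carry only the built-in Monitoring Reader role on the subscription, not Contributor or Owner.

```yaml
# /etc/grafana/provisioning/datasources/azure-monitor.yaml (added example)
# Grafana reads every file in this directory at startup and creates or
# updates the listed data sources. Values of the form ${VAR} are expanded
# from the Grafana process environment, so no secret lives in this file.
apiVersion: 1

datasources:
  - name: Azure Monitor
    type: grafana-azure-monitor-datasource
    access: proxy                      # Grafana server calls Azure; the browser never sees the credentials
    jsonData:
      cloudName: azuremonitor          # public Azure; other values exist for sovereign clouds
      tenantId: ${AZURE_TENANT_ID}     # assumed env vars, set by the operator
      clientId: ${AZURE_CLIENT_ID}     # app registration (service principal) ID
      subscriptionId: ${AZURE_SUBSCRIPTION_ID}
    # Weak variant, shown only to contrast: putting the secret in jsonData
    # stores it in clear text in Grafana's database.
    #   clientSecret: ${AZURE_CLIENT_SECRET}
    secureJsonData:
      clientSecret: ${AZURE_CLIENT_SECRET}   # encrypted at rest by Grafana
    editable: false                    # prevent UI edits from drifting away from the provisioned state
```

Grant the service principal Monitoring Reader (or plain Reader, if you also want resource metadata) scoped to the subscription or resource groups you actually dashboard, and rotate the secret by changing the environment variable and restarting Grafana rather than editing the data source by hand.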

If you want to start with Grafana, head over to their website for the install instructions, or use their hosted version. You can also find Grafana images on AWS and Azure.