A few days ago I was required to obtain some audit logs from our SIEM system (Sumologic) and from vCenter and I noticed that our vCenter logs weren’t going into Sumologic and that the log files required for SSO auditing or the VPXD log (which, among other things, stipulates what client was used by whom to connect) were rotating every 7 days. This was not good. So I decided what better time than now to forward vCenter syslogs to Sumologic.
It was a little more complex than just enabling syslog through appliance management as by default, this does not collect the SSO logs, like:
- /var/log/vmware/sso/ssoAdminServer.log – Auditing SSO logins
- /var/log/vmware/sso/vmware-identity-sts.log – Auditing SSO user changes
I found this out by scouring the internet and piecing little pieces together and eventually, creating a rock solid syslog source for our vCenter Servers.
Please note: This is not an officially supported configuration by VMware and for larger environments, this could potentially have an impact on the vCenter Server service, so please take caution in the logs you decide to forward. And as always, test this in a lab first.
I also want to mention that this needs to be done on each VCSA instance, i.e. if you have a vCenter with an External PSC, this would need to be done on both servers, in order to collect all the logs.
So, let’s begin:
Continue reading Forward vCenter Server Appliance Log Files to Remote Syslog Server
After about 6 months of planning and preparing for our VCSA upgrade, we had to completely revamp our upgrade path. In our environment, we use NetApp, and along with NetApp come some extensions like Virtual Storage Console (VSC) and now, the new NetApp SnapCenter.
I spent a lot of my time planning the deployment for an upgrade of our environment which included an upgrade of VSC from 6.2.1 to 7.0 and the install of SnapCenter 3.0, no wait, 3.1, no wait, 4.0.
Yes, that’s right, SnapCenter released 2 versions in the time of my upgrade planning and it still couldn’t do what we needed it to do, mainly cross-domain authentication, so, we had a little shout at our account manager who confirmed cross-domain authentication will be available in August 2018, so let’s see what happens. So, this process is still required, however, this made the upgrade a lot easier.
Continue reading Upgrading VCSA from 6.0u3 to 6.5u1
Recently the company I work for has upgraded all their VMware ESXi licenses to Enterprise Plus and with great licenses come great configurations. So, I’ve decided to install a fresh install of vCenter 6.5 in a lab with a couple of ESXi hosts attached so I can start configuring the awesomeness like distributed switches (which will be documented too). I’ve always wanted to play with this, but licensing was an issue.
This is for a new install of vCenter, using the UI. I included a very brief CLI deployment too. I will also include an upgrade vCenter post to show the upgrade procedure from 6.0 to 6.5 (and the issues faced with that).
Continue reading Installing vCenter with External Platform Services Controller
So, it’s been quite some time since my last post, dealing with personal issues and the festive season and and and, so, here I am, back in 2017 and hopefully bringing awesome content.
So, let’s kick it off with resetting the vSphere password. This works on the vCenter, an external Platform Service controller or an AIO system.
The reason behind me doing this is due to the password expiring and someone resetting it and not recording it in our password management software.
A Live boot ISO – I used this one: ADRIANE-KNOPPIX_V7.2.0gCD-2013-07-28-EN
Console access to the VM you want to reset.
Be sure to have ESXi host access to the host where these VMs reside as the VMs WILL require a reboot, meaning your entire vCenter will be offline for the duration of this password reset.
I assume you have some basic ESXi / vSphere knowledge so I will not go into how to do simple things like mount the ISO – I will continue from the boot process.
Boot from the ISO, till you reach
Continue reading Resetting vSphere 6.0 Password
This is going to be a multi-part post, based on a very recent deployment.
I had to urgently build an AlwaysOn Availability Group and Listener in Azure on SQL Server 2014. The only issue was, I have limited Azure and SQL knowledge. I can maintain and install, and create a few scripts here and there. But not enough to be called a DBA or Cloud Boff. However, I decided this would be an awesome thing to learn how to do. So, during the course of man flu, about 40 hours of crunch time, I can now install, configure and maintain a SQL AlwaysON AG with Listener on Azure.
So, let’s get cracking.
- 1x Domain Controller
- 1x Service account for the SQL Server Service and for the SQL Server Agent Service
- 1x Delegated permissions on AD for the cluster to create computer objects.
- 1x Load balancer (on Azure)
- 2x Windows Servers installed with a minimum of SQL 2012 installed
- Shared location on each node (this will be used for adding DBs to the using a “Full” model)
Some of these pre-requisites are listed in this post – so don’t worry if you don’t know how to do certain things.
Continue reading Install and configure SQL AlwaysON AG with Listener on Azure
I needed to move our FSMO roles to a centralised server today, the main cause for this was firewall ruling (cannot add rules mid-week) and an urgent requirement for Domain controllers in our Azure Production environment.
We were unable to dcpromo our Azure server and after 2 days of troubleshooting, wiresharking and several workarounds – we decided to move the FSMO roles yet again. Now, I know for a fact that continuously moving the FSMO roles is NOT HEALTHY for a domain environment, I was totally against it, but I bit the bullet and did as I was told.
They are now in their new home, On-Premise Site A, and will not be moved again. However, due to Microsoft best practice, we will split the Schema master and Domain Naming Master off to DC2 once all firewall rules are in place.
Continue reading Step by Step Moving FSMO roles in Server 2012 R2
Today I went through the process of scripting the configuration of SNMP configurations for multiple OS/devices. The reason for this is that there has never been a formality or standardisation of this and sometimes we tend to forget this and/or that. So, in case you would also like to script it, here is what we use.
For this, you could either use “3rd floor, of some office” or, if you are a global company, with a monitoring system that makes use of the GoogleMaps API (e.g. Observium) and would like to show various locations globally – use a Google API name – e.g. London, UK or Cape Town, South Africa etc.
This could be a name or an email address or telephone number
Something that is configured on your server and on your device/workstation/server that allows communications. There is also a permission set that will get applied to this.
This is the place you are sending information to
This is by default, 161/UDP, unless you change it.
Continue reading Scripted configurations of SNMP v2
Recently, I took part in a maintenance weekend at the office. Post maintenance, our IPSentry dashboard (we use IPSentry for some of our monitoring) reported a couple of errors, which were fixed.
Come Monday morning, a colleague of mine noticed that certain systems were down, which he brought up. I did some further investigation and noticed one of our DHCP pools was running out of leases. I wanted to see if IPSentry could monitor DHCP addresses, and as it turns out, it can.
It took me a while to figure this out, but now I know it, I’ll add it here for the world to share.
As mentioned before, in order to monitor DHCP leases, you would need to make use of the SNMP Addin for IPSentry.
So here are the prerequisites:
Continue reading How to Monitor DHCP Addresses with IPSentry
Today I needed to reset a DSRM password, not because we forgot it, but more due to wanting to have different passwords for our domain controllers.
Although, you could have the same password for each Domain Controller – this is not always secure. If your server gets compromised and they hack the DSRM password, they will try that exact password on a different server in order to gain access to it.
What is DSRM?
DSRM is a special boot mode (or option) for Windows Server Domain Controllers (ONLY). Think of it as a kind of “SafeMode” for directory services. With DSRM, the administrator is able to repair, recover or restore Active Directory services. DSRM is configured during the promotion of Active Directory Services. This Administrator account that you configure is completely unrelated and separate to the DOMAIN\Administrator account.
Continue reading Resetting DSRM or Directory Services Restore Mode password in Server 2012 R2