Aria Operations 8.18 was a big release, several new features were added, including one we haven't discusesd yet: Audit Events. Let's explore!
First thing you'll notice is that there are only 20,000 events displayed at a time, so keep that in mind.
Right below that you'll see how many of the vCenters you have in Operations are in fact sending Audit Events in as well.
Clicking VIEW DETAILS gives you the details behind which vCenters are actually sending Audit Events.
In my case, I have 10 vCenter Adapter Instances collecting data, but only 2 of them are sending Audit Events. Clicking on the Documentation link will tell you why. There are 3 requirements for Audit Events:
Aria Operations for Logs must be collecting logs from all vCenter Servers that are also being collected from in Aria Operations.
Aria Operations for Logs minimum version is 8.18.
Aria Operations for Logs Management Pack must be configured and running in Aria Operations
Once configured properly, you'll start seeing Audit Events which can be filtered by Severity, Updated By, vCenter, Object Type, Object ID, and Event Category. Severity is self-explanatory, but Updated By deserves some exploration. For example, if you're trying to track down a particular user, you can filter on that user and see their Audit Events.
If you're interested in Audit Events from only a particular vCenter you can filter on that. You can add multiple filters as well, maybe you want to see all Permission related Audit Events from a certain vCenter.
Expanding an Event will give you more details.
If it's Object Type and/or Object ID you're after, you can filter on them as well. Finally, and for me maybe the most interesting, is the Event Category Filter (there are 12 in total).
At this point, we can't yet create Alert/Symptoms based on Audit Events, include them in Dashboards/Views, or export Reports of them, but hopefully that's on the roadmap. This is a great first step toward providing audit-type capabilites in Aria Operations, more to come.
Comments