Monitoring VMware Cloud on AWS firewall changes with vRealize Log Insight Cloud

I am one of the admins of our team’s lab environment. Part of learning is making mistakes, and one of those mistakes it sometimes making less-than-desirable firewall changes.

I wanted to be alerted any time somebody opened up vCenter access to the world.

Find the firewall event

First, I need to see the firewall messages logged by vRLIC when I make a firewall change in VMC. I create a new firewall rule named ‘vcenter-any-pkremer’ with source Any and destination vCenter

I search vRLIC for my rule name ‘vcenter-any-pkremer’

This gives me everything I need to create my query.

Build a query

  • The destination_groups section contains any groups that are added to the destination section of the firewall rule. The asterisk after the first bracket allows for an arbitrary number of groups to exist in the group before finding the group we need – VCENTER.
  • You cannot have more than 1 member when your source is ‘ANY’, so that one is just a direct string match
  • I only care about ALLOW, not DENY
  • I want to alert when the gateway policy is updated

I build my query and save it as ‘MGW-vCenter-Open-To-World’

Create a webhook

Now I need a webhook. I already created a Slack webhook in a previous post, check it out if you need to set up Slack. You can of course use any webhook, not just Slack.

The result of that setup process will be a webhook URL that you can use

Add webhook to vRLIC

You can find webhook configuration under the Configuration section of vRLIC. You can even test it

The test event succeeds.

Create an alert

Under Alerts>Alert Definitions, click Create New

I reuse my saved Query

I change the trigger condition to Real Time, then click on the notify section and click the checkbox next to the webhook configuration I created in the previous step. I add some text to the Recommendations section

I scroll back to the top, click the Enable slider and click Save. Don’t forget the Enable slider, I missed the first time through.

Live test

I test by adding another allow Any rule

The webhook succeeds and I get a realtime alert in Slack.

I can click on the blue text and it brings me to the triggered alert.

I click on the View Query button and can see the event that tripped the alert.

I hope this post helps you monitor unwanted firewall changes in your VMC environment.

2 comments

Leave a Reply

Your email address will not be published. Required fields are marked *