Aria Operations for Logs #1 vCenter Failed Logins
VMware Aria Operations for Logs (formerly VMware vRealize Log Insight) is a log storage and analysis product. With the related integrations, you can filter and visualise logs for analysis and receive notifications when an alarm triggers. In this article, we will create alarms and dashboards for failed login attempts to the web interface, using logs from vCenter.
Explore Logs – Query filtering
Firstly, in the Explore Logs menu, we filter the log records with the hostname value vcenter and the text Failed login. If you have more than one vCenter environment and want to receive location-based alarms, you can narrow your filters by hostname value and customise your notifications.
After creating the filters in this section, we can see the previous failed login attempts in the vCenter user interface under Events.
Alert Definitions – Creating Alert from Query
Now let's create an alarm definition for this filter. To do this, we use the red alarm button and switch to the alarm definition with Create Alert from Query...
In this section, we fill in the alarm name and description. Then we set the Trigger Condition of this alarm to Real Time. With this configuration, we will receive a notification via e-mail and Slack Webhook when the number of events is more than 1.
vCenter Web Access – Failed Login Count
Now, using the same filters for which we defined the alarm above, we add the total number of failed login entries to a dashboard with the Add query to Dashboard button. This gives us a view containing the total number of events, as below.
vCenter Web Access – Failed Logins by Source
As in the previous topic, we use the same filters, but this time we select these events as non-time series and group them by Source with Group By. By adding this filter to a new dashboard in the same way, you can see the login attempts to the vCenter web interface by Source and get a view like the one below on your dashboard.
The next article in this series, linked below, creates alarms and dashboards from log records of failed login attempts to vCenter via SSH.
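The filter, alert condition and Group By from the sections above, modelled as an added example (not code from this article or from the product) so the logic can be checked outside the UI. The events are constructed, and the field names hostname, source and text are assumptions for illustration, not the product's log schema.

```python
from collections import Counter

# Constructed sample events; field names and values are illustrative only.
EVENTS = [
    {"hostname": "vcenter-a.example.com", "source": "192.0.2.15",
     "text": "Failed login for user administrator"},
    {"hostname": "vcenter-a.example.com", "source": "192.0.2.15",
     "text": "Failed login for user root"},
    {"hostname": "vcenter-b.example.com", "source": "192.0.2.22",
     "text": "Failed login for user administrator"},
    {"hostname": "vcenter-a.example.com", "source": "192.0.2.15",
     "text": "Login succeeded for user administrator"},
    {"hostname": "esxi-01.example.com", "source": "192.0.2.15",
     "text": "Failed login for user root"},
]


def failed_logins(events, hostname_filter="vcenter", text_filter="Failed login"):
    """Apply the two Explore Logs filters: hostname and text.

    Matching is a case-insensitive substring test here (an assumption).
    Pass a narrower hostname_filter to model a location-based alarm.
    """
    host = hostname_filter.lower()
    text = text_filter.lower()
    return [e for e in events
            if host in e["hostname"].lower() and text in e["text"].lower()]


def alert_triggered(matches, threshold=1):
    """Alert condition from the article: number of events is more than 1."""
    return len(matches) > threshold


def by_source(matches):
    """Non-time-series view grouped by Source, busiest source first."""
    return Counter(e["source"] for e in matches).most_common()


if __name__ == "__main__":
    all_vcenters = failed_logins(EVENTS)
    print("total failed logins:", len(all_vcenters))
    print("alert:", alert_triggered(all_vcenters))
    for source, count in by_source(all_vcenters):
        print(f"{source}\t{count}")
    # Narrowed to one vCenter, as for a location-based alarm.
    only_b = failed_logins(EVENTS, hostname_filter="vcenter-b")
    print("vcenter-b alert:", alert_triggered(only_b))
```

Narrowing the hostname filter to a single vCenter lowers the event count that the alert condition sees, so a threshold that fires across all vCenters may stay silent for one site.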