Comprehensive hypervisor monitoring with EventLog Analyzer

Hypervisors are critical components in virtualized environments: they create and manage the virtual machines (VMs) that run across multiple servers, so a compromised or misconfigured hypervisor exposes every guest it hosts. ManageEngine EventLog Analyzer, a log management solution, collects and analyzes hypervisor logs so that configuration changes, access events, and potential threats are visible and auditable.

This guide explores the hypervisor monitoring and security use cases covered by EventLog Analyzer. Before working through them, make sure that your vCenter, ESXi, or Hyper-V hosts are configured to forward their logs to EventLog Analyzer and that the corresponding log sources are added in the EventLog Analyzer console; none of the reports below can populate until that forwarding is in place.

Performance and health monitoring use cases

EventLog Analyzer offers extensive support for vCenter, ESXi, and Hyper-V hypervisor auditing, delivering security and performance insights through predefined reports. These reports can be scheduled to generate at specified intervals and distributed via email to keep you informed of your hypervisor environment's status.

Each entry below lists the use case, what the reports track, why it is worth implementing, and the reports available in EventLog Analyzer.

Hypervisor: vCenter

Use case: Enhancing cluster configuration integrity
Description: Tracks key cluster management events in vCenter, including the creation, deletion, reconfiguration, and renaming of clusters.
Why implement it? Improves visibility into cluster activity for configuration management, troubleshooting, and compliance monitoring.
Available reports:
  • Cluster Created
  • Cluster Destroyed
  • Cluster Reconfigured
  • Cluster Renamed

Use case: Security monitoring of data center configuration changes
Description: Records when a data center is created, renamed, or deleted, so that every significant change to the data center inventory is logged and traceable.
Why implement it? Gives visibility into critical data center changes and supports security and compliance efforts.
Available reports:
  • Datacenter Created
  • Datacenter Renamed
  • Datacenter Destroyed

Use case: Detecting unauthorized changes to vCenter folders
Description: The folder change events in vCenter track changes to the folder structure and inventory organization, capturing details such as object names, the acting user, and timestamps for the creation, deletion, and renaming of folders and for inventory objects moved between folders.
Why implement it? Improves visibility, creates an audit trail, and supports compliance and troubleshooting by documenting every change.
Available reports:
  • Folder Created
  • Folder Deleted
  • Folder Renamed
  • Inventory Objects moved into a Folder

Use case: Detecting unauthorized permission changes in vCenter
Description: The Permission Created, Permission Removed, and Permission Updated events track modifications to user access within the environment and give a clear audit trail of access changes.
Why implement it? Detects unauthorized permission changes, supports regulatory compliance, and helps maintain proper access control. A permission change that does not correspond to an approved change request should be investigated.
Available reports:
  • Permission Created
  • Permission Removed
  • Permission Updated

Use case: Monitoring resource pool changes
Description: Records when a resource pool is created, removed, moved, or reconfigured. Resource pools allocate CPU and memory among VMs, so these events cover their full life cycle.
Why implement it? Supports resource management and compliance, and surfaces misconfigurations early so that they can be resolved before they affect system stability.
Available reports:
  • Resourcepool Created
  • Resourcepool Destroyed
  • Resourcepool Moved
  • Resourcepool Reconfigured

Use case: Monitoring role changes in vCenter for permission integrity
Description: The Role Added, Role Removed, and Role Updated events track changes to vCenter roles, including role assignments, removals, and updates, and log details such as role names, affected users, and timestamps.
Why implement it? Essential for maintaining proper access control, security, compliance, and accountability; because roles define what privileges a user holds, an unexpected role change is an early indicator of privilege escalation.
Available reports:
  • Role Added
  • Role Removed
  • Role Updated

Use case: Detecting unauthorized VM configuration changes
Description: Tracks key VM events in vCenter: creation, deployment, removal, renaming, reconfiguration, relocation, and power state changes.
Why implement it? Provides real-time visibility, helps detect unauthorized changes, and supports compliance, troubleshooting, and security through detailed logs and alerts.
Available reports:
  • VM Created
  • VM Deployed
  • VM Removed
  • VM Renamed
  • VM Reconfigured
  • VM Relocated
  • VM Power State Changes

Use case: Detecting unauthorized device changes in vCenter
Description: Monitors device additions and failed additions, IP changes, shutdowns, removals, and devices powered down to standby, and provides an overview of device connections.
Why implement it? Captures detailed logs of device status and changes so that administrators can address issues quickly, verify compliance with security policies, and manage resources effectively.
Available reports:
  • Device Added
  • Device Add Failed
  • Device IP Changed
  • Device Connection Overview
  • Device Shutdown
  • Device Removed
  • Devices Powered down to Standby

Use case: User activity in vCenter
Description: The logon/logoff reports for vCenter track user logon, logoff, and failed logon events, with details such as user IDs and timestamps.
Why implement it? Helps detect unauthorized access, manage sessions, support regulatory compliance, and provide the session history needed for incident response.
Available reports:
  • Logons
  • Logoff
  • Failed Logons
Hypervisor: ESXi

Use case: Monitoring hypervisor events
Description: Tracks critical events related to ESXi hosts and the VMs they run.
Why implement it? Ensures thorough monitoring, early issue detection, and improved security in virtualized environments.
Available reports:
  • All Events
  • Important Events

Use case: Monitoring logons/logoffs in VMware environments
Description: The VMware logon/logoff reports cover all types of logon and logoff activity on ESXi hosts: user, super user (SU), SSH, and FTP/SFTP logons, failed attempts, and logoffs, with summaries by user and by remote device.
Why implement it? Enhances security, supports compliance, aids troubleshooting, and shows user access patterns; the "top failure" reports are the quickest way to spot a remote device that is guessing passwords against a host.
Available reports:
  • User Logons
  • SU Logons
  • SSH logons
  • FTP/SFTP Logons
  • Logons Overview
  • Top logons based on users
  • Top logons based on remote devices
  • User Failed Logons
  • SU Failed Logons
  • Failed SSH Logons
  • FTP/SFTP Failed Logons
  • Failed Logons Overview
  • Top failure logons based on users
  • Top Failure Logons based on Remote Devices
  • User Logoff
  • SU Logoff
  • SSH Logoff
  • FTP/SFTP Logoff
  • Logoff

Use case: Monitoring user account management operations
Description: Tracks user and group changes, password events, syslog status, and host health (low disk space, shutdown) on ESXi hosts.
Why implement it? Provides real-time insight into account changes and host issues. The Syslog Stopped report deserves an alert of its own: when syslog stops, the host also stops forwarding the logs that every other report here depends on.
Available reports:
  • Users Added
  • Users Deleted
  • Users Renamed
  • Group Added
  • Group Deleted
  • Group Modified
  • Password Changes
  • Password Changes Failed
  • Failed user additions
  • Syslog Stopped
  • Syslog Restarted
  • Low Diskspace
  • System ShutDown
Hypervisor: Hyper-V

Use case: Monitoring VM activity for security
Description: The VM event reports monitor key VM activities, including guest logins, VM creation and deletion, state changes, and other significant VM modifications.
Why implement it? Tracking VM events supports access control, resource management, and compliance.
Available reports:
  • Guest Login on VM
  • VM Created
  • VM Deleted
  • VM State Changes
  • Top VM Changes
  • VM Events Overview

Use case: Hyper-V server configuration changes and failures
Description: The Hyper-V server event reports monitor partition and virtual switch management, including creation, deletion, and failures, as well as Hyper-V start events and failed launches.
Why implement it? Detailed records of these activities help track changes, detect issues early, support proactive resolution, and satisfy compliance requirements.
Available reports:
  • Partitions Created
  • Partitions Deleted
  • Failed Partition Creations
  • Hyper-V Start Events
  • Failed Hyper-V Launch
  • Hyper-V Switch Creations
  • Hyper-V Switch Deletions

Use case: Monitoring Hyper-V VM management
Description: Monitors the Hyper-V VM management service (start, failed start, shutdown), VM creation and deletion, failed creations, imports and exports, disk space exhaustion, and failed worker operations.
Why implement it? Gives early warning of service failures and VM operation errors so that they can be resolved quickly, maintaining the reliability and performance of the virtual environment.
Available reports:
  • VM Management Service Started
  • Failed Starts of VM Management Service
  • VM Management Service ShutDown
  • VM Creation
  • VM Deletion
  • Failed VM Creations
  • Failed VM Imports
  • Failed VM Exports
  • Hyper-V Disk Out of Space
  • Failed Hyper-V Worker Operation
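
To make the ESXi logon/logoff reports concrete, the following added example (my own code, not part of EventLog Analyzer or this page) classifies ESXi authentication syslog lines into the report categories named above and computes the "Top failure logons based on users" and "based on Remote Devices" aggregates, plus one check the plain counts do not show: a successful logon from a remote device that had already produced several failures. The sample lines are constructed to approximate ESXi auth.log and hostd.log output as forwarded over syslog; the exact field layout, process names, and `sub=` tags are assumptions, so adjust the regexes to your hosts' actual output.

```python
"""Classify ESXi authentication syslog lines into the logon/logoff report
categories and build the "top failure logons" aggregates.

Added example, not EventLog Analyzer's own code. The sample lines are
constructed to approximate ESXi auth.log / hostd.log output; the field
layout is an assumption and the regexes must be adapted to real hosts.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the assumed layout "<timestamp> <host> <process>[<pid>]: <message>".
SAMPLE_LINES = [
    "2024-05-02T10:15:31Z esx01 sshd[2100457]: Failed password for root from 192.168.1.10 port 54112 ssh2",
    "2024-05-02T10:15:34Z esx01 sshd[2100457]: Failed password for root from 192.168.1.10 port 54113 ssh2",
    "2024-05-02T10:15:37Z esx01 sshd[2100459]: Failed password for invalid user admin from 192.168.1.10 port 54114 ssh2",
    "2024-05-02T10:15:40Z esx01 sshd[2100460]: Accepted keyboard-interactive/pam for root from 192.168.1.10 port 54115 ssh2",
    "2024-05-02T10:16:02Z esx01 hostd[2097891]: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 12 : User root@10.0.0.7 logged in as VMware-client/7.0.3",
    "2024-05-02T10:16:10Z esx01 hostd[2097891]: [Originator@6876 sub=Vimsvc.HaSessionManager] Rejected password for user operator from 10.0.0.9",
    "2024-05-02T10:16:12Z esx01 hostd[2097891]: [Originator@6876 sub=Vimsvc.HaSessionManager] Rejected password for user operator from 10.0.0.9",
    "2024-05-02T10:17:00Z esx01 hostd[2097891]: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 13 : User root@10.0.0.7 logged out (login time: Thu May  2 10:16:02 2024, number of API invocations: 14, user agent: VMware-client/7.0.3)",
    "2024-05-02T10:17:05Z esx01 vmkernel: cpu3:2097152)NMP: nmp_ThrottleLogForDevice:3802: last error status from device naa.600a098038304 repeated 3 times",
]

SYSLOG_HEAD = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.+)$")

# (report category from this page, outcome, pattern over the message part).
# Order matters only in that the first matching rule wins.
RULES = [
    ("Failed SSH Logons", "failure",
     re.compile(r"^sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<remote>\S+)")),
    ("SSH logons", "success",
     re.compile(r"^sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<remote>\S+)")),
    ("User Failed Logons", "failure",
     re.compile(r"^hostd\[\d+\]: .*Rejected password for user (?P<user>\S+) from (?P<remote>\S+)")),
    ("User Logons", "success",
     re.compile(r"^hostd\[\d+\]: .*User (?P<user>[^@\s]+)@(?P<remote>\S+) logged in\b")),
    ("User Logoff", "logoff",
     re.compile(r"^hostd\[\d+\]: .*User (?P<user>[^@\s]+)@(?P<remote>\S+) logged out\b")),
]


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    category: str   # report name as used on this page
    outcome: str    # "success", "failure" or "logoff"
    user: str
    remote: str     # remote device (source IP) of the logon attempt


def parse_line(line):
    """Return an AuthEvent for a recognised auth line, None for anything else."""
    head = SYSLOG_HEAD.match(line)
    if not head:
        return None
    msg = head["msg"]
    for category, outcome, pattern in RULES:
        m = pattern.match(msg)
        if m:
            return AuthEvent(head["ts"], head["host"], category, outcome, m["user"], m["remote"])
    return None          # e.g. vmkernel storage noise: not an auth event


def classify(lines):
    return [ev for ev in map(parse_line, lines) if ev is not None]


def report_counts(events):
    """Per-report event counts (the 'Logons Overview' / 'Failed Logons Overview' view)."""
    return Counter(ev.category for ev in events)


def top_failures(events, by="remote", n=5):
    """'Top failure logons based on users' (by='user') or 'Remote Devices' (by='remote')."""
    return Counter(getattr(ev, by) for ev in events if ev.outcome == "failure").most_common(n)


def successes_after_failures(events, min_failures=2):
    """Flag a successful logon from a remote device that already produced
    min_failures or more failures: the trace a brute-force or password-spray
    success leaves, which a failure count alone does not reveal."""
    failures = Counter()
    hits = []
    for ev in events:                      # events are in log order
        if ev.outcome == "failure":
            failures[ev.remote] += 1
        elif ev.outcome == "success" and failures[ev.remote] >= min_failures:
            hits.append((ev.remote, ev.user, failures[ev.remote]))
    return hits


if __name__ == "__main__":
    evs = classify(SAMPLE_LINES)
    print(report_counts(evs))
    print("top failures by user:", top_failures(evs, "user"))
    print("top failures by remote device:", top_failures(evs, "remote"))
    print("success after repeated failures:", successes_after_failures(evs))
```

The third function is the one worth alerting on: the first remote device in the sample fails three times and then gets in as root, which looks like a normal "SSH logons" entry unless the preceding failures from the same source are correlated with it.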

Compliance use cases

Hypervisors, as the foundation of virtualized environments, play a crucial role in ensuring data security and integrity. Many regulatory mandates require organizations to implement robust monitoring solutions for hypervisors to track access, modifications, and potential vulnerabilities. EventLog Analyzer can be a valuable tool in meeting these compliance requirements for hypervisor monitoring.

Compliance requirements: Solution mapping
Each row maps a group of EventLog Analyzer reports and alerts to the regulations and requirements it supports.

Reports and alerts: Windows Logon Reports
  • Windows Successful User Logons
  • Network Logon
  • Windows Successful User Logoffs
  • Network Logoff
  • Windows UnSuccessful User Logons
  • Failed Network Logons
Hypervisor logon reports:
  • Logons
  • Logoff
  • Failed Logons
Regulations and requirements:
  • FISMA: Access Control (AC)
  • PCI-DSS: requirements 10.1, 10.2.1, 10.2.2, 10.2.3
  • SOX: SEC 302 (a) (4) (C)
  • HIPAA: 164.308 (a) (5) (ii) (C); 164.308 (a) (6) (ii)
  • GLBA: Section 501B (2) & (3)
  • ISO 27001:2013: Control A 12.4.3
  • GPG: Recording Relating to Network Connections (PMC Rule 6)
  • GDPR: Article 5 (1B); Article 5 (1F)
  • ISLP: Article 16.3
  • NRC: ACT B.1.3, B.1.7, B.1.11, B.1.15, B.3.11, C.4.3, C.11.4
  • NERC: CIP 007-6 R4.1, R4.2, R5.7
  • PDPA: Rule VI Section 25; Rule VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • POPIA: Chapter 2 Section 4; Chapter 3 Section 19 (1) (a); Chapter 3 Section 19 (2) (a)
  • QCF: 5.2.2 Network Access Control Management Service
  • TISAX: 5.2.4
  • ECC: 2-2 Identity and Access Management; 2-8 Cryptography; 2-12 Cybersecurity Event Logs and Monitoring Management
  • PDPL: Article 19 Information Security; Article 21 Controls and Procedures for Dealing with Credit Data
Reports and alerts: Unix Logon Reports
  • User Logons
  • User Logoffs
  • Unix UnSuccessful User Logons
Hypervisor logon reports:
  • Logons
  • Logoff
Regulations and requirements:
  • FISMA: Access Control (AC)
  • PCI-DSS: requirements 10.1, 10.2.1, 10.2.2, 10.2.3
  • HIPAA: 164.308 (a) (5) (ii) (C); 164.308 (a) (6) (ii)
  • SOX: SEC 302 (a) (4) (C)
  • GLBA: Section 501B (2) & (3)
  • ISO 27001:2013: Control A 12.4.3
  • GPG: Recording Relating to Network Connections (PMC Rule 6)
  • GDPR: Article 5 (1B); Article 5 (1F)
  • ISLP: Article 16.3; Article 30.6
  • NRC: ACT B.1.3, B.1.7, B.1.11, B.1.15, B.3.11, C.4.3
  • COCO: 2. Authentication and Access Control
  • NERC: CIP 007-6 R4.1, R4.2, R5.7
  • PDPA: Rule VI Section 25; Rule VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • POPIA: Chapter 2 Section 4; Chapter 3 Section 19 (1) (a); Chapter 3 Section 19 (2) (a)
  • QCF: 5.2.2 Network Access Control Management Service; 6.8.2 Data in use
  • TISAX: 4.2.1; 5.2.4
  • ECC: 2-8 Cryptography; 2-12 Cybersecurity Event Logs and Monitoring Management
  • PDPL: Article 19 Information Security; Article 21 Controls and Procedures for Dealing with Credit Data
Reports and alerts: File Changes
  • File Created
  • File Modified
  • File Deleted
  • File Renamed
  • File Permission Changes
Hypervisor permission reports:
  • Permission Created
  • Permission Removed
Regulations and requirements:
  • FISMA: Audit and Accountability
  • PCI-DSS: requirements 10.1, 10.2.3, 10.2.7
  • SOX: SEC 302 (a) (5) (A)
  • HIPAA: 164.308 (a) (1) (ii) (D)
  • ISO 27001:2013: Control A 12.4.1; Control A 12.4.2
  • GDPR: Article 5 (1B); Article 5 (1F); Article 32 (1D)
  • ISLP: Article 12; Article 13; Article 19.3; Article 20.5; Article 30.4; Article 30.6
  • NRC: ACT B.1.6, B.1.22, B.2.6, C.3.7, C.4.3
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • PDPA: Rule VI Section 25; Rule VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • POPIA: Chapter 3 Section 20 (1) (b)
  • QCF: 4.2 Application Security Service; 6.8.3 Data at rest
  • TISAX: 5.2.4
  • CJDN: Application Development
  • UAE-NESA: T3.2.3; T7.5.1; T7.6.1
  • SOC 2: 7.2.02; 8.1.14; C1.1.02