Monthly Archives: February 2017
Runecast– Proactive performance for your VMware environment–Part 2 – Knowledge Base Articles, Best Practices, and Hardening Guidelines.
In part 1 of our Runecast review we took a look at just how quickly we can get Runecast installed and configured within our environment. We had a brief look at the Runecast dashboard which highlights any misconfigurations, un-applied Knowledge base articles, or non-compliant security settings. We saw that within just a few minutes we were reporting on all this information from within our environment, and comparing that to up-to-date lists of best practices and hardening guidelines. With KB’s, Best Practices, and Hardening Guidelines being at the heart of Runecast it’s best we take a more in-depth look at how we report on, manage, and resolve them within our environment. That is exactly what this final part of the review will focus on.
So with all that said let’s start diving deeper into our test environment to see if we can solve any problems! As we can see above, I currently have 38 issues that were already detected within my small little lab setup here, broken down into 5 critical, 19 major, and 14 medium. Clicking on either severity item within the dashboard display will take us directly to a filtered view of our issues list, or we can view all issues by selecting Issues List along the left hand navigational menu.
By default, our issues appear rolled up – to get more information in regards the Knowledge Base Article, Best Practice or Security setting we can click the ‘+’ icon next to our issue as shown above. As we can see here Runecast is reporting that we don’t have NTP configured on our ESXi host, falling under the Best Practice category. Certainly time is an important thing in the world of computing so I can see why they would flag this as a critical issue. We can also see after expanding the issue that we have a lot of other information available to us – a more descriptive issue of the problem, as well as ratings, impact, and a link to any reference material/knowledge base article, or security hardening guide to further explain or describe the issue and how to fix it. This is very handy to have. Right from within Runecast we can discover our issues and immediately jump into a document, user guide, or KB article outlining the problems and resolutions.
The ‘Findings’ tab within the expanded issue allows us to view the inventory objects within our environment that the issue applies to – in this case, both of our ESXi hosts. I should note here that we do not need to first click on an issue to view it’s associated objects – we can do this in the reverse direction as well by using the Inventory item on the left hand navigation – Inventory essentially gets us to the same place, but allows us to browse through our vCenter inventory, selecting a host, cluster, datastore, vm, etc and displaying just its’ associated issues. Either way we get to the same information though, just a couple of routes to get there.
Another useful tab on this screen is the ‘Note’ tab. As shown below we are able to input any notes or information that applies to this issue (or KB/Security setting for that matter) that we want. This can be extremely useful if we have multiple people working within the Runecast environment, or even just for documentation for yourself as to why you are making or not making a certain configuration change.
In order to clear issues within Runecast we have a couple of options – firstly, and probably the most preferred method is to simply fix your issue – I’ve since setup NTP on my hosts and no longer see this issue being reported. That said, as mentioned above their may be times when we have an issue present for a certain reason, especially dealing with the best practices category like the forged transmits setting above. For this, we can simply click the ‘Ignore’ link next to an issue, create an object filter as shown below, by giving it a name and selecting the objects it applies to.
After applying the filter the issue in question will no longer be reported in Runecast. We can edit or remove this filter at any time by selecting the ‘Filter’ tab from within Runecast’s settings in order to reset anything we may want to.
From within the ‘Configuration Analysis’ section we are able to to view our issues in a different fashion.
First up KBs discovered will show us all of the KBs that have been discovered that apply to our environment. It does this by parsing the VMware Knowledge Base and pulling down only those KBs which apply to the hardware and software versions we have running within our virtual infrastructure. As we can see below we still have the same options as we did within the Issue List screen – we have our link out to the actual VMware KB article, the article is also embedded into Runecast, and we can add notes and choose to ‘Ignore’ certain KBs that may not apply.
The ‘Best Practices’ and ‘Security Hardening’ take somewhat of a different approach as to how they are displayed. Since best practices and security settings are actual configurations that we can choose to make in our environment they are displayed in a simple Pass/Fail fashion – passing if we meet the criteria of the practice or security setting, and fail if we do not. This gives us the ability to quickly see thing such as “How many major items from the security guideline have we implemented” or “Have we applied all of the ‘critical’ best practices to our environment.
As we can see above we are getting a pass on our NTP settings, as we have already tackled them from the Issues screen. We are however receiving a fail in terms of Remote TSM, which is essentially having SSH enabled on our hosts. In my environments this is a known configuration setting, so I would most likely chose to create a filter to ignore this security setting.
The last section of Runecast I want to go over is the Log Analysis section. Within here we can see that we have another couple of screens we can access – KBs Discovered and Verbose dashboards. The KBs discovered section here deals solely with those KBs that specify certain patterns which are visible in the logs, such as with KB 2144934, where you can see below the “you see entries similar too…”
Nobody likes searching through log files – it’s a long and tedious task. In this situation, since we are already shipping our logs to Runecast why not let the analyzer go ahead and comb them for you. If it finds a pattern that applies to any specific KB article, it will be flagged here. This allows us to be quite pro-active in nature – alerting us of a KB issue that we may not even know we have.
As far as ‘Verbose Dashboards’ goes this allows us quickly get a grasp on all of the events occurring within our log files. Again, the task of combing through log files and greping out certain items such as SCSI Aborts on the command line can be daunting, not to mention very time consuming. Here, as shown below, we can do this directly from within the Runecast UI.
As you can see we have a lot of options to filter out the events within logs to get just the data we are looking for. For instance we can define we only want to see those logs entries flagged as an error and applying only to a certain ESX host. We can also define a time period of logs to parse – from predefined settings of the last 1/3/7/30 days to a custom period set up by us if we needed to audit a certain event at a certain time. This is a very useful feature to have within the UI. Since Runecast already has the log data in order to determine issues, why not give us a screen in order to analyze the raw data. I can see this being super useful in terms of things such as searching for certain logins during a specific time period – something that isn’t easy to do sitting within the cli of an ESXi hosts.
Runecast really has a very nice product here and brings a lot of information out of our environment and puts it front and center in a very easy, simple, UI. It’s so easy to setup as well – Simply deploy the ova, point it to our vCenter and right away we know how our environment stacks up in terms of best practices and security guidelines – as well as we have discovered any potential issues we may have, with all of the information on how to fix them. All of this, in about 5 minutes. Think about the flip-side of this, downloading best practices and the hardening guide and going through each line item one by one, looking up build numbers and then searching through mountains of VMware KB’s – not something I want to do. While other products providing some similar functionality such as vROPs and Log Insight may bring us more metrics, Runecast instead displays only what we need to see to properly troubleshoot our environment, keeping the UI clean and crisp and easy to use – aside from that, when compared to vROPs, Runecast doesn’t come with the install footprint, nor the price tag, and as far as I know is the only product on the market which parses and filters out VMware KBs for us. As far as development goes Runecast isn’t holding back, with a beta version set to be released soon we can see features such as multitenancy being added to the product – as well as a few more undisclosed features set to be released in Q1/Q2 of this year. Runecast comes with a fully featured, free 30 day trial but honestly the product gives you valuable information in the first 15 minutes – so 30 days is more than long enough to get your environment up to snuff. That said, in order to keep your environment running at it’s peak performance you will want to consult Runecast often as we all know how fast Best Practices and Security guidelines can change in our industry. Runecast automatically adjusts to these changes – ensuring your environment is ALWAYS compliant. The amount of time Runecast saves you is instantly recognized, and the fact that they are constantly connected to the VMware knowledge base and hardening guides means you are always “in the know” about how your environment is configured according the “preferred” way – even if your environment changes, or the “preferred” way changes! If you want to try out Runecast and what it has to offer for yourself you can do so by signing up for their 30 day trial! I guarantee you will find something in need of some attention in your environment!
Have you ever opened up the VMware Hardening Guide and checked your environment against every single item listed? How about combed through the VMware Knowledge Base looking for all KB articles that apply to the exact software builds and hardware you have? No? How about taken a list of industry best practices and ensured that you are indeed configured in the best possible way? Of course we haven’t – that would certainly take a lot of time and most organizations simply don’t have the resources to throw at those types of tasks. All that said what if I told you that there was a piece of software that could pretty much instantly tell you whether you are or are not compliant in those exact three scenarios? Interested yet? I thought you might be…
Before writing this review I’d never heard of Runecast, so first, a little bit about the company. Runecast was founded in 2014 in the quaint ol’ city of London in the UK. Their goal, to provide pro-active monitoring to our vSphere environments in order to save us time, prevent outages before they happen, ensure compliance at all times and simply make our environments more secure. Now there is only four things listed there – but they are four things that Runecast does really, really well. With that said, I could talk about how much I enjoyed doing this review forever, but it’s best just to jump right in and get monitoring…
As far as installation goes Runecast come bundled as a virtual appliance, so it’s just a matter of deploying the analyzer into our environment. To help you get started Runecast offers a 30 day full-featured free trial that you can try out! Configuration wise we really only have a couple of steps to perform; pointing the Runecast Analyzer at our vCenter Server and configuring our ESXi hosts to forward their logs. After deployment you should be brought to a screen similar to the one shown to the left. Simply follow the ‘Settings’ link and enter in your required vCenter Server information into Runecast as shown below.
Remember how we mentioned that configuration is divided into two steps. The first, connecting to our vCenter environment is now complete. The second, setting up the forwarding of logs is completely optional and can be completed at any time. We can still get valuable data from Runecast without having log forwarding set up, however in order to achieve a more holistic view of our environment we will continue to setup log forwarding.
There are many ways to setup our ESXi hosts to send their logs to Runecast. We can set them up manually, use some a PowerCLI script, or enter the Runecast Analyzer information into our Host Profile. The Runecast interface has the smarts to configure this for us as well. This review will follow the steps in order to setup log forwarding from within the Runecast Analyzer UI.
Selecting the “Status” section from the Log Analysis group, and then clicking on the ‘wrench’ icon will allow us to configure one or many of our hosts to send their log files to Runecast. This process provides the same results as if we were to go and set the syslog advanced setting directly on the hosts configuration. That said, utilizing Runecast for this seems like a much more automated and easier process. As you can see below, we also have the option to send our VM log files as well which is a good idea if you are looking for complete visibility into your virtualization stack.
As far as configuration goes we are now done! That’s it!. 2 simple steps and we are ready to start detecting problems within our environment. The process of going out and collecting data from our vCenter Server is called ‘Analyze’ within Runecast. Our analysis can be configured to occur via a schedule by navigating to the settings page (gear icon in top right) or can be run on-demand by clicking the ‘Analyze Now’ button from any screen within the application.
How long this process takes greatly depends on the size of your environment. My test environment, be it simple and small, only took a couple of minutes to gather the data. I’m sure this time would increase in a 32 host cluster with 1000 or so VMs though. That said, for the amount of data it gathers and the amount of comparisons going on behind the scenes Runecast does a very efficient job at processing everything.
Navigating back to the ‘Dashboard’ as shown below immediately let’s us start to explore the results of this analysis process. Almost instantaneously we can see many issues and best practices that can be applied within our environment. As you can see below I had a number of issues discovered – and I’ve only had Runecast up and running for less than 5 minutes.
Lets take a minute and dig a little into the data that is displayed on the ‘Dashboard’ screen. Mostly everything that Runecast monitors and does is rolled up here, giving us an at-a-glance view of everything you need to know. Let’s break down the items that we are seeing here…
Issues – The term “issue” within Runecast basically represents a detected problem in our infrastructure – this can come from any single or combined instance of configuration settings, log file analysis, or software and hardware versions. Although the source of discovering issues could be from configuration settings or log files, all issues belong to one of three categories within Runecast; Knowledge Base articles, Security Guidelines, or Best Practices, explained below…
KB’s – Runecast actively piles through the vast amounts of VMware Knowledge Base articles and displays to us any that may apply to our environment based on the hardware and software versions and configuration we are running.
Best Practices – All of our inventory objects and configuration items are routinely scanned to determine whether or not they meet any best practices related to VMware. This allows us to see if we simply Pass or Fail in terms having our environment running in it’s best possible configuration.
Security Compliance – Security Compliance takes all of the items within the official VMware Security Hardening guides and compares that to of the configuration of our infrastructure. At a glance we are able to see how we stack up against the recommended security practices provided by VMware.
It’s these four items; Issues, KB’s, Best Practices, and Security Compliance that are at the core of the Runecast analytical engine. Runecast automatically combs through all of these items and determines which ones apply to our environment, then reports back in a slick clean UI, allowing us to see whether we are in compliance or not! In the next part of our review we will go into each of these items in a lot more detail – explaining how to drill down, resolve, and exclude certain metrics from our dashboards. For now , I certainly recommend checking out Runecast for yourself – as you saw, it’s a simple install that can be up and running in your environment very quickly. So, while you wait for part 2 of the review head on over to the Runecast page and grab yourself a free 30 day trial to start reporting on your environment. I’m sure you will be surprised at all of the abnormalities and non-compliant configurations you find right off the hop – I know I was! Stay tuned for part 2.