VMware vSphere Express Scan

Overview of AutoMonitor VMware vSphere Express Scan

Overview

AutoMonitor allows users to quickly and effortlessly discover and import hosts into their Opsview Cloud environment. The new wizard-based functionality simplifies and automates the scanning and configuration steps providing a fast and reliable way of maintaining continuous monitoring of your changing Enterprise landscape.

VMware vSphere Express Scan provides a configuration wizard to guide you through and quickly discover VMware objects (ESXi Hosts, VMs, Datastores, Resources Pools) within a given vCenter or ESXi Host and automatically import them into Opsview Cloud.

VMware vSphere Express Scan

ESXi hosts discovered by the VMware Scan will be imported into the following Host group Structure:

  • Opsview > AutoMonitor > VMware vSphere Express Scan > {VMware server} - ESXi > {ESXi Hostname}

Virtual Machine guests discovered by the VMware Scan will be imported into the following Host group Structure:

  • Opsview > AutoMonitor > VMware vSphere Express Scan > {VMware server} - VMs > {Virtual Machine Hostname}

This scan will inspect discovered Hosts to allocate relevant Host Templates from the following list:

  • OS - VMware vSphere ESXi Host
  • OS - VMware vSphere ESXi Guest
  • OS - VMware vSphere ESXi Datastore
  • OS - VMware vSphere ESXi Resource Pool
  • OS - VMware vSphere vCenter

See more information about Host Templates within the OS - VMware vSphere Opspack

Pre-Requisites

In order to access the AutoMonitor Application and run a VMware Express Scan, the following permissions are required:

VMware vSphere Credentials:

Credentials forPrivilege NameDescription
vCenterGlobal > Act as vCenter Server- Allows Automonitor Scan to discovery ESXi Hosts, VMs, Datastores, Resource Pools and other VMware elements through vCenter
- Allows Opspacks to be informed of vMotion send and receive operations
ESXiRoot >
- Alarm
- Datacenter
- Datastore
- HealthUpdateProvider
- Performance
- System
- VirtualMachine
- Allows Automonitor Scan to discovery ESXi Hosts, VMs, Datastores, Resource Pools and other VMware elements through ESXi
- Allows relevant Host Templates to be allocated and Service Checks to retrieve metrics for the discovered resources

🚧

if the ESXi user to be used for monitoring is part of a role with lower privileges than root (e.g. read-only), it needs to be added to the SystemConfiguration.Administrators group.
If the VMware server account DOES NOT have the right permissions, VMware Scan will fail.

📘

Depending on your organisation structure, you may prefer to NOT give user permissions to CONFIGUREHOSTGROUPS and/or have access to the Opsview Host Groups. In this case, you need to create the Host Group Structure in advance ("Opsview > Automonitor > VMware Express Scan > Server - ESXi" and "Opsview > Automonitor > VMware Express Scan > Server - VMs") and provide access only to the Server - ESXi and Server - VMs Host Groups to the user(s) running a VMware AutoMonitor Scan.

Run a Scan

AutoMonitor VMware Express Scan feature is accessible from the Configuration > AutoMonitor menu. When selecting this option you will be presented with the following screen:

Select VMware to start with the AutoMonitor VMware Express configuration wizard

In the configuration wizard (VMware | Input your vCenter or ESXi credentials), as per the screen shown below, you need to enter the following information.

Your vCenter or ESXi Server: Hostname or IP address of your VMware vSphere Server. If you are using vCenter then this should be the name or address of the vCenter, otherwise, it should be the ESXi host.

Account name and Password: Admin credentials

When running a VMware Express Scan using vCenter credentials, the discovered and imported ESXi Hosts will use those credentials to run relevant Service checks. If your ESXi Hosts have different credentials, you will have to manually re-configure the default variable VSPHERE_ESXI_CREDENTIALS value (in Configuration > Variables) so the Service Checks can connect and retrieve metrics for ESXi Hosts, VMs, Datastores and Resource Pools.

When running a VMware Express Scan against either vCenter or ESXi host, AutoMonitor will try to ensure the correct global variables are set, to ensure Host checks and Service checks are green once Apply Changes has been completed after scanning. There may be occasions, like a specific case above, where checking the following Global Variable values after the scan has run would ensure Service checks are green:

  • VSPHERE_CERTIFICATES (more information below on host certificates)
  • VSPHERE_ESXI_CREDENTIALS
  • VSPHERE_VC_CREDENTIALS.

Once you have entered the relevant information for the required fields, the "Start Scan" button will be enabled for you to proceed when you are ready to start the scan.

If the credentials are invalid or fail to be authorised, the following error message will be displayed:

If the following Connection timed out - service did not respond message appears this indicates that something in the back-end failed to respond in a timely fashion. This may indicate that the back-end is overloaded or that there is a network outage. Alternatively, a Connection has timed out error indicates some other operational error has occurred during the authentication process.

Upon successful authorisation, the Scan starts by interrogating the server for a list of Virtual Machines (VMware guests) to scan. The Virtual Machines will only be scanned if they are running VMware Tools. Once the scan has started the progress bar will be displayed which indicates how many of the discovered Virtual Machines have been scanned:

As the scan is being carried out, it can be aborted by hovering over the 'Abort' button which displays a panel to confirm the aborting of the scan. Once the 'Yes' button is clicked, the form from the previous page is displayed and the scan is aborted. Note that if the scan is close to finishing then it may be completed before it can be aborted.

If an unrecoverable error occurs during the scan, the following error page will be displayed:

A connection timed out message indicates that something in the back-end failed to respond in a timely fashion. This may indicate that the back-end is overloaded or that there is a network outage. Alternatively, a Sorry there was an error that we can't identify message indicates that some other error occurred during scanning. This may indicate a system outage or configuration problem. Scans will recover from short Datastore (i.e. CouchDB) outages. However, if an outage lasts longer than one hour the scan will time out with and show this error message.

If such errors occur, you can click Try again to restart the scan. You can also view the log to understand what the problem could be, for example, you might see access denied when creating Host Group or importing Host, in which case, check you have sufficient permissions to either create or write to the desired Host Group.

When the scan completes the following screen will be displayed:

At this point, you can click on Apply changes to trigger a system reload and start monitoring the scanned hosts. Clicking on "New` will allow you to start another scan. Hosts that have already been imported will be disregarded and will NOT be re-imported by later scans:

Clicking View log will display a detailed list of the steps completed by the scan:

If the scan fails for some reason, View log is a good way to help diagnose the problem.

Once the scan has finished, you can see the pending hosts by clicking the Host Settings link. It is worth noting at this point you may wish to check the host configurations to ensure the details are correct, as although AutoMonitor tries its best to fill them in correctly, you may have a case where the credentials used for scanning are NOT the same credentials that are required by the service check.

Host Certificates

The AutoMonitor scan does not use certificates for host checking. However several of the service checks do use certificates for host identification checks. You have two options:

  • If you have already uploaded certificates, you can configure the VSPHERE_CERTIFICATES variable with the location and names of uploaded certificates. The service checks will then pick up the value of this variable. (Running a VMware vSphere scan will not override this variable if it has already been set.)
  • Secondly, you could upload your certificates to the location below, because if the scan used SSL for authentication (highly likely) the AutoMonitor configures the VSPHERE_CERTIFICATES host variable to use the following filename for the Certificate Authority PEM file: /opt/opsview/monitoringscripts/etc/certs/<VMware server>
  • The Certificate Authority and/or host certificates for the imported hosts can be placed in this folder and should be owned by user root, group opsview and mode 0440.

📘

Note: In a clustered environment (multiple clusters/collectors) these certificates need to be uploaded to the Master Monitoring Server and ALL collectors. The easiest way to do this is to upload the certificates, on the Master Monitoring Server in the location mentioned above, and then use the sync_monitoringscripts playbook to copy to the collectors.

If you want to manage certificates in a sub-folder of /opt/opsview/monitoringscripts/etc/certs on the Master Monitoring Server, first update the VSPHERE_CERTIFICATES host variable paths, then run sync_monitoringscripts playbook.

Variables

  • When running a VMware Express Scan using vCenter credentials, the discovered and imported hosts will use those credentials to run relevant Service checks. All vCenter service checks will run using these credentials. For ESXi (non-vCenter) service checks to work correctly, populate the VSPHERE_ESXI_CREDENTIALS global variable manually (in Configuration > Variables), before or after running the scan. If some hosts require a different set of credentials, the VSPHERE_ESXI_CREDENTIALS variable can be set at the host level where needed to override the global variable, after the hosts have been imported.
  • When running a VMware Express Scan using ESXi credentials, the global VSPHERE_ESXI_CREDENTIALS variable does not need to be set, as each discovered and imported host will be populated with the relevant credentials variable.

Considerations

  • We recommend running a scan against VMware vCenter if you have one, it's the quickest and easiest way to import your VMware estate and get monitoring up and running.
  • AutoMonitor VMware Express Scan now supports running on Master Monitoring Server or one of the Clusters. The cluster on which the scan is run is selected by an algorithm that probes the connectivity to the vCenter or ESXi server being scanned and selects the Cluster that has the best connection. Once selected, the imported hosts are then monitored by the cluster that discovered them.
  • If you have run a vCenter scan, the imported VMware vCenter server host and ESXi hosts will have "TCP port 443 (HTTP/SSL)" host check set by default. If you have disabled this on your specific VMware vSphere instance then you will need to manually modify the Host Check to a relevant one.
  • If you have run an ESXi scan, the ESXi hosts will have "TCP port 443 (HTTP/SSL)" host check set by default. If you have disabled this on your specific VMware vSphere instance then you will need to manually modify the Host Check to a relevant one. If the scan has discovered a vCenter VM on that ESXi host, that VM will be treated as a guest VM, and default host check will be "ping".

Troubleshooting

  • After importing Hosts from a VMware Express Scan using vCenter credentials, some service checks may report UNKNOWN state due to a missing password variable. To resolve this issue, the VSPHERE_ESXI_CREDENTIALS variable must be populated correctly at either the global variable level (in Configuration > Variables), or on the specific host with the UNKNOWN check.