Vmware Audit
-
@Jason said in Vmware Audit:
Not sure yet, but they want a lot of stuff and we have thousands of Vmware servers. It's due within 7 days.
I just now noticed this part "Due in 7 days"
That seems like a very short turn around, are they sending an auditor on site or providing you with any guidance on pulling all of this information together?
-
@DustinB3403 said in Vmware Audit:
@Jason said in Vmware Audit:
Not sure yet, but they want a lot of stuff and we have thousands of Vmware servers. It's due within 7 days.
I just now noticed this part "Due in 7 days"
That seems like a very short turn around, are they sending an auditor on site or providing you with any guidance on pulling all of this information together?
From the sounds of it, the EULA suggested that the information should always be ready, not something to be pulled together.
-
Which means one should expect to be audited at any time from VMWare within a 12 month span?
That seems like yet another reason to not use VMWare....
-
@DustinB3403 said in Vmware Audit:
Which means one should expect to be audited at any time from VMWare within a 12 month span?
That seems like yet another reason to not use VMWare....
It's a general risk with proprietary software. It's not universal, but it is common. Anyone in the BSA group can audit you if you run any software from any one. Let any of it in the door and you are "EULA compromised."
-
Ya we are a full RHEL shop also. Both workstations and servers. We have a few things running CentOS and Debian, but they were "appliances" so they are just left alone.
-
Even if you don't need the support, buying RHEL gives you a voice into features and stuff and helps to fund continuing development of the product.
-
I've definitely been at customers large enough that when I said I needed a package from the EPEL to be fully supported they were like "we can do that."
-
How is this audit going? I believe you have 2 days left if I recall correctly from this conversation.
-
@DustinB3403 said in Vmware Audit:
How is this audit going? I believe you have 2 days left if I recall correctly from this conversation.
We don't know.. Audit's don't work like that you don't get updates/progress reports. You send the information then wait for months to hear back..
-
@Jason Sorry I was more referring to your progress on gathering of data to send to the auditors.
Not the actual progress of the audit response team.
-
Wow that really sucks. This will be one to remember for any future VMware discussions!
-
Luckily the log files from all the Vshpehere hosts will cover us. We have to give them the past 2 years of logs. The store in vcenter. And we had to get to decommissioned ones powered on to get the logs off of them. Now watch vmware try to say we needed licesnses for the decomed ones since we didn't uninstall vsphere just had them unracked and stacked in storage.
-
@Jason said in Vmware Audit:
Luckily the log files from all the Vshpehere hosts will cover us. We have to give them the past 2 years of logs. The store in vcenter. And we had to get to decommissioned ones powered on to get the logs off of them. Now watch vmware try to say we needed licesnses for the decomed ones since we didn't uninstall vsphere just had them unracked and stacked in storage.
YOu need a "log license."
-
-
You likely are under an EA if your getting audited by VMware. A lot of these operate on true up's (IE you commit to xxx, but can install up to yyy and at the end of the period you do an audit and adjust up/down). EA's fundamentally can include anything that is legal (I've seen some crazy EA's based on customer's need for wanting to pay per socket per day etc).
-
ALL of the data your asking about is tracked in the ESXi logs. If you just install LogInsight (Free for hosts now) it will track all of this information and retain it for you. There's even a handy dashboard you can request that will track vMotions, VM execution location to help with Oracle compliance if you have issues with them....
-
This is normal in enterprise when under an EA, and VMware (to my knowledge) has never sued anyone or taken the intense legal approach your used to hearing from Microsoft. Audits are multi-factored in that they can also make sure you are using what you pay for (and paying for what you use).
-
If you are not comfortable paying for what you use, and complying with licensing you REALLY need to move to BSD (not Linux, as the GPL requires compliance with specific requirements).
-
-
@John-Nicholson said in Vmware Audit:
- ALL of the data your asking about is tracked in the ESXi logs.
Not as he described it. Maybe what is actually required, but not as described. ESXi logs cannot track decoms, for example. And it isn't clear if the requirements are only VMware or other stuff as well.
-
@scottalanmiller The vCenter log will track decoms of VM's and hosts.
VMware doesn't enforce about licensing for non-VMware products (I'm not even sure if they are in the BSA, I think Microsoft dropped out and that group is largely CAD software stuff these days). -
@John-Nicholson said in Vmware Audit:
@scottalanmiller The vCenter log will track decoms of VM's and hosts.
VMware doesn't enforce about licensing for non-VMware products (I'm not even sure if they are in the BSA, I think Microsoft dropped out and that group is largely CAD software stuff these days)."Doesn't enforce licensing" is unrelated to "requires it in an audit", however. The concern that is raised here isn't what licensing is enforced, but how much it costs to perform an audit.
-
@scottalanmiller These audits generally involve filling out a spreadsheet according to best effort, and dumping the logs in the event an auditor really wants to validate something (often times they have scripts or 3rd parties tools for this stuff).
I've read several EA's over the years and never seen this language. This sounds like a lot of hand waving over a misunderstanding...
-
@John-Nicholson said in Vmware Audit:
I've read several EA's over the years and never seen this language. This sounds like a lot of hand waving over a misunderstanding...
Possibly. But VMware should make their audit requirements public if they want to have people know what they are. Keeping them secret means that companies claiming onerous audit requirements get nothing but tacit agreement from VMware. If there really are such limits, VMware should jump in and officially state so and relieve this company of believing that they have essentially impossible requirements to meet.
-
@John-Nicholson said in Vmware Audit:
I've read several EA's over the years and never seen this language.
here is the thing... if EA's are standard, there should be no problem having the language of the audit be public. If they are not standard, then having seen many of them doesn't tell us anything.