Vmware Audit
-
Luckily the log files from all the Vshpehere hosts will cover us. We have to give them the past 2 years of logs. The store in vcenter. And we had to get to decommissioned ones powered on to get the logs off of them. Now watch vmware try to say we needed licesnses for the decomed ones since we didn't uninstall vsphere just had them unracked and stacked in storage.
-
@Jason said in Vmware Audit:
Luckily the log files from all the Vshpehere hosts will cover us. We have to give them the past 2 years of logs. The store in vcenter. And we had to get to decommissioned ones powered on to get the logs off of them. Now watch vmware try to say we needed licesnses for the decomed ones since we didn't uninstall vsphere just had them unracked and stacked in storage.
YOu need a "log license."
-
-
You likely are under an EA if your getting audited by VMware. A lot of these operate on true up's (IE you commit to xxx, but can install up to yyy and at the end of the period you do an audit and adjust up/down). EA's fundamentally can include anything that is legal (I've seen some crazy EA's based on customer's need for wanting to pay per socket per day etc).
-
ALL of the data your asking about is tracked in the ESXi logs. If you just install LogInsight (Free for hosts now) it will track all of this information and retain it for you. There's even a handy dashboard you can request that will track vMotions, VM execution location to help with Oracle compliance if you have issues with them....
-
This is normal in enterprise when under an EA, and VMware (to my knowledge) has never sued anyone or taken the intense legal approach your used to hearing from Microsoft. Audits are multi-factored in that they can also make sure you are using what you pay for (and paying for what you use).
-
If you are not comfortable paying for what you use, and complying with licensing you REALLY need to move to BSD (not Linux, as the GPL requires compliance with specific requirements).
-
-
@John-Nicholson said in Vmware Audit:
- ALL of the data your asking about is tracked in the ESXi logs.
Not as he described it. Maybe what is actually required, but not as described. ESXi logs cannot track decoms, for example. And it isn't clear if the requirements are only VMware or other stuff as well.
-
@scottalanmiller The vCenter log will track decoms of VM's and hosts.
VMware doesn't enforce about licensing for non-VMware products (I'm not even sure if they are in the BSA, I think Microsoft dropped out and that group is largely CAD software stuff these days). -
@John-Nicholson said in Vmware Audit:
@scottalanmiller The vCenter log will track decoms of VM's and hosts.
VMware doesn't enforce about licensing for non-VMware products (I'm not even sure if they are in the BSA, I think Microsoft dropped out and that group is largely CAD software stuff these days)."Doesn't enforce licensing" is unrelated to "requires it in an audit", however. The concern that is raised here isn't what licensing is enforced, but how much it costs to perform an audit.
-
@scottalanmiller These audits generally involve filling out a spreadsheet according to best effort, and dumping the logs in the event an auditor really wants to validate something (often times they have scripts or 3rd parties tools for this stuff).
I've read several EA's over the years and never seen this language. This sounds like a lot of hand waving over a misunderstanding...
-
@John-Nicholson said in Vmware Audit:
I've read several EA's over the years and never seen this language. This sounds like a lot of hand waving over a misunderstanding...
Possibly. But VMware should make their audit requirements public if they want to have people know what they are. Keeping them secret means that companies claiming onerous audit requirements get nothing but tacit agreement from VMware. If there really are such limits, VMware should jump in and officially state so and relieve this company of believing that they have essentially impossible requirements to meet.
-
@John-Nicholson said in Vmware Audit:
I've read several EA's over the years and never seen this language.
here is the thing... if EA's are standard, there should be no problem having the language of the audit be public. If they are not standard, then having seen many of them doesn't tell us anything.
-
So here is the real question at the end...
How do we, at the end of the day, know how VMware is going to hold us to audits? The cost of the legal team alone to verify the requirements would cost more than the product itself in the SMB space. If you are an enterprise, you will have the legal team for this. But even then, so much of auditing is "knowing how the vendor is going to behave" which gets really tough always depending on "well they aren't normally unreasonable." Often it isn't the vendor but random third party auditors.
-
@Jason said in Vmware Audit:
Not sure yet, but they want a lot of stuff and we have thousands of Vmware servers. It's due within 7 days.
TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.
-
@thwr said in Vmware Audit:
@Jason said in Vmware Audit:
Not sure yet, but they want a lot of stuff and we have thousands of Vmware servers. It's due within 7 days.
TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.
Auditors don't care, they aren't paid through sales. They only make money, if they are paid that way, through penalties.
-
@scottalanmiller said in Vmware Audit:
@thwr said in Vmware Audit:
@Jason said in Vmware Audit:
Not sure yet, but they want a lot of stuff and we have thousands of Vmware servers. It's due within 7 days.
TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.
Auditors don't care, they aren't paid through sales. They only make money, if they are paid that way, through penalties.
Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?
Seven days is a joke, no matter the size. In case of being such a big customer, I would expect the audit to be announced at least a few months in advance and that the auditor will bring donuts and coffee. Sorry, this is driving me mad.
-
What would be great (for us to better understand this) is if @Jason could post an copy of the Audit forms that he's been given. Even if he excluded the details of the audit firm / his employer.
-
@thwr said in Vmware Audit:
Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?
Often, at least with MS, they use external audit firms who are so far removed from wanting the customer to be happy that there is almost no way that things will go well. No idea how VMware does it.
-
@scottalanmiller said in Vmware Audit:
@thwr said in Vmware Audit:
Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?
Often, at least with MS, they use external audit firms who are so far removed from wanting the customer to be happy that there is almost no way that things will go well. No idea how VMware does it.
I know, and that's the problem. Anyway, there's a company selling something, there's a customer who spends a reasonable amount of money and I would do virtually anything to keep that customer happy. It's not just about the money, but also about reputation.
-
You would think. But it's a major reason why I've moved us to zero Windows servers. If you have a lot, whatever. If you get down to like just one, the audit risk could just go away. So we pushed hard to eliminate all of them. Why carry that risk unnecessarily.
Funny, in another thread that prompted this one to pop back up elsewhere, someone laughed at me for even taking audit risk into consideration with "you'd have to eliminate all audit risk" which, of course, makes no sense as each risk stands on it own. But we did just that... eliminated everything that had audit risk. It's very freeing.
-
@scottalanmiller EA's and audit requirements have huge variables depending on industry, requirements, the country its originated in, the countries it is used in. The language varies so much (and you can ask for things to be waved, changed, or added based on your needs). EA's are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from a oil company.
-
@John-Nicholson said in Vmware Audit:
@scottalanmiller EA's and audit requirements have huge variables depending on industry, requirements, the country its originated in, the countries it is used in. The language varies so much (and you can ask for things to be waved, changed, or added based on your needs). EA's are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from a oil company.
I understand that it is very hard. It's also tough because the OP is saying that this is from a EULA, not from the EA. Hopefully he will chime in soon. It seems like crazy audit stuff.
Is there a clear guide to what audit requirements would fall on someone NOT under an EA?
-
Depends on the agreement and your industry.
If your a service provider operating under SPLA (Microsoft) or VCAN (VMware) you have to be reporting this every 30 days. If the licensing had "per day, or per month" fee's its completely normal to require this type of information be maintained. The most favorable (granular) licensing terms require the most aggressive logging information be maintained for audit purposes.
