Automatic e-mail notifications from VMS based on events

Hello

Is it possible to receive an e-mail from VMS each time an event like a high-severity signature is detected? If we can automate this process, I am unable to find any of these settings in VMS. Can you please help me out with this?

Thanks and greetings

Salim

This is a script that works with VMS and 4.1 sensors:

#!/usr/bin/perl

use Time::Local;

#***********************************************************************
#
# FILE NAME:    emailalert.pl
#
# DESCRIPTION:  This file is a Perl script that is run as an action
#               when an IDS MC Event Rule fires, and sends an e-mail to
#               $EmailRcpt containing additional alarm parameters
#               (similar to the functionality available with CSPM
#               notifications).
#
# NOTE:  This script only works with 4.x sensors.  It will not work
#        with 3.x sensors.
#
# NOTE:  This script takes the ${Query} keyword from the triggered
#        rule, extracts all of the alarms that caused the rule to
#        fire, then parses each alarm of that set into its individual
#        alarm fields and calls the legacy script with the same set of
#        command line arguments as CSPM.
#
# The calling sequence of this script must be of the form:
#
#     emailalert.pl "${Query}"
#
# Where:
#
#     "${Query}" - this is the query keyword dynamically output by the
#                  rule when it fires.  It MUST be enclosed in double
#                  quotes when you specify it in the Arguments box on
#                  the rule Actions panel.
#
#***********************************************************************
##
# The following are the only two variables that need changing.  $TempIDSFile
# can be any filename (it doesn't have to exist), just make sure the
# directory you specify exists.  Use 2 backslashes for each directory
# separator: the first backslash escapes the second so the Perl interpreter
# does not error on the path.
##
# $EmailRcpt is the person who will receive the e-mail notifications.  Also
# make sure you escape the @ symbol by putting a backslash in front of it,
# otherwise you will get a Perl syntax error.
##
$TempIDSFile = "c:\\temp\\idsalert.txt";
$EmailRcpt   = "gfullage\@cisco.com";

# subroutine to add a leading 0 to any date field that is less than 10.
sub add_zero {
    my ($var) = @_;
    if ($var < 10) {
        $var = '0' . $var;
    }
    return $var;
}

# subroutine to find one or more IP addresses inside every <$tag>...</$tag>
# element of the current alert in $_ (an alert can now carry several
# attackers or victims).
sub find_addresses {
    my ($tag) = @_;
    my @addresses = ();
    my $raw = $_;
    while ($raw =~ m/<$tag>(.*?)<\/$tag>/) {
        my $seg = $1;
        $raw = $';
        while ($seg =~ m/(\d{1,3}\.){3}\d{1,3}/) {
            push @addresses, $&;
            $seg = $';
        }
    }
    return join(",", @addresses);
}

# pull the command line arg
$whereClause = $ARGV[0];

# file that receives all alarms matching the query expression
$tmpFile = "alarms.out";

# Extract the XML alert/event records out of the database.
system("IdsAlarms -if \"$whereClause\" -f \"$tmpFile\"");

# Open the matching alarm output
if (!open(ALARM_FILE, $tmpFile)) {
    print "Could not open $tmpFile\n";
    exit -1;
}

# read the whole file into @logfile
while (<ALARM_FILE>) {
    chomp $_;
    push @logfile, $_;
}

# clean up
close(ALARM_FILE);
unlink($tmpFile);

# Open the temp file the alert data is written to
open(OUT, ">$TempIDSFile") or die "Could not open $TempIDSFile: $!\n";

# split the XML output into one item per alert
$oneline = join('', @logfile);
$oneline =~ s/<\/events>//g;
$oneline =~ s/<\/evAlert>/<\/evAlert>,/g;
@items = split(/,/, $oneline);

# If you want to see the database query result in the e-mail, uncomment the
# line below (useful for troubleshooting):
# print(OUT "$oneline\n");

# Loop until there are no more alerts
foreach (@items) {
    if (m/<hostId>(.*)<\/hostId>/) {
        $hostid = $1;
    }
    if (m/severity="(.*?)"/) {
        $sev = $1;
    }
    if (m/Zone=".*">(.*)<\/time>/) {
        $t = $1;
        # the sensor reports nanoseconds; the last 9 digits are the fraction
        if ($t =~ m/(.*)(\d{9})/) {
            ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime($1);
            # Year is reported from 1900 (eg. 2003 is 103).
            $year = $year + 1900;
            # Months start at 0 (January = 0, February = 1, etc.), so add 1.
            $mon  = $mon + 1;
            $mon  = add_zero($mon);
            $mday = add_zero($mday);
            $hour = add_zero($hour);
            $min  = add_zero($min);
            $sec  = add_zero($sec);
        }
    }
    if (m/sigName="(.*?)"/) {
        $SigName = $1;
    }
    if (m/sigId="(.*?)"/) {
        $SigID = $1;
    }
    if (m/subSigId="(.*?)"/) {
        $SubSig = $1;
    }
    $attackerstring = find_addresses("attacker");
    $victimstring   = find_addresses("victim");

    # collect the actions whose element body is "true"
    @actions = ();
    if (m/<actions>(.*)<\/actions>/) {
        $rawaction = $1;
        while ($rawaction =~ m/<(\w*?)>(.*?)<\/\1>/) {
            $rawaction = $';
            if ($2 eq "true") {
                push @actions, $1;
            }
        }
    }
    if (@actions) {
        $actiontaken = join(",", @actions);
    }
    else {
        $actiontaken = 'none';
    }

    # Now write the notification e-mail.  It is written to the temporary
    # file for now, and that file is then sent.
    ##
    # Once again, be sure to escape special characters with a backslash (note
    # the : between the SigID and the SubSig).
    print(OUT "\n$hostid reported an alert of severity $sev at $mon/$mday/$year $hour:$min:$sec\n");
    print(OUT "Signature $SigName \($SigID\:$SubSig\) from $attackerstring to $victimstring\n");
    print(OUT "Actions taken: $actiontaken\n\n");
    print(OUT "----------------------------------------------------\n");
}
close(OUT);

# Call the "blat" program to send the file contents in the body of an e-mail.
# Blat is a freeware e-mail program for Windows NT/95; it comes with VMS in the
# $BASE\CSCOpx\bin directory, just make sure you install it first by running:
##
#     blat -install
##
# For more information on blat just type "blat" at your system prompt (make
# sure the VMS bin directory is in your path, or move the executable to
# c:\winnt\system32 BEFORE you run the install, which will ensure your system
# can always find it).
system("blat \"$TempIDSFile\" -t \"$EmailRcpt\" -s \"Received IDS alert\"");
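The same field extraction, written as an added example that is not part of the answer above or of Cisco's script: it splits the IdsAlarms dump on </evAlert> instead of on commas, collects every attacker and victim address from an alert, and converts the sensor's nanosecond timestamp. The evAlert sample is constructed (hypothetical sensors, signatures and addresses); the element and attribute names are the ones the script above matches on.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(strftime);

# Constructed sample of what IdsAlarms dumps: two 4.x-style evAlert records
# (hypothetical values, not real sensor output).  The second alert has two
# attackers and a sigName containing a comma, which breaks a split on commas.
my $sample_xml = <<'XML';
<events>
<evAlert eventId="1000000000001" severity="high">
 <originator><hostId>sensor-lab-01</hostId></originator>
 <time offset="0" timeZone="UTC">1045678901123456789</time>
 <signature sigName="WWW IIS Unicode attack" sigId="5114" subSigId="0"/>
 <participants><attack><attacker><addr locality="OUT">192.0.2.10</addr><port>3456</port></attacker>
 <victim><addr locality="IN">198.51.100.5</addr><port>80</port></victim></attack></participants>
 <actions><shunRequested>true</shunRequested><droppedPacket>false</droppedPacket></actions>
</evAlert>
<evAlert eventId="1000000000002" severity="medium">
 <originator><hostId>sensor-lab-02</hostId></originator>
 <time offset="0" timeZone="UTC">1045678950000000000</time>
 <signature sigName="ICMP Flood, Large" sigId="2152" subSigId="1"/>
 <participants><attack><attacker><addr>192.0.2.20</addr></attacker><victim><addr>198.51.100.5</addr></victim></attack>
 <attack><attacker><addr>192.0.2.21</addr></attacker><victim><addr>198.51.100.5</addr></victim></attack></participants>
 <actions><shunRequested>false</shunRequested></actions>
</evAlert>
</events>
XML

# Every IPv4 address inside every <$tag>...</$tag> element of one alert.
sub addresses_in {
    my ($alert, $tag) = @_;
    my @addrs;
    while ($alert =~ m{<$tag>(.*?)</$tag>}sg) {
        my $seg = $1;
        push @addrs, $seg =~ m/(\d{1,3}(?:\.\d{1,3}){3})/g;
    }
    return @addrs;
}

# Split the dump on </evAlert> rather than on commas; returns one hashref per alert.
sub parse_alerts {
    my ($xml) = @_;
    my @alerts;
    while ($xml =~ m{<evAlert\b(.*?)</evAlert>}sg) {
        my $rec = $1;
        my %f;
        ($f{host})   = $rec =~ m{<hostId>(.*?)</hostId>};
        ($f{sev})    = $rec =~ m/severity="([^"]*)"/;
        ($f{sig})    = $rec =~ m/sigName="([^"]*)"/;
        ($f{sigid})  = $rec =~ m/\bsigId="([^"]*)"/;
        ($f{subsig}) = $rec =~ m/subSigId="([^"]*)"/;
        # Sensor time is nanoseconds since the epoch: drop the last 9 digits.
        my ($ns) = $rec =~ m{<time[^>]*>(\d+)</time>};
        my $secs = (defined $ns && length($ns) > 9) ? substr($ns, 0, -9) : 0;
        $f{when} = strftime("%m/%d/%Y %H:%M:%S", gmtime($secs));
        $f{attackers} = join(",", addresses_in($rec, "attacker")) || "unknown";
        $f{victims}   = join(",", addresses_in($rec, "victim"))   || "unknown";
        my @taken = $rec =~ m{<(\w+)>true</\1>}g;   # only actions actually taken
        $f{actions} = @taken ? join(",", @taken) : "none";
        push @alerts, \%f;
    }
    return @alerts;
}

# Same notification layout as emailalert.pl, built from one parsed record.
sub format_alert {
    my ($f) = @_;
    return "$f->{host} reported an alert of severity $f->{sev} at $f->{when}\n"
         . "Signature $f->{sig} ($f->{sigid}:$f->{subsig}) from $f->{attackers} to $f->{victims}\n"
         . "Actions taken: $f->{actions}\n";
}

print format_alert($_), "-" x 52, "\n" for parse_alerts($sample_xml);
```

Timestamps are rendered in UTC with gmtime so the output does not depend on the machine's time zone; swap in localtime to match the script above.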

Tags: Cisco Security

Similar Questions

  • vRA 6.2 API - is it possible to request a new virtual machine based on a machine template using the API?

    Hello

    Is it possible with the 6.2 API to request a new virtual machine based on a machine template from the catalog?

    Thanks for the help in advance,

    Pieter

    Yes, you need to specify the new virtual machine in JSON format and POST it to /catalog-service/api/consumer/requests

  • Rename several virtual machines based on power state & VM name

    I'm looking for a PowerShell script to rename virtual machines based on the VM name and power state.  For example, I have several virtual machines with "-temp" at the end of the server name.  Some are powered on and some are powered off.  I want to rename only those that are off.

    Thank you

    tjw82

    Assuming that -temp is part of the name:

    Get-VM | where {$_.PowerState -eq "PoweredOff"} | foreach {Set-VM -VM $_ -Name (($_.Name).Replace("temp","delete"))}

  • Remove/delete virtual machines based on creation date

    Hello

    I'm fairly new to PowerCLI and I'm not a strong coder. I've been looking through the communities and the internet, and this time Google is not my best friend.

    I'm trying to make a script that deletes VMs from disk based on the VMs' creation time and a unique string in the VM name, to avoid deleting virtual machines other than those I want. I would like to extend this script to remove the AD and SCCM objects as well, but that's just a wish list.

    You may be wondering why I want to do something like this, and the answer is: for testing purposes.

    I have a group testing applications in a lab environment and we want to make sure that the virtual machines are removed within 3 weeks of being created, without doing it manually.

    Any help with this would be greatly appreciated

    Then, you could make the Where clause more specific, something like

    where {$_ -is [VMware.Vim.VmCreatedEvent] -and $_.Vm.Name -like "LAB*"} | %{
    
  • Auto-shutdown Exempt setting on multiple virtual machines

    Hello

    I have several machines on which I want to set the "Auto-shutdown Exempt" annotation.

    I tried this

    Set-Annotation -Entity "VMname" -CustomAttribute "Auto-shutdown Exempt" -Value ON
    
    which works fine on 1 machine.
    
    

    I created a folder and moved the VMs and tried

    Set-Annotation -Entity "folder name" -CustomAttribute "Auto-shutdown Exempt" -Value ON 

    but it did not work.

    I think I need to use

    Get-Folder 'xxxx' | Set-Annotation -Entity $host -CustomAttribute "Auto-shutdown Exempt" -Value ON

    But what value goes after -Entity?

    I don't want to list all the virtual machine names.

    Thanks in advance

    You can try:

    Get-Folder 'xxxx' | Get-VM | Set-Annotation -CustomAttribute "Auto-shutdown Exempt" -Value ON

    Best regards, Robert

  • Selecting virtual machines based on the grandparent folder

    How can I get all the virtual machines that are NOT under a certain grandparent folder?

    You could do something like this

    $folderName = "MyAccount"

    Get-VM | where {
      (Get-View -Id (Get-View $_.ExtensionData.Parent | Select -ExpandProperty Parent) |
       Select -ExpandProperty Name) -ne $folderName}

    Or you can use the BlueFolderPath New-VIProperty from my post.

    Then it would become

    $folderName = "MyAccount"

    Get-VM | where {$_.BlueFolderPath -notmatch $folderName}

    If you have several folders with the same name, you can provide the full folder path, which is more foolproof in all cases.

    $folderName = "DC1, Blue1, myFolder"

    Get-VM | where {$_.BlueFolderPath -notmatch $folderName}

  • How to build a new virtual machine on a cluster with PowerCLI?

    When you create a new virtual machine on a cluster in the user interface, you cannot select the host; it is decided by the cluster.

    Now I want to create a new VM on a cluster with PowerCLI. I have not found any parameter to specify the cluster.

    Only "$vmhost" to specify the host.

    Why are they so different?

    Can someone help me understand it, and how to create a new VM on a cluster?

    Thank you in advance!

    Hello, bob1118-

    While, as you said, there is no -Cluster parameter on the New-VM cmdlet, you _can_ effectively specify the cluster at VM creation time via PowerCLI: you specify a resource pool within the desired cluster.  So a partial New-VM call would look like:

    New-VM -Name myNewVM0 -ResourcePool (Get-Cluster myDestinationCluster | Get-ResourcePool -Name "Resources") -Template ...
    

    That uses the default resource pool "Resources" that exists in a cluster.  And you could fill in the rest of the parameters relevant to the new virtual machine as you desire.  How's that?

  • Start a virtual machine based on the load of another virtual machine

    Hi all

    I am looking for a solution that will start a VM on demand depending on the load on other virtual machines, perhaps in the same resource pool. Essentially, the expected result would be something like this:

    - When dv01 reaches 75% CPU usage for 15 minutes,

    - Boot VM02

    - Once dv01 has been below 40% usage for 30 minutes,

    - Shut down VM02

    This could also be a new virtual machine that is brought up from a template and Sysprepped, rather than one that just sits there, powered off and unused.

    I hope the final objective is clear. Does anyone have recommendations on how to do it? I just did a quick search on some terms I thought would be relevant and didn't really turn anything up.

    Thanks for your comments!

    -James

    jamesgreen wrote:


    To bring up vm02, you can set the alarm action to run a script that will start vm02.

    PowerCLI command would be

    Start-VM -VM VM02

    You could probably add another alarm for when dv01 has less than 40% CPU

    and run another script;

    the command is:

    Stop-VMGuest -VM VM02

  • Deploy virtual machines from a template with template-based customization

    Hello

    I am currently adapting this script (thanks Alex) http://www.jasemccarty.com/blog/?tag=powercli, which is an all-encompassing script.

    I want to be able to deploy virtual machines from a CSV file and customize the template with a static IP address, join it to the domain, etc. Attached is my current (poor) effort... If anyone can help me, that would be really appreciated.

    Thank you


    Dan

    The error message explains it: run the 32-bit version of PowerCLI.

  • Counting virtual machines by top-level folder

    I'm looking to count the number of virtual machines contained in each of the top-level folders in vCenter Server.  For example, there are 10 top-level folders; in top-level folder1 there are 200 virtual machines (including all folders under this folder), in top-level folder 2 there are 250 VMs, and so on.

    Any input appreciated - thank you!

    Greetings, @TheVMinator-

    This can be done quite easily by using the -NoRecursion parameter on Get-Folder.  So, assuming that the folder structure is something like:

    myVCenter
      smallDatacenter
        + topFolder0
        |   + subfolder0
        |   + anotherSubfolder
        + topFolder1
        |   + thisFolder0
        |   |   + deeperFolder
        |   + subfolderHere
        + topFolder2
        |...
    

    You can use the following to get the top-level folder names and count the number of VMs in each top-level folder and all its subfolders:

    ## get the given datacenter, then get the built-in "VM" folder, then get the top-level folders there, and foreach top-level folder
    Get-Datacenter "smallDatacenter" | Get-Folder "VM" | Get-Folder -NoRecursion | %{
         ## create a new object that contains the folder name and the count of the VMs in this folder and all of its subfolders
         $oOutput = New-Object -Type PSObject -Property @{
              "FolderName" = $_.Name
              "VMCount" = @(Get-View -ViewType VirtualMachine -SearchRoot (Get-View $_).MoRef -Property Name).Count
         } ## end New-Object
         ## write out the info
         $oOutput
    } ## end Foreach-Object
    

    This will output one object per top-level folder, each with the folder name and the number of VMs in the folder and all its subfolders.

    Enjoy

  • Sorting virtual machines based on the folder they are in

    I want to sort VMs based on the folder they are in. Does anyone know how to do this? Even better, export it to an Excel sheet.

    Do you want only the folder name or the complete folder path?

    If it's only the folder name, you can use a slight variation on the script in the "List VMs by folder name" thread.

    Something like this

    $report = @()
    
    Get-Folder | %{
      $folder = $_.Name
      $_ | Get-VM | %{
        $row = "" | select FolderName, VMName
        $row.FolderName = $folder
        $row.VMName = $_.Name
        $report += $row
      }
    }
    $report | Sort-Object -Property FolderName | Export-Csv "C:\VM-by-folder.csv" -NoTypeInformation
    
  • Workflow to edit an existing virtual machine

    Hi all!

    I just wanted to ask if someone can give me an example of a workflow that can be used to modify an existing virtual machine.

    I guess in order to change the virtual machine you will need to power it off, edit it, and power it on again.

    I would like to modify CPU, RAM and maybe add/remove a disk. I looked in the Create VM workflow and I see how the settings are made, but I don't know how to edit them on an existing virtual machine.

    Thank you

    Take a look at this post:

    http://communities.vmware.com/docs/DOC-10543 for adding memory to a virtual machine.  The same area http://communities.vmware.com/community/vmtn/mgmt/orchestrator/?view=documents has another workflow for adding CPU cycles.  Adding CPU cycles or memory to a new or existing VM is really the same call as adding them; you just set how much memory & CPU you want.

    There is a workflow in the library that you can use to add a disk.

    Let us know if you need help with anything else.

    SIA

  • Unable to start the virtual machine and snapshots are missing from Snapshot Manager.

    Hello

    I'm new here in the VMware communities and I don't know if I'm posting this question in the right place. I am currently using VMware Workstation 9. The issue I'm having is that I cannot start my VM. The error says:

    vm error.png

    This is an overview of my settings:

    settings.png

    When I try to get a snapshot I can go back to, I get this Snapshot Manager screen:

    snapshot.png

    I checked the files in the virtual machine's directory. The snapshot files are still there.

    I tried to solve the problem by editing the virtual machine configuration file to use another vmdk. I got an error saying something about the parent and the child not being synchronized. Sorry, I don't have a screenshot of that. I also tried making a copy of one of the other VMDKs and renaming it to match the name of the missing file. That didn't get me anywhere either. I tried looking on the net, but I get answers for other VMware products, ESXi and vSphere. So I don't know if they apply to my current situation.

    At this point, I'm hoping to recover my machine or at least be able to use snapshots. Please advise.

    I think that restoring was the best way to solve this problem. I actually checked the different files, but it looks like I missed something. In any case, creating snapshots with the virtual machine in a powered-off state is my personal preference. It not only saves disk space (since there is no need to preserve the current memory state) but also provides a consistent state. As for the number of snapshots, you're always on the safe side, and if you are not having performance issues with the small changes you make, you should be OK. In case there is a performance problem, you may consider storing the virtual machine on an SSD, which will certainly help.

    From the VMware Workstation 10 Documentation Center:

    For local virtual machines, you can take more than 100 snapshots for each linear process. For shared and remote virtual machines, you can take a maximum of 31 snapshots for each linear process.

    André

    Post edited by: a.p. - corrected typo, "SSD" instead of "SD".

  • Turn a Windows XP virtual machine back into a Boot Camp partition?

    At first I used Boot Camp to install Windows XP, then I made a virtual machine using Fusion. My MacBook's hard disk failed; good thing I had a SuperDuper backup. I called Apple and got a new hard drive. I reinstalled Leopard and migrated the data back. Is there a way I can turn the virtual machine back into a Boot Camp partition? Because of gaming, if it is possible.

    With no offense intended, if you have to ask, it would probably be faster and easier to just install Windows via Boot Camp, and then if you also want to run the Boot Camp partition in a virtual machine afterwards, you can do that too.

    That said, let me go over what you said... "At first I used Boot Camp to install Windows XP, then I made a virtual machine using Fusion."  Well, your statement could be interpreted as ambiguous, and you didn't say what version of Fusion you use, so I'll assume 2.x, and with this in mind you have two choices in Fusion 2.x itself.  1. You can run the Boot Camp partition in a VM, or 2. You can import the Boot Camp partition as a normal file-based virtual machine, which is then separate and apart from the Boot Camp partition and will cease to be in sync with it, as running the Boot Camp partition as a virtual machine would be; however, it gives you the possibility to do things that the Boot Camp partition running as a virtual machine cannot do.

    Now, if all you had done was run the Boot Camp partition as a virtual machine, then you have no other choice than to run the Boot Camp Assistant and reinstall Windows, because your SuperDuper! backup probably would not have the Boot Camp partition in it, and as such there is nothing to restore the Boot Camp partition from.  Had you had a Winclone backup, that would be another story.

    On the other hand, if you actually imported the Boot Camp partition-based virtual machine to a normal file and you want to use it to run from the Boot Camp partition, then that's called going from virtual to physical, or V2P.  If that's what you want to do, that is where my first comment in this response mainly applies.  In any case, while V2P is technically feasible, it is not easily done by someone who needs to ask, because it can be a complex technical process which requires a certain level of expertise that is generally beyond what casual users are set up to do, and more technical users would not ask, because even if they don't know how, they would get the answers before asking questions, and then ask for verification of what they found first.

    Proper preparation is absolutely necessary when going V2P from a Fusion virtual machine to booting the Boot Camp partition natively.

    It has been my experience that unless a virtual machine is properly prepared, as in using SysPrep or other products such as ShadowProtect Desktop, booting the Boot Camp partition natively from an image of a virtual machine will get the proverbial STOP: 0x0000007b BSOD, so that is one of the main reasons proper preparation is necessary.

    Unless you have a good reason otherwise, I think a clean build is always the best way to go if you have the time; however, if I had a complex build that I had no time to rebuild cleanly and really needed to V2P, then I'd probably do a proper SysPrep and then use Paragon Drive Backup 9.0 Professional, as it is compatible with GUID Partition Tables and with Apple's Boot Camp configuration.

    Anyway, if your situation is a V2P scenario, then I would say search the forum using V2P or "virtual to physical" as search terms, since this has been discussed before.

  • Get virtual machines in a subnet

    I need to get all the virtual machines in a given subnet with something like this:

    Get-VM | where {$_.2ndOctet -eq "110"} # (you get the idea)

    How can I select a set of virtual machines based on their IP address so that I get all virtual machines in the subnet 10.110.0.0/16?

    Thank you!

    The easiest way would be something like this:

    Get-View -ViewType VirtualMachine | Where {$_.Guest.IpAddress -like "10.110.*.*"} | Select Name, {$_.Guest.IpAddress}

    If you are comfortable with regular expressions you could do something like this as well:

    Get-View -ViewType VirtualMachine | Where {$_.Guest.IpAddress -match "^10\.110\.(65|66)\."} | Select Name, {$_.Guest.IpAddress}
