Endpoint Monitoring in NSX 6.3

 
As of NSX 6.3, Activity Monitoring is no longer supported and has been deprecated. When navigating to the Activity Monitoring section, the following warning is displayed.
 
 
Activity Monitoring has been replaced by Endpoint Monitoring, which is far more powerful: it maps specific processes inside the guest OS to the network connections those processes are using. This lets you operationalize NSX much faster!
 
There are a few prerequisites before you can use Endpoint Monitoring: install Guest Introspection, and ensure VMware Tools is running and up to date. Note: VMware Tools must have been installed using a custom installation so that the Guest Introspection drivers are included. Please see the screenshot below. I had to uninstall VMware Tools, then perform a reinstall to add these drivers.
 

 
Navigating to the Endpoint Monitoring section of NSX, the first thing to do is enable Data Collection. To enable it, simply click the button “Start Collecting Data”.
 
 
Endpoint Monitoring can be enabled on one Security Group at a time. It’s possible to use pre-existing groups, or to create a brand new Security Group for the VMs you would like to monitor. The maximum number of VMs that can be collected from simultaneously is 20, and the only VMs currently supported are Windows guests.
 
Let’s create a security group and add some virtual machines into the mix before we start the data collection. For more information, please see: Creating Security Groups
 
I didn’t have many Windows VMs in my environment, so I just threw in Active Directory / DNS, my vRealize Automation IaaS, and a jump box. Select the Security Group, then toggle Data Collection to On.
 
 
It seemed to take a long time before I saw any information on the summary page. I actually ended up coming back in the morning before I saw any information. It picked up all 3 virtual machines and 9 total processes generating traffic. Endpoint Monitoring also summarizes flows within a Security Group and outside of a Security Group, which is useful for spotting, for example, web servers or desktop servers talking to each other when they shouldn’t be.
 

 
Looking at the VM Flows tab I see exactly what I expected. All 3 of my VMs are talking to the Active Directory and DNS server. Click on any of the blue bubbles to get more information about the processes.
 

 
Clicking on my AD server, I can see there were 5 total processes generating 19 total flows of traffic, as well as the version of each process.
 

 
It’s also possible to click on the arrows between the servers to find out which ports the processes are communicating over. In this case, we have svchost.exe talking over TCP port 53 to dns.exe.
 

 
Finally, under the Process Flows tab you will see all of the processes, the VMs they are on, the total flows (within a Security Group and outside of a Security Group), and a picture of the flow.
 

 
Endpoint Monitoring provides really valuable information to help secure your datacenter. It can be used to confirm that there are no rogue processes, and to confirm which ports and protocols are being used between processes. It will be beneficial to pair this with the new Application Rule Manager feature under Flow Monitoring to quickly identify the processes behind the flows, and the flows between virtual machines, and then create firewall rules on the fly without having to type them out manually! I will be blogging about this next; stay tuned.
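To sanity-check what Endpoint Monitoring reports for a guest, it helps to build the same process-to-connection map from inside the Windows VM and compare it against the Process Flows tab (for example, that svchost.exe really is the only process talking to TCP 53 on the DNS server). The script below is an added example written for this post, not code from VMware or from the original article. It assumes Windows Server 2012 R2 / Windows 8.1 or later (the NetTCPIP module that provides Get-NetTCPConnection) and rights to read process details; the function names and the group subnet prefixes are illustrative placeholders.

```powershell
# Added example (not from the original post): build an in-guest process-to-connection
# map, similar in spirit to what NSX Endpoint Monitoring reports, so the guest view can
# be compared with the Process Flows tab. Assumes Windows 8.1 / Server 2012 R2 or later.

function Get-ProcessFlowMap {
    [CmdletBinding()]
    param(
        # Established sessions only by default; add 'Listen' etc. to widen the view
        [string[]]$State = @('Established')
    )

    # Resolve each owning PID once rather than per connection
    $procCache = @{}

    Get-NetTCPConnection | Where-Object { $_.State -in $State } | ForEach-Object {
        $conn = $_
        if (-not $procCache.ContainsKey($conn.OwningProcess)) {
            $procCache[$conn.OwningProcess] =
                Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        }
        $p = $procCache[$conn.OwningProcess]

        # Image name (svchost.exe, dns.exe, ...) plus the file's product version,
        # which is the same pair of facts the NSX process bubble shows
        $image = if ($p -and $p.Path) { Split-Path -Leaf $p.Path }
                 elseif ($p)          { $p.ProcessName }
                 else                 { 'unknown (PID exited or access denied)' }

        [pscustomobject]@{
            Process        = $image
            PID            = $conn.OwningProcess
            ProductVersion = if ($p) { $p.ProductVersion } else { $null }
            LocalAddress   = $conn.LocalAddress
            LocalPort      = $conn.LocalPort
            RemoteAddress  = $conn.RemoteAddress
            RemotePort     = $conn.RemotePort
            State          = $conn.State
        }
    }
}

# Summarise like the Process Flows tab: flows per process, split by whether the peer
# sits inside the monitored group's address space (a stand-in for "within the SG").
function Get-ProcessFlowSummary {
    param(
        # Constructed example prefixes; replace with the subnets of your Security Group
        [string[]]$GroupPrefixes = @('10.10.10.', '10.10.20.')
    )

    Get-ProcessFlowMap | Group-Object Process | ForEach-Object {
        $flows  = $_.Group
        $inside = @($flows | Where-Object {
            $remote = $_.RemoteAddress
            $GroupPrefixes | Where-Object { $remote.StartsWith($_) }
        }).Count

        [pscustomobject]@{
            Process      = $_.Name
            TotalFlows   = $flows.Count
            WithinGroup  = $inside
            OutsideGroup = $flows.Count - $inside
            RemotePorts  = ($flows.RemotePort | Sort-Object -Unique) -join ','
        }
    } | Sort-Object TotalFlows -Descending
}

# Usage: run in an elevated PowerShell session on the monitored guest
Get-ProcessFlowSummary | Format-Table -AutoSize
```

Any process that shows up here but not in the NSX view (or vice versa) is worth a second look: it usually means the Guest Introspection thin agent is not running in that VM, or the process is short-lived and fell outside the collection window. Run the script at roughly the same time the NSX data was collected, since both views are point-in-time snapshots.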
 

Posted by:

Sean Whitney

9 Comments

  1. Andreas Marqvardsen -  March 18, 2017 - 2:57 pm

    Hi Sean,

    Thank you for your post. Configured Endpoint Monitoring on two of my demo clusters today and I do not see any “Virtual Machines Running” for the moment, so as you said it probably takes some time before information starts showing up. Have done all the required steps, prepped the clusters for GI, checked that the NSX GI drivers are installed with VMware Tools. Will check in tomorrow morning to see if there is any update.
    Thanks again for your blog posts, most useful!

    Regards
    Andreas

    • Sean Whitney -  March 18, 2017 - 3:17 pm

      No problem! Me and a colleague had the same issue. I checked after 3-4 hours and nothing, next morning it had information.

      • Andreas Marqvardsen -  March 19, 2017 - 2:34 am

        Well, I checked today and still nothing. It has been running all night on both of the clusters and there is no information.
        There must be something I am missing here. It doesn’t even report any number of running VMs.
        I am running vSphere 6.5b with NSX 6.3.1, and I have checked that the Guest Introspection drivers are included when installing VMware Tools. The Guest Introspection appliances are running on each host.

        • Sean Whitney -  March 19, 2017 - 11:04 am

          Hi Andreas,

          Mine didn’t report any running VMs either until I checked back the next morning. What guest OS are the VMs running?

          Sean

          • Andreas Marqvardsen -  March 19, 2017 - 12:47 pm

            Hi Sean,
            The guest OS is both Linux and Windows 2k12 R2. I can see that the Thin Agent under Datacenter/Monitor/Guest Introspection is registered as running on two of the Windows guests, but not the Linux ones (that is probably the VMware Tools driver; I suspect they are running with open-vm-tools). Was hoping to do a demo on this for a customer tomorrow... But it looks like this has to wait 😉

          • Sean Whitney -  March 19, 2017 - 1:01 pm

            Endpoint Monitoring won’t work with the Linux guests; it only works with Windows for now. Can you try a SG group with just the two Windows guests, and see if any data shows up by tomorrow morning?

  2. Andreas Marqvardsen -  March 19, 2017 - 1:11 pm

    Started a new monitoring now with just the two Windows machines in the SG group. Let’s see if there is something there tomorrow.
    Thank you for your replies Sean!
    Regards

    • Andreas Marqvardsen -  March 20, 2017 - 12:52 pm

      Hi again Sean,
      You were right. After I removed the Linux VMs and started a new monitoring I finally got some data. But it still had to work over the night to present any data.
      Thank you for your help.
      Best regards
      Andreas

      • Sean Whitney -  March 20, 2017 - 12:58 pm

        Awesome, happy to help!
