As of NSX 6.3, Activity Monitoring is no longer supported and has been deprecated. When navigating to the Activity Monitoring section, the following warning will be displayed.
Activity Monitoring has been replaced by Endpoint Monitoring, which is a lot more powerful: it allows you to map specific processes inside the guest OS to the network connections those processes are using. This lets you operationalize NSX much faster!
There are a few prerequisites before you can use Endpoint Monitoring: install Guest Introspection and ensure VMware Tools is running and up to date. Note: VMware Tools must have been installed using a custom installation so that the Guest Introspection drivers are included. Please see the screenshot below. I had to uninstall VMware Tools, then perform a reinstall to add these drivers.
Navigating to the Endpoint Monitoring section of NSX, the first thing to do is enable Data Collection. To enable it, simply click on the button “Start Collecting Data.”
Endpoint Monitoring can be enabled on one Security Group at a time. It’s possible to use preexisting groups, or to create a brand new Security Group for the VMs you would like to monitor. The maximum number of VMs that can be collected from simultaneously is 20, and the only VMs currently supported are Windows guests.
Let’s create a security group and add some virtual machines into the mix before we start the data collection. For more information, please see: Creating Security Groups
I didn’t have many Windows VMs in my environment, so I just threw in Active Directory / DNS, my vRealize Automation IaaS, and a jump box. Select the Security Group, then toggle Data Collection to On.
It seemed to take a long time before I saw any information on the summary page. I actually ended up coming back in the morning before I saw any information. It picked up all 3 virtual machines and 9 total processes generating traffic. Endpoint Monitoring will also summarize the flows within a Security Group and outside of a Security Group, which can be useful to determine whether, for example, web servers or desktop servers are talking to each other when they shouldn’t be.
Looking at the VM Flows tab, I see exactly what I expected. All 3 of my VMs are talking to the Active Directory and DNS server. Click on any of the blue bubbles to get more information about the processes.
Clicking on my AD server, I can see there were 5 total processes generating 19 total flows of traffic, as well as the version of each process.
It’s also possible to click on the arrows between the servers to find out what ports the processes are communicating over. In this case, we have svchost.exe over TCP port 53 to dns.exe.
Finally, under the Process Flows tab you will see all of the processes, the VMs they are on, the total flows (within a SG, outside of a SG), and a graphical view of the flow.
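To make the Process Flows summary concrete, here is an added Python example (not NSX code, and not the format NSX exports) that models what the tab displays: a set of constructed process-to-process flow records, a constructed Security Group membership, and a constructed baseline of expected process/protocol/port combinations. It counts each process’s flows within versus outside the group, lists the ports used between two VMs (the “click on the arrow” view), and flags any flow whose process/port pair is not in the baseline, which is the rogue-process check described above. All VM names, process names, ports and the baseline are assumptions made up for the example.

```python
"""Model of the NSX Endpoint Monitoring Process Flows view.

Constructed example: the flow records, Security Group membership and
baseline below are invented for illustration and are not NSX output.
"""
from collections import defaultdict

# Constructed Security Group membership (hypothetical VM names).
SECURITY_GROUP = {"dc01", "vra-iaas01", "jumpbox01"}

# Constructed flow records in the shape Endpoint Monitoring presents them:
# (source VM, source process, destination VM, destination process, protocol, port)
# A destination process of None means the destination is not a monitored VM.
FLOWS = [
    ("vra-iaas01", "svchost.exe", "dc01", "dns.exe", "tcp", 53),
    ("vra-iaas01", "svchost.exe", "dc01", "dns.exe", "udp", 53),
    ("jumpbox01", "svchost.exe", "dc01", "dns.exe", "udp", 53),
    ("jumpbox01", "lsass.exe", "dc01", "lsass.exe", "tcp", 389),
    ("vra-iaas01", "lsass.exe", "dc01", "lsass.exe", "tcp", 389),
    ("dc01", "svchost.exe", "ntp.example.internal", None, "udp", 123),
    ("jumpbox01", "mstsc.exe", "web01", "svchost.exe", "tcp", 3389),
    ("jumpbox01", "unknownsvc.exe", "203.0.113.7", None, "tcp", 4444),
]

# Constructed allow-list of expected (process, protocol, port) triples.
BASELINE = {
    ("svchost.exe", "tcp", 53),
    ("svchost.exe", "udp", 53),
    ("lsass.exe", "tcp", 389),
    ("svchost.exe", "udp", 123),
    ("mstsc.exe", "tcp", 3389),
}


def summarize_flows(flows, group):
    """Return {(vm, process): {"within": n, "outside": n}}.

    A flow is "within" the Security Group when both VMs are members.
    The source process is always counted; the destination process is
    counted when it is a known process on a member VM, mirroring how the
    Process Flows tab attributes a flow to both ends.
    """
    summary = defaultdict(lambda: {"within": 0, "outside": 0})
    for src_vm, src_proc, dst_vm, dst_proc, _proto, _port in flows:
        scope = "within" if src_vm in group and dst_vm in group else "outside"
        summary[(src_vm, src_proc)][scope] += 1
        if dst_proc is not None and dst_vm in group:
            summary[(dst_vm, dst_proc)][scope] += 1
    return dict(summary)


def processes_on(summary, vm):
    """Distinct processes observed generating or receiving traffic on a VM."""
    return {proc for (host, proc) in summary if host == vm}


def ports_between(flows, src_vm, dst_vm):
    """The 'arrow' view: (src process, protocol, port, dst process) for src->dst."""
    return {
        (src_proc, proto, port, dst_proc)
        for s_vm, src_proc, d_vm, dst_proc, proto, port in flows
        if s_vm == src_vm and d_vm == dst_vm
    }


def unexpected_flows(flows, baseline):
    """Flows whose (source process, protocol, port) is not in the baseline."""
    return [f for f in flows if (f[1], f[4], f[5]) not in baseline]


if __name__ == "__main__":
    summary = summarize_flows(FLOWS, SECURITY_GROUP)
    for (vm, proc), counts in sorted(summary.items()):
        print(f"{vm:12} {proc:16} within={counts['within']} outside={counts['outside']}")
    print("dc01 processes:", sorted(processes_on(summary, "dc01")))
    print("vra-iaas01 -> dc01:", sorted(ports_between(FLOWS, "vra-iaas01", "dc01")))
    for flow in unexpected_flows(FLOWS, BASELINE):
        print("NOT IN BASELINE:", flow)
```

Running it prints the per-process within/outside counts, the three process/port pairs between vra-iaas01 and dc01 (svchost.exe to dns.exe on TCP and UDP 53, lsass.exe to lsass.exe on TCP 389), and flags the single constructed flow from unknownsvc.exe to an external address on TCP 4444 as not in the baseline. The same reconciliation against an allow-list is what you would do by eye in the Process Flows tab before turning the observed flows into firewall rules.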
Endpoint Monitoring provides really valuable information to help secure your datacenter. It can be used to confirm that there are no rogue processes, and it can also confirm what ports and protocols are being used between processes. It will be beneficial to pair this with the new Application Rule Manager feature under Flow Monitoring to quickly identify the processes the flows are using, and the flows between virtual machines, and then create firewall rules on the fly without having to manually type them out! I will be blogging about this next. Stay tuned.