Friday, January 29, 2016


If you are looking for a centralized IDS logging solution with real-time elastic search capabilities, security event classification and trending, I'd highly recommend Wazuh, based on the Elasticsearch, Logstash and Kibana (ELK) stack and its own fork of OSSEC. Customizable, importable visualizations and load-balanced scalability make this open-source project robust and valuable.

When following the implementation guide, make sure to use the OSSEC 2.9 fork

Friday, February 6, 2015

Quantifying TPS Savings now that it's disabled - how much are you losing?

The most recent ESXi updates will incorporate a change in Transparent Page Sharing (TPS). Due to security considerations (KB 2080735), TPS will be disabled by default.
As a vmadmin, your next question would be: how much am I losing with TPS gone?
Thankfully there is a tool to quantify exactly how much TPS is going on - credit @vmMarkA and @vBrianGraf.
As it turns out, our main clusters are only seeing 2-5% TPS savings (mostly zero pages), so this change will have no real impact. I can imagine VDI-type workloads could be the most impacted by this change - what are the max TPS numbers folks are seeing?

vExpert 2015

Congratulations to the vExpert class of 2015, new and alumni alike, it's an honor to be counted in your company!

Friday, April 18, 2014

Windows 2003 IPSec error blocks all traffic

This happened to one of our Windows 2003 VMs this week - it was patched and rebooted and came up with no network traffic being passed.

The team first looked to revert to the previous known good state - the central storage snapshots.
But as it turns out these restored snapshots also came up with no network being passed.

I removed the old VM network adapter (AMD) and replaced it with the newer Intel, updated VMware Tools, with several reboots in between, all to no effect: the adapter was up and "connected" but not passing any traffic, and could not ping the default gateway.

Finally found a post leading us to check the System Event logs

And finding a VMware KB article confirming the resolution:

Disable the Windows 2003 IPSec service and reboot - voila, traffic now unblocked!

Hope this saves other folks some time to resolution!

Tuesday, April 8, 2014

ESXi 5.5 vulnerable to OpenSSL Heartbleed bug - 4/19 Patch Released

Today the existence of a serious bug in OpenSSL was revealed, which allows an attacker to read the memory of your system, including usernames, passwords, keys, etc.

More information here:

This site will check a URL for the vulnerability: 

This command line tool also checks for the vulnerability - it's a Python script you can use inside your firewalled zones.

Our ESXi 5.5 build 1331820 servers have the vulnerability.
And fully patched ESXi 5.5 build 1623387 (as of 4/8) shows the vulnerability as well.
I've posted in the VMware forums asking about the ETA of a patch to fix this in our VI.

Update 4/9: VMware has supplied a KB of products affected

Update 4/19 - Patch Released:

Note: VMware recommends updating vCenter before ESXi

VMware KB: Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160

Confirmed the vulnerability is removed by this patch - folks should also cycle keys and update passwords:

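cd /etc/vmware/ssl
# regenerate the host certificate and key; without this step the old key pair stays in place
/sbin/generate-certificates
# set the sticky bit so ESXi keeps the new files across reboots
chmod +t rui.crt
chmod +t rui.key
# change the root password
passwd root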
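
To confirm that keys were actually cycled on every host, the following added example (not from the original post or from VMware) parses the output of `openssl x509 -noout -startdate -fingerprint` collected per host and flags certificates issued before the 4/19 patch release or unchanged from a pre-patch baseline. Host names, dates and fingerprints in the sample are constructed, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Patch release date taken from the post ("Update 4/19"); a certificate issued
# earlier was necessarily created while the host was still vulnerable.
PATCH_RELEASED = datetime(2014, 4, 19, tzinfo=timezone.utc)

def _norm(fp):
    """Normalise a fingerprint: drop colons, lower-case."""
    return fp.replace(":", "").strip().lower()

def parse_x509_summary(text):
    """Parse `openssl x509 -noout -startdate -fingerprint` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    fp = next((v for k, v in fields.items()
               if k.lower().endswith("fingerprint")), None)
    if "notBefore" not in fields or fp is None:
        raise ValueError("summary lacks notBefore or fingerprint line")
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(fields["notBefore"]), tz=timezone.utc)
    return issued, _norm(fp)

def rotation_findings(summary, baseline_fp=None, patched_at=PATCH_RELEASED):
    """Return the reasons a host certificate still needs replacing ([] if none)."""
    issued, fp = parse_x509_summary(summary)
    findings = []
    if issued < patched_at:
        findings.append("issued before patch")
    if baseline_fp is not None and fp == _norm(baseline_fp):
        findings.append("unchanged since pre-patch baseline")
    return findings

# Constructed sample data: host names, dates and fingerprints are made up.
OLD_FP = "1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D"
NEW_FP = "99:88:77:66:55:44:33:22:11:00:AA:BB:CC:DD:EE:FF:10:20:30:40"
SAMPLE = {
    "esx01.example.test": "notBefore=Mar  3 08:15:00 2013 GMT\nSHA1 Fingerprint=" + OLD_FP,
    "esx02.example.test": "notBefore=Apr 21 14:02:10 2014 GMT\nSHA1 Fingerprint=" + NEW_FP,
}

def audit(samples=SAMPLE, baseline=None):
    """Map each host that still needs rotation to its list of findings."""
    baseline = baseline or {"esx01.example.test": OLD_FP}
    return {h: f for h, s in samples.items()
            if (f := rotation_findings(s, baseline.get(h)))}

if __name__ == "__main__":
    for host, findings in audit().items():
        print(host, "->", "; ".join(findings))
```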