Honeypot as a Service (HaaS) Part 3

This is the third Post of the Haas Series…..

After we have everything up and running would should take a deeper look at the vRealize Log Insight.  There we get our notifications in the interactive analytics. In normal cases nobody will monitor the whole time the interactive analytics therefore we create a Dashboard. The create dashboard is only for your custom view. The log Insight documentation state it like this “You can add, modify, and delete dashboards in your Custom Dashboards space.”

So, in the first step we create a dashboard for your personal view. The creating is quite easy. So, if you have an alert in the interactive analytics you can create the Dashboard from there.



Just click in the New Dashboard Icon on the right site. In the Wizard you create a new dashboard. Provide a Name and if you want share the Dashboard with other Users in the environment.

I use the chart graph for my Dashboard. After you are finished you will find your Dashboard in on the Dashboard View under Shared Dashboards.

Quite Easy or? But would It be better to get an Alert Notification from Log Insight?

This is also very easy. When you go back in the Interactive Analytics just take the Alerts Button.

In the Windows we choose “Create Alert from Query”.

There you provide the required Details for the Alert. Be sure that you configured your SMTP Server before when you use E-Mail as alert notification.

That was cool so far, or?

In the last months I made a couple of NSX Implementations. NSX provides us some really cool feature like the possibility to move VMs into Quarantine to isolate them from the communication with other VMs. So why wo should not use these feature, to migrate the VM were the Access violation was made, into a quarantine location to research what is happening on this VM? When the access was done from a physical machine, we can also create a firewall rule which deny the access to the virtual environment? From my point of view this is security in an automated way.

In this blog Post I will not show how to install and configure the NSX Part of this series. There are a lot of useful information available.

To archive these goal, we can use a REST API Call to the vRO Server to call a workflow which we develop to migrate the VMs or create the firewall rule. One of the first things which we need, is the possibility to interact with NSX from the VMware Orchestrator. Therefore, will install the VMware Orchestrator NSX Plugin. The plugin can be found on the VMware Page:

We also need two additional Plugins The first plugin is needed to decrypt the BASE64 encrypt string from the Shim in vRO. The Plugin can be found here:

The next Plugin is not really necessary but from my point of view the JSON Implementation in vRO is not the best in the world…. therefore, I use the jsonPath for Orchestrator Plugin frim Soeldner-Consulting. The documentation and the Link to the VMware Solution Exchange can be found here:

jsonPath for Orchestrator

After we download the all plugins we can install them via the vRO Control center.

After we are finished with that, we have to create our Workflow that must start when an alert is triggered. The triggering can be done via email or REST API Call. I prefer the REST-API Call du the circumstance that this more flexible, but wait…….here we have a problem. The VMware vRealize Log Insight doesn’t offer any option to create a REST API Call. In the Web GUI only Webhook Notification is available. Therefore, we need a translation between the Webhook and the REST API Call which we need for the vRealize Orchestrator. As always there is an solution available…..Steve Flanders create a Shim which can act as Proxy for the Webhook notification in direction of the VMware vRealize Orchestrator. Steve has a GIT Repository with a good documentation about the different available versions and the installation. I will not go further on the installation as already everything is explained here:

Another useful post can you find here:

After we installed and configured the Shim, we are ready to make our next steps.

I created a vRO Workflow which used as Input parameter the name of the Attacker VM. The workflow checks the Attacker VM against the configured Datacenter. When it is a virtual machine, then an NSX Security Profile is attached to the virtual machine and all communication is denied. When it is not a virtual machine, then an IPSet is created and this IPSet is added to a Security Group

For the workflow it is necessary, that the NSX Manager is configured within vRO. Also, that a security Policy exist which we can use in the workflow. Also, the Datacenter which host our virtual machines in our environment must be provided.

Now let’s have a look at the Workflow:

The Workflow consists from different areas. In the First Part of the Workflow (the yellow box) we have to decode the Base64 string and parse the VM Name from the Log Insight Message.

When we are finished with that, we check if the Attacker Machine is a virtual machine (the red box).  When the machine is a VM, we apply the security Group to the VM (the light brown box) which denies all communication via the Security Policy.

When the Attacker VM is not a virtual machine then the machine will be checked against DNS (the green box) to gather the IP. The DNS checking is done via vRO DNS query so the Orchestrator Appliance must be configured correctly with DNS Server. The DNS Check is done via Name and FQDN. When the name could be resolved and we have the IP Address, then an IPSet is created and the Attacker machine is applied to the security Policy. This only protects the virtual environment!

In all cases a email is created (the blue box) and send to an Administrator.

The Workflow itself has some Attributes which must be filled:

  1. Datacenter –> The Datacenter were to check against the Attacke Machine if it is a VMs
  2. SecurityGroupID –> The Securitygroup ID. The ID is not the name but should look like this: securitygroup-98765. If you don’t know the SecurityGroupID, you can Browse within vRO in the NSX Manager Connection. There you can find the correct name
  3. NSXManager –> Your corresponding NSX Manager (which must be configured before in vRO)
  4. smtpHost –> Your Mail Server
  5. fromName –>  Email Sender Name
  6. fromAddress –>  Email Sender Address
  7. toAddress –> Were the Mail should arrive
  8. DNSDomain –> Your DNS Name to check against FQDN
  9. Optional: SMTPUsername –> The Mail Server Username, if required
  10. Optional: SMTPPassword –> Password for the Mail Server user

For the Workflow itself there is room for optimizing. A loop to check against different Datacenter, or a loop to check against different Domain names……For me and this Demo the Workflow makes his job….

The Workflow can be found here:


Honeypot as a Service (HaaS) Part 1 Link:
Honeypot as a Service (HaaS) Part 2 Link:


New Version of OVF Transfer Plugin for vCO released

After a long time of development I am pleased to announce the availability of the New Version of the OVF Transfer Plugin. We reviewed the whole code of the old Plugin and rewrote it. With this Version we also improved the available feature.  The Plugin Description reads as flowing:

The OVA/F Transfer plug-in allows you to import and export virtual machines as OVF/OVA template to/from the VMware vCenter via the VMware vCenter/vRealize Orchestrator.

This plug-in provides actions and workflows to use the OVF/A functionalities directly in your own workflows.

Here are some functions of the new Plugin:

This plug-in includes amongst others following features:

  • [Export]  Export of virtual machines as OVF templates
  • [Import]  Import of virtual machines as OVF or OVA templates
  • [Import]  Support for vSS and vDS PortGroups
  • [Import]  Support for multiple vNics
  • [Import]  Support for OVF properties, e.g. used for virtual appliance imports
  • [Import/Export] Supported sources/destinations: Locale file, HTTP, HTTPS, FTP, CIFS

We included a lot of new functions which some of you required and fixed all Bugs which were reported.

For this Plugin the following types of sources are supported:

–       Local file (local means on vCO Server e.g. vCO appliance or vCO Windows installable)

–       HTTP, HTTPS

–       FTP

CIFS/Network Share (only with vCO Windows installable version

The Plugin is available at the VMware Solution Exchange  and is free of charge.

Many thanks to my colleague Sascha Bitzer who wrote and maintains the Plugin!


New OVF Transfer Plugin for vCO released

At the beginning of the Week I was pleased to place a new Plugin for the VMware vCenter Orchestrator in the VMware Solution Exchange ( ). The Plugin is called VMware Orchestrator OVF Transfer Plug-In and can be used to Up- and Download ovf Files with the VMware vCenter Orchestrator. Here is the description of the Plugin:
The OVF Transfer plug-in allows you to up and download OVF Templates to/from the vCenter via the vCO.
• The following operations are possible:
• Automatic deployment of your OVF templates
• Automatic export of VMs to an OVF

And some highlights:
• Upload OVF Templates via vCenter Orchestrator
• Download OVF Templates via vCenter Orchestrator
• As Source and Destinations the following places are available: Local file, HTTP, HTTPS and FTP. With the Windows installable version you can also use File share (CIFS)
You can download the Plugin from the VMware Solution Exchange here:

Many thanks to my colleague Carsten Schaefer who wrote and maintains the Plugin!


Backup vCloud Director vApps automatically, driven by vCO

This video shows another example how powerful vCenter Orchestrator really is:

Auto-Create a new Backup Job, whenever a new vApp is deployed in vCloud Director

vCloud Director Backup driven by vCenter Orchestrator from Joerg Lew on Vimeo.

For that I used the AMQP-Plugin, so that the “Create VM“-Event in vCD triggers the Generate Backup Job-Workflow. This workflow calls out to a Powershell-Script to create a new Backup Job using the vendor’s snapin. I used Veeam Backup&Recovery, because they provide a lot of helpful Cmdlets to automate their backup solution.

What to learn?

  • For vCloud Administrators: vCO allows you to integrate vCD with the rest of your IT-world
  • For Backup Vendors: Provide a Plugin for vCO (or at least a basic API), and your customer can integrate your backup product with the rest of their IT-world.
    (Then you don’t even have to develop the integration for vCloud Director from scratch 😉 )
  • For every VMware User: Even without vCloud Director you can use vCO for a lot of cool stuff to integrate your IT-world (what about to create a new Backup Job whenever anybody deploys a Template in vCenter…?)
  • For all: Be creative! Everything is possible with vCO!

References (in case I kicked your mind :mrgreen:)


vCO, SNMP Traps and vCOPS

Today I had the request, to generate a vCOPS Demo with an vCO integration. For that, I had a first look on Jörg’s post about is “Self-Healing datacenter” which can be found here:

For me, that was a good starting point but I want to integrate the SNMP Trap with an existing workflow. The creation of a Workflow to deal with snmp traps is not a big problem. The bigger problem is the “automatic” processing via Policy’s because there is no documentation (or I didn’t find it) . So I started to talk with Jörg and made some research in the web.  There I found this excellent post from William Lam about “Automatically Securing Virtual Machines Using vCenter Orchestrator”

This post from William (and his package) has everything inside we need.

First we have to create the preconditions like the SNMP installation in the vCO and the configuration in the vCOPS and the vCO. Jörg has this already documented here: so I will not repeat this steps here.

Let’s start with the Workflow development. First, we have to create a new workflow. I will call it “Execute Host Maintenance after trap” and I insert the following description “Waits to receive an SNMP trap from a vCenter Server instance, then set the host in maintenance mode or exist the maintenance mode “

After we created the Workflow, we go to the “Schema” tab

Here we insert some Elements. We need:

  • One Scriptable Task
  • One Decsion
  • The Workflow Enter Maintenance Mode
  • The Workflow Exit Maintenance Mode
  • And a Workflow End.

When you are ready your order should look like mine.

Now, let’s start with the Scriptable Task. I name it “Retrieve Host”. We want to extract the information out of the SNMP Message, for that we need some variables and SNMP Trap information. Let’s start with the SNMP Trap Information. The SNMP Messages comes with OID Numbers. Each OID Number has a different meaning and stands for a other component or message. The values of this OID Number can be found in the SNMP MIB Files which can be downloaded from the VMware Website. Every trap data has more than one OID Number



type: Number

snmp type: Timeticks

value: 1743301911

Element 2:



type: String

snmp type: OID


Element 3:



type: String

snmp type: Octet String

value: localhost

Element 4:



type: String

snmp type: Octet String


Element 5:



type: String

snmp type: Octet String

value: Resource

Element 6:



type: String

snmp type: Octet String

value: 1346068003943

Element 7:



type: String

snmp type: Octet String

value: Critical

Element 8:



type: String

snmp type: Octet String

value: New alert by id 36 is generated at Mon Aug 27 11:46:43 UTC 2012; Root Cause : (2 SYMPTOMS)

1. MESSAGE EVENT    (1 OF 3)

33% - FAULT -


Element 9:



type: String

snmp type: Octet String


Element 10:



type: Number

snmp type: Integer

value: 36

Element 11:



type: String

snmp type: Octet String

value: Verbindungsstatus der physischen Netzwerkkarte vmnic1 ist nicht bereit.

Element 12:



type: String

snmp type: Octet String

value: Health

Element 13:



type: String

snmp type: Octet String

value: Faults

For us, we want to search for the OID Number of the hostname and the error Message.

With this background information, we can create our needed In- and Outputs for our Workflow.

Local Parameter Variable Name Module Direction Type Value
trapData trapData Retrieve Host in Array/Properties
HostOID HostOID Retrieve Host in String
MessageOID MessageOID Retrieve Host in String
Host Host Retrieve Host out VC:HostSystem
SNMPMessage SNMPMessage Retrieve Host out String
NewAlert NewAlert Retrieve Host out Boolean

One important thing here: The trapData must be defined as Input Parameter not as attribute!

After we have created our variables, we can start with our scripting. I made a lot comments in the script, so everybody should understand what there happens….

// We extract the host name out of the SNMP TrapData
var HostName;
for (var x = 0; x < trapData.length; x++) {
var prop = trapData[x];
if (prop.get("oid") == HostOID) {
HostName = prop.get("value");

// We compare the extracted Hostname with the Hosts registred in the vCenter Server.
// when we hava a match, we have the managed object ID of the Host
var hosts = VcPlugin.getAllHostSystems();
for (var i = 0; i < trapData.length; i++) {
var tempHost = hosts[i];
if ( == HostName) {
Host = tempHost;

// We search for the OID in the Message to get the Field with the recieved error Message
var SNMPTrap;
for (var y = 0; y < trapData.length; y++) {
var prop = trapData[y];
if (prop.get("oid") == MessageOID) {
SNMPTrap = prop.get("value");

// Our search values in the Value Field of the Message
// When the Field contains the search string we beome the position. Otherwise be become a -1 value back.
var SNMPAlert = SNMPTrap.indexOf("New alert");
var SNMPCancel = SNMPTrap.indexOf("is cancelled");

// We check if the SNMP Trap has "New Alert" in the value field. Is so, we have a new alert.
if ( SNMPAlert != -1) {
NewAlert = true}
else {
NewAlert = false

Then we go to the Decsion. I name it “New Alert”. As Input we only need “NewAlert”. In the Decision field itself we set “NewAlert is true”.

After that, we go to the Enter Maintenance Mode. Here we only need to input variables:

Local Parameter Variable Name Module Direction Type Value
Host Host Enter Maintenance in VC:HostSystem
timeout timeout Enter Maintenance in number 0

Our Visual Binding has to look like this:

The same Variables and the same Visual Binding is required for Exit Maintenance Mode Workflow.

Local Parameter Variable Name Module Direction Type Value
Host Host Exit Maintenance in VC:HostSystem
timeout timeout Exit Maintenance in number 0

At last, we have to connect our Elements.  For the connections we Connect the start to “Retrieve Host” from there we connect the “New Alert”. From the “New Alert” we go with the Green line to “Enter Maintenance Mode” and with the red line to “Exit Maintenance Mode”.

Both Elements were connected to the End.

At last, we validate our Workflow and save our work.

After we have finished our Workflows, we create a Policy Template. For that, go to “policy Template” and create a folder with a name of your choice. I have a folder with the Name “”.

With a “right click” on the folder you can open a context menu and choose “ Add policy template..:”

First we have to insert a name and a description. I choose “SNMP Trap with data” as name.

Then we go to the Scripting tab

There we have to insert the Device from with we want to catch our data. You can insert the device by clicking on the first button.

In the Dialog we choose SNMP:SnmpDevice

Then we check the SNMP Device and then click on the Second button.

As trigger we choose “onTrap”

At last, we have to insert this Scripting in “Script” field from the “OnTrap” Trigger.

// Author Christian Strijbos ([email protected])
// based on Examples and a Blog Post of  William Lam
// SNMP Policy to Check for Host Maintenance in case of an host error

// Execute Host Maintenace after trap ID
// To catch the Workflow ID, just go to the Workflow, type CTRL-C, open Notepad and Type CTRL-V
// You will get the ID of the Workflow in the id. Field.
var wfId = "83808080808080808080808080808080AA8A808001345464207298aebf2a6a5a5";

// process SNMP trap
var key = event.getValue("key");
var snmpResult = SnmpService.retrievePolicyData(key);
var trapData = System.getModule("com.vmware.library.snmp").processSnmpResult(snmpResult);

// function to launch WF
function runWF(wfId,trapData) {
var workflowToLaunch = Server.getWorkflowWithId(wfId);
if (workflowToLaunch == null) {
throw "Workflow not found";
var workflowParameters = new Properties();
System.log("Launching Execute Host Maintenace after trap WF: " + wfId);
var wfToken = workflowToLaunch.execute(workflowParameters);

Some special notes here: In the Policy tab, variables are not highlighted. So if you write scripts on your own, make sure you write your variables well. Also there is no validation available, so there are a lot of possibility’s to make things go wrong 🙁

Save and close the template.

Next we want to apply out policy. Make a “right click” on the Policy Template and choose “Apply Policy..” in the Context menü.

In the menu you have to choose our SNMP Device

You can find your Policy under the “policy” Tab.

Right Click on it and choose “Edit”.

There you can choose our Startup Policy.  I choose “on Server Startup, start the Policy”. Save and  close the Policy.

At last, “right click” on the policy and start it.

After that, your policy is active and wait’s for SNMP traps from the vCOPS.

My setup follows the same principle like the integration with the SNMP Plugin with the vCenter Server like described in this Link:

35.8 KiB