Refer to KB1844 for details on how VMware auditing with Netwrix Auditor works.
Overwrite warnings occur because there is a gap between the last collected event and the oldest of the newly received events.
Try running collections more frequently by configuring a scheduled task trigger.
If this does not help, perform the following steps to troubleshoot the issue and localize the problem:
- Download and install VMware PowerCLI. This package contains a set of PowerShell cmdlets that can be used to retrieve audit events from ESX hosts and vCenter.
Alternatively, you can download them from our file service using this link
NOTE. We uploaded them just in case you are unable to register at the VMware website.
The VMware PowerCLI documentation is available here: https://www.vmware.com/support/developer/PowerCLI/
- Then, after receiving a Change report for VMware with an event overwrites warning and changes that, as a result of the event overwrites, were reported as made by System, retrieve audit events using the VMware PowerCLI cmdlets by connecting to vCenter and the ESX hosts:
  - Run the Connect-VIServer cmdlet (https://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Connect-VIServer.html) to connect to the VMware host by running this command:
  - Run the Get-VIEvent cmdlet (https://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Get-VIEvent.html) to get all events for the last 24 hours by running this command:
This command exports all available events for all VMs for the last 24 hours and saves them to the D:\%ESX_host_name%.txt file.
- Perform these steps for every ESX host managed by the vCenter specified in Netwrix Auditor for VMware.
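The following script is an added example of the collection steps above; it is not part of the KB article and not Netwrix's own tooling. It assumes PowerCLI is installed, that `vcenter.example.local` is a placeholder for your vCenter name, and that output goes to `D:\` to match the `D:\%ESX_host_name%.txt` convention. It pulls the last 24 hours of events from vCenter once, splits them by the ESX host each event refers to (events with no host, such as vCenter logons, are kept under the vCenter name), and prints the oldest and newest retained timestamp per host, which is the value to compare against Netwrix Auditor's last collection time when investigating an overwrite warning.

```powershell
# Added example, not from the Netwrix KB: collect 24h of vCenter/ESX audit events
# with VMware PowerCLI and write one file per ESX host for the support case.
# Assumptions: PowerCLI is installed; 'vcenter.example.local' is a placeholder.

Import-Module VMware.PowerCLI -ErrorAction Stop

$vCenter   = 'vcenter.example.local'   # placeholder: your vCenter FQDN
$outputDir = 'D:\'                      # matches D:\<ESX_host_name>.txt above
$finish    = Get-Date
$start     = $finish.AddHours(-24)

# Prompt for credentials rather than embedding them in the script
$cred = Get-Credential -Message "Account with read access to $vCenter"
Connect-VIServer -Server $vCenter -Credential $cred | Out-Null

# Get-VIEvent returns only 100 events unless -MaxSamples is raised; on a busy
# vCenter the default would silently truncate the very window being diagnosed.
$events = Get-VIEvent -Start $start -Finish $finish -MaxSamples ([int]::MaxValue)

# Group by the ESX host the event refers to; host-less events go under vCenter
$byHost = $events | Group-Object { if ($_.Host) { $_.Host.Name } else { $vCenter } }

foreach ($group in $byHost) {
    $file   = Join-Path $outputDir ("{0}.txt" -f $group.Name)
    $sorted = @($group.Group | Sort-Object CreatedTime)

    # CSV content in the .txt file: time, user, event class, VM, message
    $sorted |
        Select-Object CreatedTime, UserName,
                      @{N='EventType'; E={ $_.GetType().Name }},
                      @{N='VM';        E={ if ($_.Vm) { $_.Vm.Name } }},
                      FullFormattedMessage |
        Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

    # The oldest retained event is what matters for an overwrite warning: if it is
    # newer than the last Netwrix Auditor collection, that gap is the cause.
    $oldest = $sorted[0].CreatedTime
    $newest = $sorted[-1].CreatedTime
    $line = "{0}: {1} events, oldest {2:u}, newest {3:u} -> {4}" -f $group.Name, $sorted.Count, $oldest, $newest, $file
    Write-Host $line
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run it from a PowerShell session on a machine that can reach vCenter, then attach the generated files to the support case as described below. If a host's oldest timestamp is only minutes old, its event buffer is rolling over faster than the collection interval, which is exactly the gap that produces the warning.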
- Submit a case and send us the following information:
  - Events retrieved with the VMware PowerCLI cmdlets from vCenter and the ESX hosts (the files created during the steps described in section 2 above)
  - The received VMware change summary report (the one after whose receipt the event files were generated) and the inventory report
  - Events from the following directory %% for the day you received the report with the warning and the day before
Archive these files and provide them with your support case to our Technical Support team.
Having the files with events from every server involved in the VMware data collection, we will be able to see which server's events are overwritten and probably why.