CIM monitoring configuration on ESXi via PowerShell


As in many datacenters, we use monitoring software to keep track of many parameters of our infrastructure. Thanks to CIM, it is possible to use these APIs directly to monitor the hardware and health status of ESXi servers, rather than relying on scripts and agents to accomplish the same result.

Nagios has some cool plugins that use CIM to monitor ESXi, but the problem was correctly configuring the credentials needed to access CIM. I found out that William Lam had already dug into this problem, and his results are in this great blog post.

Anyway, since my comfort zone is in PowerShell code rather than Perl and Python, I used his findings to recreate the same script.

The goal, in both methods, is to create a user who only has the minimum privileges needed to read CIM data, so we can have a secure environment. In fact, by default ESXi has only these local Roles available:

If you try to create a nagios user, it will need this specific privilege:

So, we will need to create a new role that has only this privilege, to limit what the nagios user can do to the bare minimum. In William’s script the privilege is referenced by its ID, while in PowerShell you need to use its name. You can see the name in the roles management view, as in the screenshot above, or check it directly via PowerShell (Get-VIPrivilege without arguments gives you the complete list):

Also, as William discovered, the user needs to be a member of the root group. So, to limit this user at least somewhat, the script gives it no shell access.

This is the complete PowerShell script. With a simple for loop you can load a list of ESXi servers and configure them all at once.
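
The steps described above (single-privilege role, local user in the root group without shell access, permission on the host root), written out as an added example that is not the author's original script. It assumes VMware PowerCLI and hosts that still support local groups; the host names, the role name `CIM-ReadOnly` and the privilege ID `Host.Cim.CimInteraction` are assumptions not shown on this page.

```powershell
# Added example, not the original script. Requires VMware PowerCLI.
$esxiHosts  = 'esxi01.example.local', 'esxi02.example.local'  # placeholder host names
$roleName   = 'CIM-ReadOnly'                                  # hypothetical role name
$privId     = 'Host.Cim.CimInteraction'                       # assumed ID of the CIM privilege

# Prompt for secrets instead of hard-coding them in the script.
$rootCred   = Get-Credential root
$nagiosCred = Get-Credential nagios
$nagiosUser = $nagiosCred.UserName

foreach ($esxi in $esxiHosts) {
    $server = Connect-VIServer -Server $esxi -Credential $rootCred -ErrorAction Stop
    try {
        # Resolve the privilege object; $priv.Name is the display name PowerShell works with.
        $priv = Get-VIPrivilege -Server $server -Id $privId -ErrorAction Stop

        # Role that carries only the CIM privilege (created once per host).
        $role = Get-VIRole -Server $server -Name $roleName -ErrorAction SilentlyContinue
        if (-not $role) {
            $role = New-VIRole -Server $server -Name $roleName -Privilege $priv
        }

        # Local account: member of the root group, explicitly without shell access.
        $account = Get-VMHostAccount -Server $server -Id $nagiosUser -ErrorAction SilentlyContinue
        if (-not $account) {
            New-VMHostAccount -Server $server -Id $nagiosUser `
                -Password $nagiosCred.GetNetworkCredential().Password `
                -Description 'Nagios CIM monitoring' -UserAccount `
                -AssignGroups 'root' -GrantShellAccess:$false | Out-Null
        }

        # Bind the user to the restricted role at the root of the host inventory.
        $rootFolder = Get-Folder -Server $server -NoRecursion
        New-VIPermission -Server $server -Entity $rootFolder `
            -Principal $nagiosUser -Role $role | Out-Null

        # Print the result so the assignment can be reviewed per host.
        Get-VIPermission -Server $server -Principal $nagiosUser |
            Select-Object @{n='Host';e={$esxi}}, Principal, Role, Entity
    }
    finally {
        Disconnect-VIServer -Server $server -Confirm:$false
    }
}
```

The final `Get-VIPermission` output is the check to keep: on each host the nagios principal should appear with the restricted role only, not with Administrator.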