Auditing VMware vCenter Actions (on SQL Server)

When you’ve got a SIEM appliance or application, you want actions and events going into it as a central repository. That allows you to see patterns and hopefully track incidents across systems. As a result, if you want to track actions in VMware’s vCenter and you’ve got the database hosted on SQL Server, you need to give access to the following two tables:

  • VPX_EVENT
  • VPX_EVENT_ARG

A standard tendency is to give the account that the SIEM product is using membership in the db_datareader role. Don’t do this. It’s a violation of the Principle of Least Privilege: db_datareader can read every table in the database, not just the two the SIEM needs. It’s far better to create a user-defined role and grant it the appropriate permissions. Then make the account a member of the role. For instance:

USE VirtualCenterDB;
GO

-- A dedicated role that carries only what the SIEM needs
CREATE ROLE [Auditor];
GO

-- Read access to the two event tables, and nothing else
GRANT SELECT ON OBJECT::dbo.VPX_EVENT TO [Auditor];
GRANT SELECT ON OBJECT::dbo.VPX_EVENT_ARG TO [Auditor];
GO

And then you make the user account being used by the SIEM product a member of the Auditor role.
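As an added example (not from the original post), here is that last step written out, followed by three checks that the account ended up with nothing beyond the two SELECT grants. The login name CORP\svc_siem is a placeholder for whatever account your SIEM product actually connects with.

```sql
USE VirtualCenterDB;
GO

-- Placeholder SIEM service account (Windows login shown; a SQL login
-- created with CREATE LOGIN ... WITH PASSWORD works the same way).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\svc_siem')
    CREATE LOGIN [CORP\svc_siem] FROM WINDOWS;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\svc_siem')
    CREATE USER [CORP\svc_siem] FOR LOGIN [CORP\svc_siem];
GO

-- Role membership is the only thing the account receives.
-- (On SQL Server 2008 R2 and older use: EXEC sp_addrolemember 'Auditor', 'CORP\svc_siem';)
ALTER ROLE [Auditor] ADD MEMBER [CORP\svc_siem];
GO

-- Check 1: what the Auditor role itself holds. Expect exactly two rows,
-- SELECT/GRANT on dbo.VPX_EVENT and dbo.VPX_EVENT_ARG.
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'Auditor'
  AND pe.class = 1;   -- object-level permissions only

-- Check 2: which roles the account belongs to. Expect a single row, Auditor;
-- db_datareader (or any other fixed role) showing up here means someone
-- took the shortcut the post warns against.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CORP\svc_siem';

-- Check 3: effective permissions as seen by the SIEM account itself.
EXECUTE AS USER = N'CORP\svc_siem';
-- Expect one row (SELECT) for each event table ...
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.VPX_EVENT', 'OBJECT')
WHERE permission_name = 'SELECT' AND subentity_name = '';
-- ... and at database scope only CONNECT, i.e. no blanket read access.
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

Run the three checks again whenever the SIEM account is touched; they are cheap to script into a recurring permissions review.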