    Vmware Audit

    • scottalanmiller @StorageNinja

      @John-Nicholson said in Vmware Audit:

      1. ALL of the data you're asking about is tracked in the ESXi logs.

      Not as he described it. Maybe what is actually required, but not as described. ESXi logs cannot track decoms, for example. And it isn't clear if the requirements are only VMware or other stuff as well.

      • StorageNinja Vendor @scottalanmiller

        @scottalanmiller The vCenter log will track decoms of VMs and hosts.
        VMware doesn't enforce licensing for non-VMware products (I'm not even sure if they are in the BSA, I think Microsoft dropped out and that group is largely CAD software stuff these days).

        • scottalanmiller @StorageNinja

          @John-Nicholson said in Vmware Audit:

          @scottalanmiller The vCenter log will track decoms of VMs and hosts.
          VMware doesn't enforce licensing for non-VMware products (I'm not even sure if they are in the BSA, I think Microsoft dropped out and that group is largely CAD software stuff these days).

          "Doesn't enforce licensing" is unrelated to "requires it in an audit", however. The concern that is raised here isn't what licensing is enforced, but how much it costs to perform an audit.

          • StorageNinja Vendor @scottalanmiller

            @scottalanmiller These audits generally involve filling out a spreadsheet according to best effort, and dumping the logs in the event an auditor really wants to validate something (oftentimes they have scripts or 3rd-party tools for this stuff).

            I've read several EAs over the years and never seen this language. This sounds like a lot of hand waving over a misunderstanding...

            • scottalanmiller @StorageNinja

              @John-Nicholson said in Vmware Audit:

              I've read several EAs over the years and never seen this language. This sounds like a lot of hand waving over a misunderstanding...

              Possibly. But VMware should make their audit requirements public if they want to have people know what they are. Keeping them secret means that companies claiming onerous audit requirements get nothing but tacit agreement from VMware. If there really are such limits, VMware should jump in and officially state so and relieve this company of believing that they have essentially impossible requirements to meet.

              • scottalanmiller @StorageNinja

                @John-Nicholson said in Vmware Audit:

                I've read several EAs over the years and never seen this language.

                Here is the thing... if EAs are standard, there should be no problem having the language of the audit be public. If they are not standard, then having seen many of them doesn't tell us anything.

                • scottalanmiller

                  So here is the real question at the end...

                  How do we, at the end of the day, know how VMware is going to hold us to audits? The cost of the legal team alone to verify the requirements would cost more than the product itself in the SMB space. If you are an enterprise, you will have the legal team for this. But even then, so much of auditing is "knowing how the vendor is going to behave" which gets really tough always depending on "well they aren't normally unreasonable." Often it isn't the vendor but random third-party auditors.

                  • thwr @Jason

                    @Jason said in Vmware Audit:

                    Not sure yet, but they want a lot of stuff and we have thousands of VMware servers. It's due within 7 days.

                    TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.

                    • scottalanmiller @thwr

                      @thwr said in Vmware Audit:

                      @Jason said in Vmware Audit:

                      Not sure yet, but they want a lot of stuff and we have thousands of VMware servers. It's due within 7 days.

                      TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.

                      Auditors don't care, they aren't paid through sales. They only make money, if they are paid that way, through penalties.

                      • thwr @scottalanmiller

                        @scottalanmiller said in Vmware Audit:

                        @thwr said in Vmware Audit:

                        @Jason said in Vmware Audit:

                        Not sure yet, but they want a lot of stuff and we have thousands of VMware servers. It's due within 7 days.

                        TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.

                        Auditors don't care, they aren't paid through sales. They only make money, if they are paid that way, through penalties.

                        Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?

                        Seven days is a joke, no matter the size. In case of being such a big customer, I would expect the audit to be announced at least a few months in advance and that the auditor will bring donuts and coffee. Sorry, this is driving me mad.

                        • DustinB3403

                          What would be great (for us to better understand this) is if @Jason could post a copy of the Audit forms that he's been given. Even if he excluded the details of the audit firm / his employer.

                          • scottalanmiller @thwr

                            @thwr said in Vmware Audit:

                            Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?

                            Often, at least with MS, they use external audit firms who are so far removed from wanting the customer to be happy that there is almost no way that things will go well. No idea how VMware does it.

                            • thwr @scottalanmiller

                              @scottalanmiller said in Vmware Audit:

                              @thwr said in Vmware Audit:

                              Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?

                              Often, at least with MS, they use external audit firms who are so far removed from wanting the customer to be happy that there is almost no way that things will go well. No idea how VMware does it.

                              I know, and that's the problem. Anyway, there's a company selling something, there's a customer who spends a reasonable amount of money and I would do virtually anything to keep that customer happy. It's not just about the money, but also about reputation.

                              • scottalanmiller

                                You would think. But it's a major reason why I've moved us to zero Windows servers. If you have a lot, whatever. If you get down to like just one, the audit risk could just go away. So we pushed hard to eliminate all of them. Why carry that risk unnecessarily.

                                Funny, in another thread that prompted this one to pop back up elsewhere, someone laughed at me for even taking audit risk into consideration with "you'd have to eliminate all audit risk" which, of course, makes no sense as each risk stands on its own. But we did just that... eliminated everything that had audit risk. It's very freeing.

                                • StorageNinja Vendor @scottalanmiller

                                  @scottalanmiller EAs and audit requirements have huge variables depending on industry, requirements, the country it's originated in, the countries it is used in. The language varies so much (and you can ask for things to be waived, changed, or added based on your needs). EAs are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from an oil company.

                                  • scottalanmiller @StorageNinja

                                    @John-Nicholson said in Vmware Audit:

                                    @scottalanmiller EAs and audit requirements have huge variables depending on industry, requirements, the country it's originated in, the countries it is used in. The language varies so much (and you can ask for things to be waived, changed, or added based on your needs). EAs are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from an oil company.

                                    I understand that it is very hard. It's also tough because the OP is saying that this is from a EULA, not from the EA. Hopefully he will chime in soon. It seems like crazy audit stuff.

                                    Is there a clear guide to what audit requirements would fall on someone NOT under an EA?

                                    • StorageNinja Vendor @thwr

                                      @thwr

                                      Depends on the agreement and your industry.
                                      If you're a service provider operating under SPLA (Microsoft) or VCAN (VMware) you have to be reporting this every 30 days. If the licensing had "per day, or per month" fees, it's completely normal to require this type of information be maintained. The most favorable (granular) licensing terms require the most aggressive logging information be maintained for audit purposes.

                                      • StorageNinja Vendor @scottalanmiller

                                        @scottalanmiller said in Vmware Audit:

                                        @scottalanmiller EAs and audit requirements have huge variables depending on industry, requirements, the country it's originated in, the countries it is used in. The language varies so much (and you can ask for things to be waived, changed, or added based on your needs). EAs are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from an oil company.

                                        I understand that it is very hard. It's also tough because the OP is saying that this is from a EULA, not from the EA. Hopefully he will chime in soon. It seems like crazy audit stuff.

                                        I don't believe auditing is in the standard EULA on the website. I have NEVER heard of a non-EA customer being audited.

                                        • scottalanmiller @StorageNinja

                                          @John-Nicholson said in Vmware Audit:

                                          @thwr

                                          Depends on the agreement and your industry.
                                          If you're a service provider operating under SPLA (Microsoft) or VCAN (VMware) you have to be reporting this every 30 days. If the licensing had "per day, or per month" fees, it's completely normal to require this type of information be maintained. The most favorable (granular) licensing terms require the most aggressive logging information be maintained for audit purposes.

                                          Maybe those needing that could send it automatically? Seems WAY better to have VMware getting your daily logs than to suddenly be on the hook for years of logs that go back before anyone is around to know first hand what might have been there.

                                          I'd happily log ship to a good vendor partner in real time. But having to maintain old data like that is scary. Too much to go wrong.

                                          • StorageNinja Vendor @scottalanmiller

                                            @scottalanmiller There is phone home capability in vSphere. Most people back up their vCenter DBs and hold onto that DB for the life of their environment.... If you're exporting logs to some type of SIEM, or something like LogInsight those can maintain logs as long as you want to archive.

                                            These are all normal things that F500s do (as well as many use over-archiving SAM solutions for tracking their licensing usage). This isn't something SMBs have to think or worry about (and when you're at this scale you enter into these types of EAs because the cost of the added overhead for compliance is generally significantly offset by the YUUUUUUUGE discounts you get).
