2.5.1 For VMware
If the virtual environment to be monitored uses VMware environment, communication between PFM - RM for Virtual Machine and the virtual environment is encrypted using SSL/TLS#.
Therefore, the following settings are required:
-
Setting of encrypted communication (For the PFM - RM for Virtual Machine host of Windows Server 2016 or later)
-
Confirmation the certificate used in the monitored VMware ESX
-
Installing a CA certificate in the PFM - RM for Virtual Machine host
- #
-
The SSL/TLS communication protocol is using the Internet Options of the user account set for HostUserID in the instance environment settings.
If you change the settings, log in to the PFM - RM for Virtual Machine host by using the user account set for HostUserID in the instance environment settings, in the Internet Options dialog box, click the Advanced tab, and then change the settings in the Security category. If you do not use SSL 3.0, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 in the Security category.
- Organization of this subsection
(1) Setting of encrypted communication (For the PFM - RM for Virtual Machine host of Windows Server 2016 or later)
One of the following methods is required for the PFM - RM for Virtual Machine host of Windows Server 2016 or later:
- Important
-
If the settings are not made, the status will be as follows and the report cannot be displayed.
-
Status field of Host Status Detail (PD) record is SUCCESS
-
VM Count field of Host Status Detail (PD) record is 0
-
VM Active field of Host Status Detail (PD) record is 0
-
No data other than Host Status Detail (PD) records is collected.
-
(a) Add the Web site to the Restricted Sites or Trusted Sites zones
Using by the user specified as a HostUserID in the "Internet Options" dialog box for instance setting, select the "Security" tab, specify a host for monitoring target to "Add this website to the zone:" in "Local Intranet" or "Trusted sites" as followings:
If you have more than one monitoring target, add each of them to the zone for the Web site.
https://( monitoring-target-hosts-name #)
- #
-
When VM_Host is not specified by setting for the monitoring target, specify the name of Target Host. When VM_Host is specified, specify the name of VM_Host.
(b) Turn off Internet Explorer Enhanced Security Configuration
For the group (Administrators or Users groups) includes the user specified as a HostUserID in the Internet Options dialog box for instance setting, turn off on "Internet Explorer Enhanced Security Configuration" dialog box.
In this case, be careful that the settings are applied for the other users in the same group.
If a user other than the user specified as a HostUserID turns off this configuration, the user with HostUserID needs to log on to the PFM - RM host to apply the configuration change.
(2) Confirmation the certificate used for the monitored VMware ESX
Check the certificate used by VMware ESX to be monitored. To check it with Internet Explorer, use the following procedure.
(a) Open the login page of VMware ESX to be monitored
In the address bar of Internet Explorer, enter https://name-of-the-monitored-host to open the login page of VMware ESX.
If you see the This site is not secure message, select Go on to the webpage (not recommended) under More information.
(b) Show the certificate
In the address bar of Internet Explorer, click Certificate Error or the key icon, and in the pop-up window that appears, select View Certificate.
(c) Check the certificate
In the General tab of the Certificate dialog box, check the Issued by field. The following types of certificates are available:
-
Default certificate
If the issuer is VMware Installer, the certificate will be a default certificate.
-
vCenter Server certificate
If the issuer is CA and the Issuer field in the Details tab of the Certificate dialog box is VMware Engineering, the certificate will be a vCenter Server certificate.
-
Your own certificate
The certificates issued by any issuer other than the above will be your own certificate.
If VMware ESX to be monitored uses the default certificate, you do not have to install the CA certificate in the PFM - RM for Virtual Machine host. However, when monitoring using the default certificate, see (3) When using the default certificate.
If a vCenter Server certificate or an own certificate is used for the monitored VMware ESX, a CA certificate must be installed in the PFM-RM for Virtual Machine host.
If you are using a vCenter Server certificate on the monitored VMware ESX or using your own certificate, see (4) When obtaining and operating a CA certificate.
Furthermore, check the certificate of VMware ESX to see if:
-
The validity period for the certificate of VMware ESX is valid.
-
The name specified in the Issued to field of the VMware ESX certificate can be resolved by the PFM - RM for Virtual Machine host.
-
The name specified in the Issued to field of the certificate is the same as that of the host to be specified as the target monitored by PFM - RM for Virtual Machine.
If these host names are inconsistent, the certificate is handled as an invalid one.
You need to configure the monitored host differently according to the Issued to field of the VMware ESX certificate. Based on your environment, configure it as follows:
-
If the Issued to field of the VMware ESX certificate contains a domain name
Specify the name entered in the Issued to field of the VMware ESX certificate for the VM_Host parameter of the settings for the monitored host.
-
If the Issued to field of the VMware ESX certificate contains a host name, but not a domain name
Specify the name entered in the Issued to field of the VMware ESX certificate for the Target Host parameter of the settings for the monitored host.
Specify no value or specify the same value as that of the Target Host parameter for the VM_Host parameter of the settings for the monitored host.
-
If you monitor the target without installing the CA certificate in the PFM - RM for Virtual Machine host when VMware ESX to be monitored uses the vCenter Server certificate or your own certificate, see (3) When using the default certificate, just like the case where the default certificate is used.
(3) When using the default certificate
If you choose to use a default certificate of VMware Installer, the following precautions need to be taken.
-
For an environment that cannot communicate with the Windows Update site
The Update Root Certificates function works for communications that use a certificate. When the Update Root Certificates function verifies the certificate, the function does so by downloading the latest information from the Windows Update site. When the Update Root Certificates function is enabled, if the environment does not allow the host that runs PFM - RM for Virtual Machine to communicate with the Windows Update site, verifying the certificate might take a long time.
If certificate verification takes too much time, the KAVL20014-W warning message is output to the common message log and the monitoring cannot be performed.
- Important
-
If certificate verification takes a long time, the following problems may occur.
-
When collecting performance data, it takes a long time for the response from the connection destination VMware, a KAVL20516-W warning message is output to the common message log, and the collection of performance data does not complete within the collection interval.
-
When collecting performance data, it takes a long time for the response from the connection destination VMware to occur, a KAVL20014-W warning message is output to the common message log, and collection fails.
Take one of the following actions:
-
Review the network environment so that the Windows root certificate update function operates.
-
Change the Windows settings (the security policy settings of the OS) so that the Update Root Certificates function does not communicate with the Windows Update site.
-
Modify the network environment so that the Update Root Certificates function can run normally.
-
Change the Windows settings (the security policy settings of the OS) so that the Update Root Certificates function does not communicate with the Windows Update site.
-
-
Ignore the KAVL20205-W warning message that is output to the common message log
If 1 is specified for Security in the monitoring target settings, the KAVL20205-W warning message is output to the common message log because the default certificate of VMware is not a valid certificate. In this case, make sure that the message can be safely ignored for normal operation.
If the warning message is not necessary, specify 2 for Security in the monitoring target settings.
Note that when the default certificate of VMware is used, monitoring does not function if 3 is specified for Security in monitoring target settings.
-
Operation using a certificate that cannot be trusted
The default certificate of VMware is determined to be a certificate that cannot be trusted by certificate verification. Make sure that a certificate that cannot be trusted does not cause problems that affect operation.
(4) When obtaining and operating a CA certificate
To operate with a CA certificate, obtain the issuing CA certificate and import it to the PFM-VM for Virtual Machine host.
(a) Obtain the CA certificate
-
When the vCenter Server certificate is used
If you used the vCenter Server for VMware ESX management, obtain CA certificate from vCenter Server. The vCenter Server's CA certificate is available from "Download trusted root CA certificates" on the page where "Getting Started" of vCenter Server is displayed.
For details about, the following knowledge base. For questions about knowledge base, contact VMware.
KB 2108294 : How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings
-
When your own certificate is used
Obtain the CA certificate from the administrator of the certificate.
Check whether the obtained CA certificate is the validity period.
In addition, if the validity period of the certificate is expired, you need to obtain a new CA certificate and import it.
(b) Importing the default certificate for VMware
After you have prepared a CA certificate for VMware as described in (1) above, import the certificate onto the PFM-VM host. To import the certificate:
-
In Windows, choose Start and then Run.
The Run dialog box opens.
-
In the Run dialog box, enter mmc and click OK.
Management Console starts.
-
In Console1, choose File and then Add/Remove Snap-in.
The Add/Remove Snap-in dialog box opens.
-
Choose Certificates and then click Add.
The Certificates snap-in dialog box opens.
-
Choose Computer account and then click Next.
The Select Computer dialog box opens.
-
Choose Local computer and click Finish.
-
Check that Certificates (Local Computer) is added to Selected snap-ins and click OK.
-
Expand Certificates (Local Computer) and right-click Certificates under Trusted Root Certification Authorities. Then click All Tasks and Import from the displayed menu items.
-
In the right pane of Console1, right-click Trusted Root Certification Authorities, then All Tasks and Import.
The Certificate Import Wizard dialog box opens.
-
Click Next.
-
In the File name text box, enter the file name under which to save the certificate, and then click Next.
-
Choose Place all certificates in the following store, and then click Next.
-
Click Finish.
-
Click OK.
(5) Confirmation of Host Logical Disk Status (PI_HLDI) record
The PI_HLDI record source data is equivalent to the amount of free space displayed for the storage on the Configuration page when the connection-destination VMware ESX is displayed in vSphere Client.#
- #
-
This value might be different from the amount of free space displayed in vSphere Client that is connected to vCenter Server. If vSphere Client is connected to vCenter Server, recheck the value by connecting to VMware ESX.
As a result, if you monitor free space on the VMware datastore by using the Used, Free, and Used % fields of the PI_HLDI record, which are retrieved by PFM - RM for Virtual Machine, the value might not be changed when collecting performance data or evaluating the alert.
By using the Last Update field of the PI_HLDI record, make sure that the last update time of the VMware datastore is periodically updated.
If it is not periodically updated, consider the following knowledge base.
For further information about countermeasures or other topics, contact VMware.
KB2008367: Amount of free space reported on the host is incorrect in vCenter Server
(6) User defined records
If the monitoring target is a VMware environment, you can use user defined records to monitor performance information that is not retrieved by PFM - RM for Virtual Machine.
(a) User defined record collection
The following records are used in user defined record collection:
-
Host Generic Data Detail (PD_HGDD)
-
Host Generic Data Interval (PI_HGDI)
-
VM Generic Data Detail (PD_VGDD)
-
VM Generic Data Interval (PI_VGDI)
Each record has different record types and monitoring targets. Use the record that meets your needs.
The following table shows the details of the records.
Record name |
Record type |
Monitoring target |
Use it to: |
---|---|---|---|
Host Generic Data Detail (PD_HGDD) |
PD record |
Physical server |
Get the physical server's system status at a given point in time. |
Host Generic Data Interval (PI_HGDI) |
PI record |
Physical server |
Analyze changes or trends in the physical server's system status over time. |
VM Generic Data Detail (PD_VGDD) |
PD record |
Virtual machine |
Get the virtual machine's system status at a given point in time. |
VM Generic Data Interval (PI_VGDI) |
PI record |
Virtual machine |
Analyze changes or trends in the virtual machine's system status over time. |
(b) Items collected in user defined records
You can see which items are collected in user defined records by checking the performance chart of VMware vSphere Client.
For example, if you want to monitor utilization of the physical server's CPU core, you check the following items:
- Items collected for CPU core utilization
-
Chart Options: CPU
Rollup: average
Internal Name: coreUtilization
(c) Deploying the user-defined record definition file
Add the user-defined record definition file with the name recorddef.ini to the folder of the instance whose VM_Type is vmware.
- For physical hosts:
-
installation-folder\agt8\agent\instance-name\recorddef.ini
- For logical hosts:
-
environment-folder\jp1pc\agt8\agent\instance-name\recorddef.ini
The same definition file is used for all the monitoring targets in the instance.
- Examples where the instance name is inst01:
-
-
For physical hosts:
installation-folder\agt8\agent\inst01\recorddef.ini
-
For logical hosts:
environment-folder\jp1pc\agt8\agent\inst01\recorddef.ini
-
The user-defined record define information file is validated when the Remote Monitor Collector service starts. If there is no error in the file, the message KAVL20528-I is output. If there is an error in the file, the message KAVL20527-W is output, and the Remote Monitor Collector service starts without collecting user defined records.
- Note
-
If you change the user-defined record definition file, restart the Remote Monitor Collector service. The definition file that was loaded at startup is not updated until the service is restarted.
(d) Creating the user-defined record definition file
You can specify the user defined records to be monitored and the items to be collected to create the user-defined record definition file.
- Format of the definition file
-
Configure the user-defined record definition file (in ini format) as follows:
[record-ID] [[section-name]] TYPE=chart-option NAME=internal-name ROLLUP=rollup
- Items of the definition file
-
The following table shows the items you need to specify.
Item
Parameter
Explanation
1
[record-ID]
Specify the record ID in which data is stored.
Values can be:
-
PD_HGDD: Host Generic Data Detail record
-
PI_HGDI: Host Generic Data Interval record
-
PD_VGDD: VM Generic Data Detail record
-
PI_VGDI: VM Generic Data Interval record
2
[[section-name]]
Specify the section name with up to 32 bytes of single-byte alphanumeric characters, hyphens (-), and underscores (_).
The specified section name is stored in the SECTION_NAME field.
3
TYPE=chart-option
Specify the chart option# with up to 32 bytes of single-byte alphanumeric characters.
If the specified chart option does not exist, no performance data will be collected.
4
NAME=internal-name
Specify the name of the performance counter (internal name) with up to 64 bytes of single-byte alphanumeric characters and periods (.).
If the specified internal name does not exist, no performance data will be collected.
5
ROLLUP=rollup
Specify the rollup.
Values can be:
-
Average value: average
-
Latest value: latest
-
Summary value: summation
If the specified rollup does not exist, no performance data will be collected.
Item
Chart option
Value to be specified
Corresponding record ID
1
CPU
cpu
PD_HGDD, PI_HGDI, PD_VGDD, and PI_VGDI
2
vSphere Replication
hbr
PD_HGDD and PI_HGDI
3
System
sys
PD_HGDD, PI_HGDI, PD_VGDD, and PI_VGDI
4
Storage adapter
storageAdapter
PD_HGDD and PI_HGDI
5
Storage path
storagePath
PD_HGDD and PI_HGDI
6
Disk
disk
PD_HGDD, PI_HGDI, PD_VGDD, and PI_VGDI
7
Datastore
datastore
PD_HGDD, PI_HGDI, PD_VGDD, and PI_VGDI
8
Network
net
PD_HGDD, PI_HGDI, PD_VGDD, and PI_VGDI
9
Memory
mem
PD_HGDD, PI_HGDI, PD_VGDD, and PI_VGDI
10
Virtual flash
vflashModule
PD_HGDD and PI_HGDI
11
Virtual disk
virtualDisk
PD_VGDD and PI_VGDI
12
Power source
power
PD_HGDD, PI_HGDI, PD_VGDD, and PI_VGDI
13
Information on the management agent
managementAgent
PD_HGDD and PI_HGDI
-
- Definition example for utilization of the physical server's CPU core
[PD_HGDD] [[CPU_CORE_UTIL]] TYPE=cpu NAME=coreUtilization ROLLUP=average
- Notes
-
-
If there is no performance data that matches the combination of the specified items, the type name (TYPE), counter name (NAME), and rollup type (ROLLUP), no user defined record will be collected. Create a report for the user defined record to make sure the items are output.
-
The number of the section names in the user-defined record definition file must not exceed 100. Collecting performance data can take a long time when many section names are listed in the file.
-
If a large number of virtual machines monitored are running, the number of the PI_VGDI records increases. Keep this in mind, and monitor the PFM-RM host to prevent a poor disk performance or a storage shortage.
-
The user-defined record definition file is loaded during startup of the PFM - RM for Virtual Machine service. If you change the definition file, restart the service.
-
If there is an error in the user-defined record definition file, the message KAVL20527-W is output to the common message log. Check the line number and the details in the message to correct the file.
-
If there is an error in the user-defined record definition file, the PFM - RM for Virtual Machine service starts while ignoring the record type that includes the error. You can check the valid defined record types in the message KAVL20528-I, which is output to the common message log.
-
If the message KAVL20528-I is not output to the common message log, no user defined records will be collected. Make sure that the location where the user-defined record definition file is stored, the file name, and the contents of the file are correct.
-
(e) Examples of the definition and output
Here are examples of the definition and output to collect CPU wait time and memory wait time for physical servers and virtual machines.
- Definition example:
[PD_HGDD] [[CPU_WAIT]] TYPE=cpu NAME=wait ROLLUP=summation [[MEM_LATENCY]] TYPE=mem NAME=latency ROLLUP=average [PI_VGDI] [[CPU_WAIT]] TYPE=cpu NAME=wait ROLLUP=summation [[MEM_LATENCY]] TYPE=mem NAME=latency ROLLUP=average
- Output example:
-
Host Generic Data Detail (PD_HGDD) record
Section Name
Data Name
Object Name
String Data
Double Data
CPU_WAIT
wait
0
0
0.0
CPU_WAIT
wait
1
24
24.0
MEM_LATENCY
latency
n/a
0
0.0
VM Generic Data Interval (PI_VGDI) record
Section Name
Data Name
Object Name
String Data
Double Data
CPU_WAIT
wait
0
1.2
1.2
CPU_WAIT
wait
1
1
1.0
MEM_LATENCY
latency
n/a
0.2
0.2