Discover VMs with Duplicate IPs using VCF Operations for Logs
- Brock Peterson
I was trying to find VMs with duplicate IPs in my environment. There's no easy way to do this in VCF Operations as you can't compare VM Properties to other VM Properties in Alerts/Symptoms, so I started looking at VCF Operations for Logs and found this Alert Definition.

As the Origin indicates, this Alert Definition comes with the VMware - vSphere Content Pack. Go to Content Packs - Installed Content Packs (in my case as it's already installed) - Alerts tab.

Scrolling down you can find the Alert Definition.

I enabled the Alert Definition, configured it to send Notifications (emails and Alerts to VCF Operations), and waited. And Waited. And Waited. Nothing. So I explored the Alert Definition in a bit more detail.

I had no idea what the Query was looking for, so I clicked RUN QUERY to see the details.

This Query is looking for the existence of these Extracted Fields (defined by the VMware-vSphere Content Pack), and not finding any in this case. Clicking the eyeball icon on the right will show the detail of the Extracted Field.

We need more detail about these Extracted Fields from VMware - vSphere Content Pack - Extracted Fields.

Notice the filepath contains a vpxd filter; this is a clue that these logs are coming from a vRLI Agent. Looking at the Setup Instructions for the Content Pack provides some detail.

It clearly hasn't been updated in a while, but does point us to the need for the vRLI Agent on the vCenter VM(s). Note: as called out in the Setup Instructions, vCenter Syslog forwarding to Operations for Logs is not enabled by the vSphere Integration; you must do it manually. I'll detail this in another blog.

I installed the vRLI Agent on my vCenter VM; documentation can be found here. Once installed, configured, and started, it logged into my VCF Operations for Logs instance.

Next I created an Agent Group called vSphere 8.0 - vCenter, which was cloned from the Agent Group of the same name that came in the VMware - vSphere Content Pack. I added a filter to filter in my vRLI Agent and saved the configuration. I immediately started seeing logs come in, based on the File Logs defined in the Agent Group.

But, still no Alerts or Notifications on duplicate IPs. So I decided to power off the VM with the duplicate IP and power it back on and voila, there it is!

You'll notice the Extracted Fields still aren't there. I think they are using malformed REGEX, but they aren't necessary anyway. I cloned the out-of-the-box Duplicate IP Alert Definition to this.

With my new Alert Definition (with email notifications) in place, I booted the VM with the duplicate IP and received the email I expected.

This went much deeper than I expected when looking for a way to detect VMs with duplicate IPs, but with a few gotchas along the way, I wanted to blog it. I hope it was helpful, enjoy!