ESX Firewall Change Notifications using VCF Logs & Operations Alerts

In fast-moving IT environments, visibility is key—especially when it comes to security. One area worth watching closely: ESX firewall configuration changes. These can be part of routine updates… or early signs of a security issue.

If you’re running VMware Cloud Foundation (VCF), there’s good news. You can automate firewall change monitoring using VCF Operations for Logs and VCF Operations Manager. In this post, I’ll walk you through setting up a smart alerting system that notifies your team the moment a change happens—via Slack, PagerDuty, email, or whatever channel keeps your ops team connected.


🛠 Step-by-Step: Creating a VCF Alert for ESX Firewall Changes

You’ll complete this in three steps:


✅ Step 1: Define the Trigger in VCF Operations for Logs

Start by creating an alert definition that watches for the log string:

esx.audit.net.firewall.config.changed

This string is logged whenever a host's firewall configuration changes, so set up a real-time query that catches these events.

Alert Configuration:

  • Name/Description: Include variables for clarity (e.g., ESX firewall changed on ${hostname})
  • Text Contains: esx.audit.net.firewall.config.changed
  • Frequency: Real-time (check every minute)
  • Forwarding: Send results to VCF Operations as Message Event
  • Recommendation: Add operator guidance like “Review host firewall settings in the vSphere client.”



🔔 Step 2: Create a Symptom Definition in VCF Operations Manager

Now define the condition VCF Operations Manager will use to trigger an alert.

Steps:

  • In the VCF Operations console, navigate to: Infrastructure Operations → Configurations → Symptom Definitions
  • Go to the Message Event tab
  • Set Base Object Type to: Host System
  • Drag Notification Event Type into the center pane

Symptom Configuration:

  • Name: ESX firewall changed on ${hostname}
  • Condition: Use the Contains operator with: ESX firewall changed on ${hostname}
  • Trigger Level: Critical

This becomes the core of your alert logic.



🚨 Step 3: Build the Final Alert Definition

With your trigger and symptom defined, build the final alert.

Steps:

  • Navigate to: Infrastructure Operations → Configurations → Alert Definitions
  • Click Add to create a new alert

Alert Configuration Steps:

  • Name & Description – I kept this consistent: ESX firewall changed on ${hostname}
  • Symptoms/Conditions – In the right window, select Symptoms and make sure to choose Message Event from the dropdown. Search for the item that was created in step 2 and drag that entry into the center pane.
  • Complete the Recommendations and Policy attachment sections.
  • ⚠️ Avoid using the Default Policy—it may be overwritten during upgrades
  • ✅ Create and use a custom policy for persistence
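To see how the three steps fit together end to end, here is an added example that models the pipeline in plain Python. It is not code from this post, from VMware, or from VCF itself: it reproduces the logic of the Step 1 "Text Contains" query, the ${hostname} substitution in the alert name, the Step 2 "Contains" symptom and the Step 3 Critical alert, and runs it over a few constructed log lines. The syslog layout, field names (timestamp, hostname, text), the "Operation ... for rule set ..." detail parsing and the sample lines are all assumptions made for the example; only the event id string, the alert name template and the trigger level come from the post.

```python
"""Offline model of the three-step VCF alert flow described in this post.

Added example, not code from the post, from VMware, or from VCF itself. It
reproduces the logic of the three steps in plain Python so the matching
rules can be run against sample log lines:

  1. Operations for Logs query: "Text Contains" esx.audit.net.firewall.config.changed,
     forwarded as a Message Event named from the ${hostname} variable
  2. Symptom Definition: Notification Event "Contains" the alert name
  3. Alert Definition: symptom present -> Critical alert

The syslog layout, field names and sample lines are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TRIGGER_STRING = "esx.audit.net.firewall.config.changed"    # from the post
ALERT_NAME_TEMPLATE = "ESX firewall changed on ${hostname}"  # from the post
TRIGGER_LEVEL = "Critical"                                   # from the post

# Symptom condition modelled as the static part of the alert name, so the
# check does not depend on how the product expands ${hostname} (assumption).
SYMPTOM_CONTAINS = ALERT_NAME_TEMPLATE.split("${")[0].strip()

# Constructed sample lines in a generic "<timestamp> <host> <text>" layout.
# Lines 2 and 4 are deliberate non-matches: line 4 mentions "firewall" in
# free text but lacks the audit event id the query keys on.
SAMPLE_LOG_LINES = [
    "2025-01-15T10:02:11Z esx01.lab.local vobd: [esx.audit.net.firewall.config.changed] "
    "Firewall configuration has changed. Operation 'enable' for rule set sshServer succeeded.",
    "2025-01-15T10:02:15Z esx01.lab.local Hostd: User root@10.0.0.5 logged in",
    "2025-01-15T10:05:40Z esx02.lab.local vobd: [esx.audit.net.firewall.config.changed] "
    "Firewall configuration has changed. Operation 'addrule' for rule set remoteSerialPort succeeded.",
    "2025-01-15T10:06:01Z esx03.lab.local Hostd: Task: query firewall rulesets completed",
]

SYSLOG_RE = re.compile(r"^(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+(?P<text>.*)$")
# Detail extraction for the constructed message format (assumption).
OPERATION_RE = re.compile(r"Operation '(?P<op>\w+)' for rule set (?P<ruleset>\w+)")


@dataclass(frozen=True)
class MessageEvent:
    """What Operations for Logs forwards to VCF Operations (modelled)."""
    hostname: str
    name: str
    text: str
    operation: Optional[str]
    ruleset: Optional[str]


def render(template: str, fields: Dict[str, str]) -> str:
    """Expand ${var} placeholders; unknown variables are left untouched."""
    return re.sub(r"\$\{(\w+)\}", lambda m: fields.get(m.group(1), m.group(0)), template)


def query_firewall_changes(log_lines: List[str]) -> List[MessageEvent]:
    """Step 1: real-time 'Text Contains' query producing one Message Event per hit."""
    events = []
    for line in log_lines:
        m = SYSLOG_RE.match(line)
        if m is None or TRIGGER_STRING not in m.group("text"):
            continue
        fields = m.groupdict()
        detail = OPERATION_RE.search(fields["text"])
        events.append(MessageEvent(
            hostname=fields["hostname"],
            name=render(ALERT_NAME_TEMPLATE, fields),
            text=fields["text"],
            operation=detail.group("op") if detail else None,
            ruleset=detail.group("ruleset") if detail else None,
        ))
    return events


def symptom_matches(event: MessageEvent) -> bool:
    """Step 2: the Notification Event 'Contains' the alert name."""
    return SYMPTOM_CONTAINS in event.name


def build_alerts(log_lines: List[str]) -> List[Tuple[str, str, str, Optional[str], Optional[str]]]:
    """Step 3: raise a Critical alert for every event whose symptom fires.

    Returns (hostname, level, alert name, operation, ruleset) tuples, the
    fields an operator wants in the Slack/PagerDuty/email notification.
    """
    return [(e.hostname, TRIGGER_LEVEL, e.name, e.operation, e.ruleset)
            for e in query_firewall_changes(log_lines) if symptom_matches(e)]


if __name__ == "__main__":
    for host, level, name, op, ruleset in build_alerts(SAMPLE_LOG_LINES):
        print(f"[{level}] {name}: operation={op} ruleset={ruleset}")
```

Running it raises two Critical alerts, one for esx01 and one for esx02, and ignores the login line and the line that merely mentions "firewall" in free text. Matching on the audit event id rather than on a keyword is what keeps the real-time query precise; carrying the operation and rule set name through to the notification is what lets the on-call engineer judge quickly whether, for example, an SSH rule set being enabled was expected maintenance.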

📣 Get Notified Where It Matters

Once the alert is live, route notifications through your preferred systems:

  • PagerDuty – for incident escalation
  • Slack – for team visibility and fast response
  • Email – for audit tracking

Your team stays informed—whether it’s routine or something suspicious.


✨ Wrapping Up

Proactive security starts with awareness. With this alerting setup in VCF, you’re not just reacting—you’re staying one step ahead.
