VMware

VMware Skyline: Log Assist & Encryption

A short time ago a colleague wrote to me and asked what to consider when encryption is used with vSAN (Data-at-Rest) or on the ESXi host and Log Assist from Skyline is to be used for a support request (SR).

I took this as an opportunity to take a deeper look at this topic and show what the difference is for encrypted systems.

But first, what does a vm-support Log Bundle contain?
A log bundle contains a set of information that VMware Support needs for troubleshooting. This diagnostic information about the ESXi host includes, for example, its name, log files and VM descriptions. The vm-support bundle also includes a so-called core dump. This is created when the ESXi host falls into a PSOD due to an error, e.g. at the hostd.

This core dump can contain further data from the memory (RAM) of the ESXi host.

This information is automatically moved into the bundle when a support bundle is created and is thus made available to support.
If this information should not be sent to support, it can be manually removed from the host before the bundle is created.
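A pre-upload check for the point above, as an added example that is not part of the original post: it lists the members of a bundle archive that look like core dumps, so you can confirm what is inside before handing it over. The file-name patterns (`zdump`, `vmmcores`) and the sample paths are assumptions constructed for illustration; adjust them to what your hosts actually produce.

```python
import io
import re
import tarfile

# Assumed core dump naming patterns (not taken from the article).
CORE_NAME = re.compile(r"zdump|^vmmcores", re.IGNORECASE)

def find_core_dumps(bundle):
    """Return sorted (member_name, size) pairs for files that look like core dumps.

    `bundle` is a seekable binary file object holding a tar archive
    (plain or compressed), e.g. open("bundle.tgz", "rb").
    """
    hits = []
    with tarfile.open(fileobj=bundle, mode="r:*") as tar:
        for member in tar:
            base = member.name.rsplit("/", 1)[-1]
            if member.isfile() and CORE_NAME.search(base):
                hits.append((member.name, member.size))
    return sorted(hits)

# Constructed sample content; a real bundle is far larger.
SAMPLE_MEMBERS = {
    "esx-host01/var/log/vmkernel.log": b"constructed log line\n",
    "esx-host01/etc/vmware/esx.conf": b"constructed config\n",
    "esx-host01/var/core/hostd-zdump.000": b"\x00" * 64,
    "esx-host01/vmfs/volumes/ds1/vm1/vmmcores.ve": b"\x00" * 32,
}

def build_sample_bundle():
    """Build a small in-memory .tgz so the check can run offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in SAMPLE_MEMBERS.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, size in find_core_dumps(build_sample_bundle()):
        print(f"core dump candidate: {name} ({size} bytes)")
```

An empty result only means no member matched the assumed name patterns; it does not prove the bundle is free of memory contents.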

The bundle can be created in several ways, as described in the KB article “Collecting diagnostic information for ESX/ESXi hosts and vCenter Server using the vSphere Web Client” at https://kb.vmware.com/s/article/2032892.

What if Encryption is active?

As soon as encryption is used, be it VM Encryption or vSAN Data-at-Rest encryption (Frank Denneman, for example, has written about the differences between the two in his blog), the core dump is also automatically encrypted. This prevents the data, which is considered sensitive, from being viewed by unauthorized persons.
If support needs this information, it must first be decrypted. This process is also described in the documentation: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-63728E8B-810D-418B-B1AA-6A0A2F92AABE.html.

What does Log Assist do from Skyline?

With Log Assist, a vm-support bundle of specific infrastructure components can be created for a running support request via the Skyline Collector and sent directly to support.
The “Initiate Log Transfer” process, which is triggered by Log Assist, does not currently collect and transfer core dump files!
Should this information still be required in the course of the case, the only remaining option is to manually upload a dedicated bundle. If encryption is active, the documentation helps here as well: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-D3FB2182-ECC9-42F2-9F87-11CBC33F414C.html.

One More Thing: Netdump collector service

You may have heard about the Netdump Collector Service, which allows a dump file to be stored directly on the vCenter over the network: https://kb.vmware.com/s/article/2002954
As soon as the ESXi host uses some kind of encryption, the dump file is of course stored encrypted on the Netdump Collector and can only be decrypted with crypto-util, following the described process: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-A8D99C90-A092-46F8-B9C2-F62856C3AC90.html.

How to configure Netdump:
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.install.doc/GUID-85D78165-E590-42CF-80AC-E78CBA307232.html
https://kb.vmware.com/s/article/2151072

Author

I have more than 13 years of experience in the Telco and IT business. Most of this time I spent with VMware environments in the SMB / Enterprise environment. At first I worked in the support department, then I changed to the consulting area and then to the operations and architecture team of a large provider of IT solutions for tax consultants. Currently I work as a Technical Account Manager at VMware. I have an affinity for VDI solutions with a strong technical background in the core product range of our company.