Alert/Notification when a VM is added or removed from the Exclusion List in NSX for vSphere


Here is a quick approach to setting up a Log Insight alert to send out a notification when a VM is added/removed from the Exclusion List in NSX.

Below is the event you would expect in syslog (Log Insight in this case), along with a screenshot of the filter (from the NSX content pack in Log Insight) I used to locate it. I built a simple email alert notification using these two things.
The syslog event tells you the UserName that made the change to the exclusion list.

2019-04-04T19:56:20.048+11:00 nsx-manager.ultimate.local NSXV 6146 -  [nsxv@6876 comp="nsx-manager" subcomp="manager"] [AuditLog]  
UserName:'vsphere.local\administrator', ModuleName:'APP_EXCLUDE_LIST',  Operation:'MODIFY', Resource:'Global', 
Time:'Thu Apr 04 19:56:20.047  AEDT 2019', Status:'SUCCESS', Universal Object:'false   
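
The same match expressed as code, as an added example that is not part of the original post: it parses the [AuditLog] event above, selects exclusion list changes by ModuleName and reports the UserName. The function names, the ModuleName-only match and the two constructed sample lines are assumptions.

```python
import re

# Audit fields look like Key:'value'. The closing quote is optional because
# the page's sample event ends with an unterminated Universal Object:'false
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):'([^']*)'?")

def parse_audit(line):
    """Return the fields of an NSX Manager [AuditLog] line, or None."""
    head, sep, body = line.partition("[AuditLog]")
    if not sep:
        return None
    fields = {key: value.strip() for key, value in FIELD_RE.findall(body)}
    parts = head.split()
    if len(parts) >= 2:
        fields["syslog_time"], fields["host"] = parts[0], parts[1]
    return fields

def exclusion_list_changes(lines):
    """Select audit events whose ModuleName is APP_EXCLUDE_LIST."""
    events = (parse_audit(line) for line in lines)
    # Assumption: matching on ModuleName alone; the page's filter is a screenshot
    return [e for e in events if e and e.get("ModuleName") == "APP_EXCLUDE_LIST"]

def format_alert(event):
    """One-line notification text naming who made the change."""
    return "NSX exclusion list {} by {} ({}) on {} at {}".format(
        event.get("Operation", "?"), event.get("UserName", "?"),
        event.get("Status", "?"), event.get("host", "?"),
        event.get("syslog_time", "?"))

SAMPLE = [
    # Event from the page, joined onto one line
    r"""2019-04-04T19:56:20.048+11:00 nsx-manager.ultimate.local NSXV 6146 - """
    r"""[nsxv@6876 comp="nsx-manager" subcomp="manager"] [AuditLog] """
    r"""UserName:'vsphere.local\administrator', ModuleName:'APP_EXCLUDE_LIST', """
    r"""Operation:'MODIFY', Resource:'Global', """
    r"""Time:'Thu Apr 04 19:56:20.047  AEDT 2019', Status:'SUCCESS', """
    r"""Universal Object:'false""",
    # Constructed: audit event for a placeholder module, must not alert
    r"""2019-04-04T20:01:02.000+11:00 nsx-manager.ultimate.local NSXV 6146 - """
    r"""[nsxv@6876 comp="nsx-manager" subcomp="manager"] [AuditLog] """
    r"""UserName:'vsphere.local\administrator', ModuleName:'PLACEHOLDER_MODULE', """
    r"""Operation:'MODIFY', Status:'SUCCESS'""",
    # Constructed: non-audit line
    "2019-04-04T20:05:00.000+11:00 nsx-manager.ultimate.local NSXV 6146 - sample",
]

if __name__ == "__main__":
    for event in exclusion_list_changes(SAMPLE):
        print(format_alert(event))
```

The event shown carries no VM identifier, so the alert can only say who changed the list and when.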

You can then look in the Network and Security tab in NSX and see what was changed in the Exclusion List. We can see here that vm-103 was removed.

You can quickly translate the VM object name to its inventory name using the PowerCLI one-liner below:

Get-VM -Id VirtualMachine-vm-103