[Updated 26-03: Added the NSX API call script]

During the last few years we’ve had some fun demos at the Dutch VMUG Usercon. We’ve automated a coffee machine using vRealize Orchestrator. We did a vRealize Automation challenge where competitors could control a lightsaber when they successfully completed the blueprint. Because the Dutch VMUG Usercon is the largest in the world, with 1,000 attendees, we needed to come up with something special. So we decided to control NSX using Log Insight webhooks and a Lego Mindstorms robot.

Actually @smitmartijn had already volunteered to set up an NSX demo with micro-segmentation. We built on that idea and, to show the endless possibilities with VMware software, we threw vRealize Log Insight and vRealize Operations into the mix. The idea was to have Usercon attendees control NSX using the Lego Mindstorms robot. The VMUG Usercon is a gathering of tech-savvy VMware enthusiasts who like nothing more than to get their hands on tech, geeky stuff. So a Lego Mindstorms robot should attract some attention.

Building the robot

First I built the Gripp3r robot from the Lego manual, because this was a robot which was able to pick up and move items. I had to extend this design and add two additional functions. First, the robot should be able to recognise the ‘zone’ in which it placed an object. Second, it had to recognise which virtual machine it was moving. For this I added two color sensors: one facing down to detect the color of the ‘zone’, red for the unsafe/not segmented zone, green for the safe micro-segmented zone. I placed the second color sensor near the gripper, which enabled me to detect the color of the object, blue for virtual machine 1, white for virtual machine 2.

For those of you who know Lego Mindstorms: you program it by placing blocks on a design canvas and assigning a function to each block. Much like the example you see below.


The programming was easy and before I knew it I had a robot which could be controlled with a remote control and was able to pick up and move objects.

Programming the robot

The next step was to set up communications between the robot and NSX. Because the Lego Mindstorms EV3 software is Linux based, the idea was to use vRealize Log Insight to gather the syslog and base actions on that. The only thing I needed to do was to enable syslog and point it to our Log Insight instance, easy…….. Ehm, wrong! The standard Lego software proved to be very closed and read-only, allowing no changes. Some searching pointed me to ‘ev3dev’, a Debian Linux-based operating system that runs on several Lego Mindstorms compatible platforms, including the Lego Mindstorms EV3 we were using. The only downside was that the graphical block programming shown above no longer worked. I would have to program the Lego Mindstorms EV3 using Python, JavaScript, Go, C or C++. Because a lot of examples online used Python, I decided to go with that.


After a long weekend I got it working. I programmed the robot to respond to the IR remote control. I created two tubes, a white and a blue one, which represent the virtual machines to move around. For those who would like to do this themselves, here’s the code.

Setup communications

As you can see in the code above, the robot writes a message to the syslog every time it puts an object down. The syslog message includes the zone name and the virtual machine number. To enable syslog I installed syslog-ng and configured the syslog to be forwarded to our Log Insight instance.

Once I set this up, Log Insight picked up on the syslog message right away. Easy does it.


Trigger actions on NSX

Now we had to perform actions in NSX. We decided to use Log Insight webhooks to initiate the assignment of the security groups to the virtual machines, which in turn results in the virtual machines being micro-segmented.

Log Insight webhooks are available from version 3.3 and provide a simple and extensible way to map Log Insight alerts to third-party actions. Of course, you need to translate Log Insight webhooks from the output format of Log Insight into the input format of the third-party destination using a shim.

With Log Insight webhooks you can build integrations with:

  • PagerDuty.
  • Slack.
  • Socialcast.
  • Bugzilla.
  • HipChat.
  • Jenkins.
  • OpsGenie.
  • ServiceNow.
  • PushBullet.
  • vRealize Orchestrator.
  • ZenDesk.

We then created filters in Log Insight and created alerts for them, using Log Insight webhooks to initiate the action in NSX via a web server.

NSX API

After creating the Log Insight webhooks, we needed something that translates a Log Insight webhook into an NSX API call. This was done using a web server with a basic PHP script behind it. The PHP script has a different route for each action:

  • http://webserver/vm1_green – Safeguarding VM1 by blocking traffic
  • http://webserver/vm2_green – Safeguarding VM2 by blocking traffic
  • http://webserver/vm1_red – Unsecuring VM1 by allowing traffic
  • http://webserver/vm2_red – Unsecuring VM2 by allowing traffic

To create this I used the Slim PHP Framework as a kickstarter, which makes it pretty easy and allows the code to be small. Below is the entire script:
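The original PHP script is not reproduced on this page, so here is an added example in Python (not the author's code) of the same shim logic: the four routes above are allow-listed, each one is resolved to the NSX-v security group membership call (PUT adds a VM, DELETE removes it, per the NSX-v 6.x API; check this against your version), and the incoming webhook is authenticated with a shared secret. The NSX Manager hostname, security group id, VM MoRefs, the secret and the header name carrying it are constructed placeholders.

```python
"""Log Insight webhook -> NSX-v API shim (added example, not the post's code).

Only the four demo routes are accepted, so the endpoint can never be made
to do anything other than move vm1/vm2 into or out of the one security group.
All identifiers below are constructed placeholders.
"""
import hmac
import re

NSX_MANAGER = "nsx-manager.example.local"              # placeholder
SECURITY_GROUP = "securitygroup-10"                      # placeholder NSX objectId
VM_MOREFS = {"vm1": "vm-101", "vm2": "vm-102"}           # placeholder vSphere MoRefs
WEBHOOK_SECRET = b"replace-with-a-long-random-secret"    # constructed secret
SECRET_HEADER = "X-Webhook-Token"                        # assumed header name

# Exact allow-list of the routes described in the post: /vm1_green, /vm2_red, ...
ROUTE_RE = re.compile(r"^/(vm[12])_(green|red)$")


def parse_route(path):
    """Return (vm, zone) for an allow-listed route, otherwise None."""
    m = ROUTE_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def nsx_request(vm, zone):
    """Describe the NSX-v call for one route.

    green zone -> add the VM to the micro-segmented security group (PUT)
    red zone   -> remove it again (DELETE)
    """
    url = "https://%s/api/2.0/services/securitygroup/%s/members/%s" % (
        NSX_MANAGER, SECURITY_GROUP, VM_MOREFS[vm])
    return {"method": "PUT" if zone == "green" else "DELETE", "url": url}


def handle_webhook(path, headers):
    """Authenticate the webhook and resolve it to an NSX call.

    Returns (http_status, body). The token compare is constant-time; the
    route check runs after it so unauthenticated callers learn nothing
    about which routes exist.
    """
    token = headers.get(SECRET_HEADER, "").encode()
    if not hmac.compare_digest(token, WEBHOOK_SECRET):
        return 401, "bad token"
    route = parse_route(path)
    if route is None:
        return 404, "unknown route"
    return 200, nsx_request(*route)
```

Wire `handle_webhook` behind whatever HTTP server you prefer and send the returned request to NSX Manager with its API credentials; the robot's syslog alert in Log Insight then only has to target the right route.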

The result

Now we can pick up a virtual machine which is in the unsafe (red) zone and move it across to the micro-segmented (green) zone. Once you put down the object, a syslog message is created and forwarded to Log Insight. Once Log Insight receives the message, the webhook for that action and that specific virtual machine is initiated. The action attaches the NSX security group to that virtual machine, which results in the virtual machine being micro-segmented. Once the security group has been assigned you will see that the ping to that virtual machine, or the web site on that server, no longer responds.

To complete the integration with Log Insight we also added a vRealize Operations instance to give a graphical representation of the health of the virtual machines.

The demo shows that with Log Insight we can monitor anything that produces a log file and perform actions based on the log output. This makes Log Insight a very powerful tool and a next step toward auto-remediation of problems or even a self-healing data center. The demo was received with a lot of enthusiasm; attendees really liked the visualisation of the micro-segmentation assignment and the possibilities that Log Insight brings.

All the code that was used in this project can be found on GitHub here:
