You might have seen or even used the vCenter Event Broker applianced that had been released as a fling some weeks ago and was released completely open source last week by the excellent team of Michael Gasch and William Lam.

While the tag example that comes with the project and that is covered in the manual is a nice starter, it’s not the most useful thing to have. But that can easily be changed. Think about acting based on reconfigure events and push VM config changes to Slack: Audit VM configuration! That way you have all changes documented and searchable using the Slack service.

Audit VM configuration

Setup the vCenter Event Broker Appliance (VEBA)

I won’t go into details here, as we covered it already in former blog post.

You can read it here:

Audit VM configuration requirements

To enable a service to audit VM configuration, we need to add or change the following:

  • create a Slack webhook
  • vcconfig.json to include Slack details
  • template that includes Slack
  • stack.yml to use a different container image and to detect vm reconfigure events
  • handler function to send the VM change information to Slack

You can also speed things up and use our repository that contains the Example already:

You can find everything under examples/powercli/hwchange-slack.

For a quick start simply clone the original or the forked repository:

Original repository:

In that case I recommend to copy the example/powercli/tagging into another directory to customize the files.

Quick start is using the forked repository including the Audit VM configuration example:

git clone
# or
git clone

Setup Slack

To generate a Slack webhook just visit the following link while logged into Slack:

Generate Slack webhook

Simply create and select a Slack channel you want to use for the Audit VM configuration messages.

Copy the Webhook URI and the Channel name and configure that in your vcconfig.json.

The new Audit VM configuration function


The first file we’re changing is our credential file that contains the vCenter connection details and Slack.

    "VC" : "my-vCenter",
    "VC_USERNAME" : "user@vsphere.local",
    "VC_PASSWORD" : "userpassword",
    "SLACK_URL"   : "",
    "SLACK_CHANNEL" : "vcevent"


That file contains the stack definition that will be pushed to the Open FaaS service later on. The important lines are: gateway, image, und topic.

  name: faas
  gateway: https://veba.mynetwork.local
    lang: powercli
    handler: ./handler
    image: opvizorpa/powercli-slack:latest
      write_debug: true
      read_debug: true
      function_debug: false
      - vcconfig
      topic: vm.reconfigured
  • Gateway: the FQDN of the VEBA Appliance
  • Image: the image to be used (best is to use your own Docker Hub account)
  • Topic: vm.reconfigured covers all configuration changes of a VM


This is your function written in PowerShell:

# Process function Secrets passed in
$VC_CONFIG_FILE = "/var/openfaas/secrets/vcconfig"
$VC_CONFIG = (Get-Content -Raw -Path $VC_CONFIG_FILE | ConvertFrom-Json)
if($env:function_debug -eq "true") {
    Write-host "DEBUG: `"$VC_CONFIG`""

# Process payload sent from vCenter Server Event
$json = $args | ConvertFrom-Json
if($env:function_debug -eq "true") {
    Write-Host "DEBUG: `"$json`""

$eventObjectName = $json.objectName

# import and configure Slack
Import-Module PSSlack | Out-Null

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore  -DisplayDeprecationWarnings $false -ParticipateInCeip $false -Confirm:$false | Out-Null

# Connect to vCenter Server
Write-Host "Connecting to vCenter Server ..."
Connect-VIServer -Server $($VC_CONFIG.VC) -User $($VC_CONFIG.VC_USERNAME) -Password $($VC_CONFIG.VC_PASSWORD)

# Retrieve VM changes
$Message = (Get-VM $eventObjectName | Get-ViEvent -MaxSamples 1).FullFormattedMessage

# Bold format for titles
[string]$Message = $Message -replace "Modified","*Modified*" -replace "Added","*Added*" -replace "Deleted","*Deleted*"

# Send VM changes
Write-Host "Detected change to $eventObjectName ..."

New-SlackMessageAttachment -Color $([System.Drawing.Color]::red) `
                           -Title 'VM Change detected' `
                           -Text "$Message" `
                           -Fallback 'ouch' |
    New-SlackMessage -Channel $($VC_CONFIG.SLACK_CHANNEL) `
                     -IconEmoji :fire: |
    Send-SlackMessage -Uri $($VC_CONFIG.SLACK_URL)

Write-Host "Disconnecting from vCenter Server ..."
Disconnect-VIServer * -Confirm:$false

Whenever the function is triggered, we receive the object as a payload. Based on that object, we grab the latest event. There is a chance of catching the wrong event if there are too many changes for the same VM in a very short amount of time.

Good news – this is known to the VEBA guys and a change is planned to enhance the payload with the event id.

FaaS PowerCLI Template

This one is very important as we use it to build and push the container image to our Container image registry. Best is to create your own account on and login locally: docker login

If you don’t use the forked repository, copy the PowerCLI template to your working directory from here and change it to add Slack:


We simply need to add the following part:

# Add PSSlack
RUN pwsh -c "$ProgressPreference = "SilentlyContinue"; Install-Module PSSlack"

Complete file content:

FROM vmware/powerclicore:latest

RUN mkdir -p /home/app
USER root
RUN echo "Pulling watchdog binary from Github." 
    && curl -sSL > /usr/bin/fwatchdog 
    && chmod +x /usr/bin/fwatchdog 
    && cp /usr/bin/fwatchdog /root

# Add PSSlack
RUN pwsh -c "$ProgressPreference = "SilentlyContinue"; Install-Module PSSlack"


USER root

# Populate example here - i.e. "cat", "sha512sum" or "node index.js"
SHELL [ "pwsh", "-command" ]
ENV fprocess="xargs pwsh ./function/script.ps1"
COPY function function
# Set to true to see request in function logs
ENV write_debug="true"


HEALTHCHECK --interval=3s CMD [ -e /tmp/.lock ] || exit 1
CMD [ "fwatchdog" ]

Build, Push and Publish the function

Now comes the easy part as we only need to run a couple of commands:

FaaS-CLI – configure OpenFaaS

# set up faas-cli for first use
faas-cli login -p VEBA_OPENFAAS_PASSWORD --tls-no-verify

# create the secret based on the local file
faas-cli secret create vcconfig --from-file=vcconfig.json --tls-no-verify

Build and Deploy

# Build the new container based on the Template
faas-cli build -f stack.yml

# Push the container to the registry
faas-cli push -f stack.yml

# Deploy the function to the OpenFaaS service
faas-cli deploy -f stack.yml --tls-no-verify

Pushing the container image to your Dockerhub repo

You can check the container image on your Dockerhub repo and if the Slack integration worked.

Slack integration

Make sure you receive a 200 code when deploying the function!

Slack output

OpenFaaS is now configured to watch for VM reconfigure events to trigger the PowerCLI Script.

That’s it and you should see a similar message in your chosen Slack channel to audit VM configuration changes.

Audit VM configuration


Save energy without reducing VM performance in your VMware vSphere cluster
16 August 2022
Over the last couple of decades energy consumption went up massively in every data center and while the…
Metrics & Logs support for IoT - Bringing Secure Monitoring and Logging to the Edge
7 July 2022
Simple uptime monitoring for Internet-of-Things (IoT) is well-known and requires knowing if the devices are up and running.…
Monitoring Azure SQL Managed Instance with Opvizor Metrics & Logs
17 January 2022
When you have critical applications and business processes that rely on Azure resources, it's critical to keep an…

White Paper — Registration

You will receive the research paper by mail.

Codenotary — Webinar

White Paper — Registration

Please let us know where we can send the whitepaper on Codenotary Trusted Software Supply Chain. 

Become a partner

Start Your Trial

Please enter contact information to receive an email with the virtual appliance download instructions.

Start Free Trial

Please enter contact information to receive an email with the free trial details.

Subscribe to our newsletter