The Runecast Analyzer settings icon (cog icon) is located on the right-hand side of the top navigation bar. Use this page to configure connections to the virtual infrastructure, scheduled analysis, alerting, logs, filters, licensing and Runecast appliance users.
Within the Connections tab, you can specify the connection details for vCenter servers (and optionally, NSX-V Managers), Horizon Connection Servers, NSX-T, VMware Cloud Director, AWS, Azure and Kubernetes details for the environment that Runecast will analyze. Server address, port number, username and password are mandatory fields as well as access and secret keys (if using AWS), directory and application id (if using Azure) or SA token (if using Kubernetes). The account you specify should have the minimum required permissions specified in System Requirements chapter of the user guide. To connect to multiple Systems, add them one by one. For more details please check Connect to a System and Analyze.
You can configure automatic scheduling by clicking the Edit button. Once automatic scanning is selected, the scanning frequency can be chosen. The Analyze now button can be used even when Automated scans are scheduled.
The Alerting page can be used to enable e-mail alerting. After each analysis, either manual or automatic, an e-mail containing a report of findings will be sent to the configured recipient(s). SMTP server and port, as well as sender and recipient e-mail addresses are mandatory fields. Multiple recipient e-mail addresses separated by a comma can be added (For example: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org).
The Log Analysis page can be used to configure log retention and syslog settings for VMware Hosts and VMs. For more information – see Configure Log Collection.
Use the Reload button, located on right-hand side of Syslog settings on the Hosts and VMs of configured vCenters to re-fetch the current configuration from all vCenters. A timestamp will indicate when the last fetch was triggered. Also, a re-fetch can be performed individually for each vCenter by clicking the specific icon.
In this section you can choose which profiles to use for your environment's security compliance, you can enable additional best practices or even create your own custom profile.
Security compliance: By default, VMware Security Hardening Guide for vSphere is enabled and active. You can select additional profiles if you need to adhere to other security standards.
Best practices: Additional Best practices profiles can be enabled – SAP HANA BPs.
Custom Profiles: By enabling Custom Profiles you can create your own profiles for audits and organize all necessary checks in one place.
The User Management tab can be used to manage the Local users accounts or to connect Runecast Analyzer to Active Directory or LDAP.
The default local user that has access to the Runecast Analyzer web interface is:
By default, rcuser is granted with Admin role which cannot be changed. Click Edit user (cog icon) in the Actions column to change the default password.
rcuser is the only account which cannot be deleted.
An unlimited number of Local users accounts can be added. For each user, one of two roles can be selected: Admin or Read-only.
The Admin role has no restrictions – it can manage the Runecast Analyzer without any limitations. It has also permission to create/remove other users apart from rcuser.
The Read-only role has restrictions - it is not able to change any settings or configuration and not able to scan or create/remove other users. This role can generate an API Access token with read-only privileges.
You can use Active Directory accounts to login to the Runecast Analyzer web interface. Members of configured groups will have access with specified roles.
Enable the Active Directory by clicking of the dedicated button and provide the information about your Active Directory domain:
- Domain: name of the Active Directory domain, for example
Optionally, you can configure the Advanced options by enabling the Use SSL button:
URL: the address of a domain controller, for example
Port: the LDAP service port number (by default
389for SSL disabled or
636for SSL enabled)
Root DN: specify the LDAP search base DN for users or groups, for example
OU=test,DC=company,DC=com. It might be useful in large domains to limit the number of search results.
Under Domain Groups, add the Active Directory groups which will have access to Runecast Analyzer. Any user, that is a member of this group in the specified domain, will get the assigned permissions (Admin or Read-only) to the Runecast Analyzer web interface.
When an AD user is a member of both Admin and Read-Only groups, as configured in Runecast Analyzer, his privilege level will be set to Admin.
Don't forget to Save once all the configurations are done.
Make sure that DNS is configured. The Runecast Analyzer should be able to resolve the domain controller name. Make sure that the group you specify for the Domain Group exists in your Active Directory domain. The user logging in MUST be able to read members of the group.
You can configure Runecast Analyzer to allow LDAP users to log in to the web interface. Based on the users' membership in configured groups, they will have access with the corresponding privileges.
To enable LDAP users to log in, switch on Enable LDAP and provide the configuration:
Domain name: enter the name of the LDAP domain, for example
Users root DN: enter the users LDAP search base, for example
OU=users, DC=company, DC=com. This will help shorten the login times in large LDAP trees.
Groups root DN: enter the group LDAP search base, for example
OU=groups, DC=company, DC=com.
User DN: enter the bind user distinguished name, for example
CN=bind_user, DC=company, DC=local. The user will be used for verifying the group membership and needs to have appropriate permissions.
Password: enter the bind user password.
Use LDAPS: if you want to use a secure connection to LDAP server(s), click the checkbox and use the Upload certificate button to upload a CA certificate or certificate chain.
Primary server URL: enter the FQDN or IP address of the LDAP server.
Port: enter the LDAP service port (by default
389for LDAP and
Optionally, enter the Secondary server URL and Port.
Under Domain Groups, click the Add Group button, fill-in an existing LDAP group name and choose the group role in the Role drop-down (Read-only or Admin). Click the Add Group button to confirm. You can repeat the procedure to insert additional groups.
When an LDAP user is a member of both Admin and Read-Only groups, as configured in Runecast Analyzer, their privilege level will be set to Admin.
Once all configuration is done, click the Save button.
Filters can be used to disable a combination of configuration items and issues from showing in the reports and statistics. Without filters, Runecast Analyzer will include all configuration items it has access to for all possible issues and best practices. Typically, these are all inventory objects within the analyzed System.
There are many use cases for using filters, for example:
Some of the Security Hardening checks are not part of your specific security policy and you need to exclude them from reports.
You have several test ESXi hosts that you want to exclude from all reports, or perhaps you want to see only Critical issues detected for those hosts.
Click Add Filter to create a new filter. A new filter called New Filter appears in the list. Expand New Filter and edit its name and description. The filter configuration includes two hierarchical trees:
The left-hand tree displays the analyzed Systems with all the inventory objects underneath. Select which object or group of objects will this filter apply to.
The right-hand tree displays all possible issues organized by type (Knowledge Base, Best Practices, Security Hardening) and severity (Low, Medium, Major, Critical). Select an issue or a group of issues the filter will apply to.
To quickly search for an object or an issue, you can use the Search box under the respective tree.
Click Update once finished. The filter is applied to all views.
Click Export/Import button on the top right corner of the Filters view to Export or Import all filters. Choose one of the following options:
Export Filters exports all filters in a downloadable .dat file. This function will not export the inventory objects specified in the filters. Once you import the filters, you would need to specify the objects this filter applies to.
Export Filters including objects exports all filters and objects they apply to in a downloadable .dat file. This function can be used in case you plan to import the filters to a Runecast Analyzer appliance that is connected to the exact same System.
Import Filters imports filters from a .dat file. Filters have an OFF status once imported.
In the case where the .dat file contains inventory objects, they will be added to the filters only if the System object ID and other object IDs match.
Filtering issues for the whole vCenter Server (including all child objects)
In case certain issues are filtered out for the whole vCenter Server, those issues will not appear in the issue list for the context of this specific vCenter Server.
If issues are filtered out for all connected vCenter Servers (including all their child objects), then the issues will also disappear in the All Systems context.
Below is an example screenshot of filtering out one specific rule for the whole vCenter Server system:
In this case, this issue will not appear any more in the context of this particular vCenter Server but will still show up in the context of All System, as it’s not filtered for all vCenter Servers connected to Runecast Analyzer.
Below is an example screenshot of filtering out one specific rule for all vCenter Servers:
In this case, this issue will not appear any more in the context of any of the filtered out vCenter Server, neither in the All Systems context.
Filtering issues for subset of the vCenter Server objects
In case certain issues are filtered out for a subset of the vCenter Server objects, those issues will still appear in the issue list. However, the objects which are filtered out will not be taken into consideration and if the issue ends up with 0 affected objects it will be marked with status Pass (or Configured for some of the security profiles).
Below is an example screenshot of filtering out one specific rule for a subset of the vCenter Server objects:
Note that the vCenter Server is marked as Partially filtered. In this case, the issue still appears in the issue list, and only the selected object scope will be filtered out. If the issue ends up with 0 affected objects, it will be marked with status Pass (or Configured for some of the security profiles).
In this tab you can add and assign a valid license to your hosts. For more information see Licensing Runecast Analyzer.
Within this tab the update status of Runecast Analyzer is shown. It is divided into two parts, Application and Knowledge Definition.
Application is consisting of updates to the OS, components, application, and database definitions like KB, BP, SH, etc. The version of the Runecast appliance currently deployed is displayed. This view differs based on the online/offline update state of the appliance:
If the appliance has an internet connection (online) then the application will check if there are any updates available. It will display one of two states: Up to date or Update available. If the status is Update available, you can perform manually the update by accessing Runecast Console Interface (check Note) and navigate to the Update section. Otherwise Runecast Analyzer will automatically apply the updates during the night.
If the appliance doesn’t have an internet connection (offline) then the status You are offline is displayed together with a link to the Customer portal. When accessing the portal through an internet connected device, expanding the Offline updates provides access to an .ISO file. Download the file and attach it to you Runecast Analyzer VM. You can perform the update manually by accessing Runecast Console Interface and navigate to the Update section.
To access the Runecast Console Interface open Runecast Analyzer VM console and press F1 key to login. Check section Runecast Console Interface for additional details.
Knowledge Definition contains only data definition updates for knowledge such as KBs, BPs, SH, etc. The last update release date is displayed. The view differs based on the online/offline state of the appliance:
If the appliance has an internet connection (online) then the application will check if there are any updates available. It will display one of the following two states: Up to date or Update now.
If the appliance doesn’t have internet connection (offline) then You are offline is displayed together with a link to the Customer portal. When accessing the portal through an internet connected device, expanding the Offline updates provides access to the .bin file. To perform an update, Download the file and then import it into the appliance using the Choose File button.
Online application and knowledge definition updates require access to https://updates.runecast.com. The default repository link is displayed below each one.
AWS deployed Runecast Analyzer automatically checks and installs updates. In case you need to update it manually, please login using SSH, and execute the script:
K8s deployed Runecast Analyzer automatically checks and installs the knowledge definitions, the application needs to be updated using the helm upgrade command. Please see the Kubernetes section in the Deployment chapter.
A custom repository can be configured for both application and knowledge definition updates. Click the wrench icon located on the right-hand side and add the Custom URL of the packages repository from where you would like to automatically download the new version. Ensure that all required files are available.
To find out how to configure your own update repository, please see the section How to set up Custom Repositories with Runecast Analyzer.
API Access tokens
Runecast Analyzer offers a full REST API for custom integration, configuration and reporting.
In order to use the API, an access token is required. The token can be generated in the graphical interface of the Runecast Analyzer or by sending a POST request to
Once generated, the access token needs to be included in the Authorization header of each request. For example, to retrieve data about the vCenters registered in your Runecast appliance, you can use a call like:
curl -H "Authorization: <your token here>" -X GET https://<appliance IP>/rc2/api/v1/vcenters
The Enterprise Console feature activates a global dashboard that integrates results of all connected Analyzer instances. Check section EC Dashboard for additional details.