VMware (vRealize/Aria) Suite Audit
Introduction – Why Aria Audits Matter Under Broadcom
Broadcom’s acquisition of VMware in late 2023 ushered in a new era of strict compliance. VMware’s vRealize/Aria suite, once lightly audited, now faces audits with teeth. Broadcom aggressively enforces license terms. If you run VMware Aria Operations, Automation, or related tools, expect stricter audits.
Broadcom is driving customers to subscription models, making audits far more likely than before. A Broadcom audit can feel high-stakes, with potential true-up fees or forced subscription upgrades if you’re caught short.
Understanding Aria/vRealize Licensing Models
VMware’s Aria suite (formerly vRealize) has varied licensing models across its components. Licensing for these products can be complex.
The table below summarizes common licensing models and how usage is counted:
| License Model | Key Points |
|---|---|
| OSI (Operating System Instance) | Common for Aria Operations, Automation, Log Insight, etc. Each VM, physical server, or cloud instance counts as one OSI license. |
| Per CPU (Socket) | Used in legacy vRealize Suite bundles. Each CPU socket license covers all VMs on that host (for vSphere environments). |
| Subscription (SaaS) | Used in Aria SaaS offerings and new bundles. You subscribe for a set capacity (e.g. 200 OSIs/year or specific features). Exceeding that usage cap means you must true-up or upgrade. When converting old perpetual licenses to subscription, ensure the new subscription covers the same scope. |
Common Compliance Traps
Even well-intentioned teams can slip into non-compliance. Beware of these common traps:
- Over-Monitoring OSIs: Adding more VMs/instances into Aria than your licenses cover. This often happens gradually as new systems come online. Always compare your monitored count to purchased OSIs to avoid overuse.
- Forgotten or Inactive Systems: Leaving test environments or decommissioned VMs connected to Aria still consumes licenses. Even a powered-off VM can count if it’s still being monitored. Remove any endpoints that are not actively in use to stay within your entitlements.
- Mixing Free/Trial with Paid: Using “free” Aria editions (like the 25-OSI Log Insight that comes with vCenter) in production can lead to overuse. Always isolate free/trial tools from your enterprise deployments.
- Misinterpreting What Counts: Misunderstanding what requires a license. As a working rule, assume that every VM or cloud instance integrated with Aria Operations requires an OSI license (unless your contract states otherwise). Don’t assume something is excluded or unlimited just because it’s part of a bundle; verify it.
Self-Audit Best Practices
Regular self-audits are your best defense. Adopt these practices to stay audit-ready:
- Proactively Track Usage: Utilize Aria’s built-in licensing or usage dashboards to monitor consumption. Check how many OSIs or units you’re using versus your entitlements monthly. Set internal alerts when you reach ~90% of a license limit, so you can plan for expansions before running out.
- Remove Unneeded Monitors: Clean up regularly. If certain VMs or endpoints are no longer needed (e.g., completed projects, old test machines, or powered-off systems), remove them from Aria Operations and Automation. Don’t pay for inactive resources – if it’s not in use, it shouldn’t consume a license.
Responding to an Audit Notice
Receiving an audit notice can be stressful, but a calm, methodical response is key.
Take these steps if Broadcom comes knocking:
- Review the Notice Scope: Read the audit letter closely. Note which products are being audited, and any deadlines or specific data requests. Knowing the exact scope helps you focus your response.
- Gather Only What’s Asked: Collect exactly the data the auditor requests – nothing extra. For example, if they ask for “all VMs monitored by Aria Operations,” provide that list (and only for the environment under audit). Don’t volunteer data about systems outside the audit’s scope.
- Double-Check Everything: Before you send anything, verify it. If your report indicates 600 OSIs were used, but you know 50 are powered-off VMs, note this discrepancy. It’s better to clarify upfront than to let the auditor assume those 50 count. Be truthful and refrain from altering data – simply explain it where necessary.
- Keep Communication Professional: Stick to email or written correspondence to have a record. Be polite and cooperative, but stay on topic. If an auditor’s request strays beyond the agreed scope, it’s okay to ask for clarification or politely redirect them to the relevant data.
Negotiating Audit Findings
If the audit report shows you were over your entitlements, it’s time to negotiate. Keep these tactics in mind:
- Validate and Offer a Solution: Don’t blindly accept the auditor’s numbers – double-check for any mistakes (like inactive VMs being counted). Once you confirm there’s an overuse, suggest a path to compliance by purchasing the necessary licenses or subscriptions moving forward, rather than paying back penalties. Vendors prefer selling you a subscription over issuing fines.
- Leverage Renewals or Upgrades: If you have a renewal coming up or were considering an upgrade, use it to your advantage. For example, fold the extra licenses you need into your upcoming renewal or next-tier subscription. This way, you get normal pricing and frame the true-up as part of a planned expansion.
- Request a Grace Period: Ask for a short window (such as 30 days) to get back into compliance. Often, auditors will hold off on punitive actions if you commit to buying the needed licenses within that period. It shows good faith and avoids immediate penalties.
Preventative Governance Practices
Finally, bake compliance into your day-to-day operations. A few governance measures can prevent headaches:
- Monitor Usage Continuously: Treat Aria license usage as a key metric. Review usage dashboards monthly and address any growth before it exceeds your limits.
- Require Approval for New Integrations: Institute a policy that no new cluster, cloud account, or major load is added to Aria monitoring without a license check and approval. This ensures, for example, that someone doesn’t connect an entirely new environment to Aria Operations and unknowingly exceed licenses.
- Keep Free and Paid Separate: If you use any free VMware tools or community editions (like the limited Log Insight that comes with vCenter), run them in isolation. Never mix free or trial versions with your licensed production deployments. This avoids accidental overuse and confusion over what’s covered.
- Educate and Empower Your Team: Ensure administrators and engineers understand the fundamentals of Aria licensing. Even a brief training or cheat sheet can go a long way. When admins know that adding a VM or enabling a feature consumes a license, they’ll be more cautious. A little awareness prevents a lot of compliance issues.
Example Audit Scenario
An enterprise licensed for 5,000 OSIs was found to be monitoring 5,400 (400 more than licensed). Approximately 200 inactive VMs were left in the tool – these were removed from monitoring immediately.
For the remaining 200 active overages, the company negotiated a solution: purchasing additional OSI licenses (at normal rates) in their upcoming renewal.
Broadcom closed the audit without penalties once the purchase was agreed upon. The key lesson was to promptly disconnect unused systems and proactively true-up licenses as the environment grows.
Compliance Checklist & FAQs
License Compliance Checklist: Use this list to stay audit-ready:
- Know Your Entitlements: Keep an up-to-date inventory of all your VMware Aria/vRealize licenses (product, edition, quantity). Understand exactly what you’ve purchased and the limits.
- Monitor Usage Monthly: Regularly check your actual usage against your entitlements (use Aria’s usage reports or manual counts). Consider setting an alert when you reach approximately 90% of any license capacity, so you can take action before running out.
- Clean Up Unused Monitors: Every month or quarter, remove VMs or resources from Aria that you’re no longer using (decommissioned servers, test VMs, etc.). This frees up licenses and keeps your usage in check.
- Separate Free vs. Paid: Don’t mix “free” or trial versions with your licensed deployments. For example, keep that free 25-OSI log tool separate from your production Aria environment, to avoid any confusion or overstepping.
- Educate on License Boundaries: Ensure your team understands the do’s and don’ts (e.g., avoid adding unlicensed systems to Aria, and refrain from enabling features from a higher edition than you own). When everyone is aware of the boundaries, you greatly reduce accidental compliance issues.
Frequently Asked Questions:
- Q: What counts as an “OS instance” in Aria licensing?
A: In VMware Aria licensing, an OS instance (OSI) generally means one VM or one physical server being monitored. Essentially, each individual operating system under Aria management consumes one OSI license.
- Q: Can inactive or powered-off VMs be excluded from licensing?
A: If a VM is powered off and truly not being monitored, it shouldn’t count against your license. However, if that VM is still connected to Aria (even in a powered-down state), it might appear in usage counts. It’s safest to remove or disable monitoring for any VM that isn’t active to avoid confusion during an audit.
- Q: How often does Broadcom audit customers now?
A: More often than VMware used to. Many companies have been audited within a year or so of Broadcom’s takeover. You should assume an audit will happen periodically (perhaps every 1-2 years).
- Q: What data is typically requested during an audit?
A: Auditors usually request outputs from the Aria tools themselves—things like a license usage report (how many OSIs you’re using vs. licensed), an inventory of all VMs or endpoints under management, and proof of your entitlements (your license keys or contracts). They may also provide a script or ask for a support bundle to collect information. Always review such requests to ensure they only gather data relevant to the audit’s scope.