ESXI VMware Login Tracking

mbarbaro · ‎08-01-2017

Hello,

how can i track login and logout from ESXi 5.5?

At the moment i configured a Syslog to forward logs from ESXI to splunk but the logins are not tracked.

How can i solve this issue?

Thanks

gjanders · ‎08-04-2017

Here are some examples, I am finding it difficult to track logins or anything useful via these logs as well.

These will not be exact as I changed some of the data to anonymise it.

Web login:

2017-06-28T17:21:47.761+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T17:21:47.824+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T17:21:47.825+10:00 info vpxd[50692] [Originator@0000 sub=AuthorizeManager opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [Auth]: User DOMAIN\username

Failed login via website:

2017-06-28T18:12:49.076+10:00 error vpxd[53560] [Originator@0000 sub=User opID=90186654-00000004-ac] Failed to authenticate user <DOMAIN\username>
2017-06-28T18:12:54.085+10:00 info vpxd[53560] [Originator@0000 sub=Default opID=90186654-00000004-ac] [VpxLRO] -- ERROR task-internal-196035 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin: --> Result: --> (vim.fault.InvalidLogin) { --> faultCause = (vmodl.MethodFault) null, --> msg = "" --> } --> Args: --> --> Arg userName: --> "DOMAIN\username" --> Arg password: --> (not shown) --> --> Arg locale: --> "en_US"

Thick client login

2017-06-28T18:13:27.734+10:00 info vpxd[60232] [Originator@0000 sub=AuthorizeManager opID=EC8E8DD2-00000004-5f] [Auth]: User DOMAIN\username

Thick client login via SSO:

2017-06-28T18:19:37.777+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T18:19:37.865+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T18:19:37.929+10:00 info vpxd[65192] [Originator@0000 sub=AuthorizeManager opID=5DFF3E13-00000005-cf] [Auth]: User DOMAIN\username
2017-06-28T18:19:37.940+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserFullName(DOMAIN\username, false) res: FirstName Lastname

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

mbarbaro · ‎08-04-2017

Hi,

thanks for the informations.

I have some problem to forward logs at the moment, do you suggest something? To get this type of logs i should configure syslog-ng on the vcenter right?

thanks

gjanders · ‎08-04-2017

The above example were mostly from the VCentre logs, esxi logs would be slightly different again.

The VMWare firewall appears to allow port 514 and 1514 by default (TCP and UDP I believe) so if you are using one of those ports it should just work...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

ESXI VMware Login Tracking

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout