Getting Data In
Highlighted

ESXI VMware Login Tracking

Path Finder

Hello,

how can i track login and logout from ESXi 5.5?

At the moment i configured a Syslog to forward logs from ESXI to splunk but the logins are not tracked.

How can i solve this issue?

Thanks

0 Karma
Highlighted

Re: ESXI VMware Login Tracking

SplunkTrust
SplunkTrust

Here are some examples, I am finding it difficult to track logins or anything useful via these logs as well.

These will not be exact as I changed some of the data to anonymise it.

Web login:

2017-06-28T17:21:47.761+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T17:21:47.824+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T17:21:47.825+10:00 info vpxd[50692] [Originator@0000 sub=AuthorizeManager opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [Auth]: User DOMAIN\username

Failed login via website:

2017-06-28T18:12:49.076+10:00 error vpxd[53560] [Originator@0000 sub=User opID=90186654-00000004-ac] Failed to authenticate user <DOMAIN\username>
2017-06-28T18:12:54.085+10:00 info vpxd[53560] [Originator@0000 sub=Default opID=90186654-00000004-ac] [VpxLRO] -- ERROR task-internal-196035 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin: --> Result: --> (vim.fault.InvalidLogin) { --> faultCause = (vmodl.MethodFault) null, --> msg = "" --> } --> Args: --> --> Arg userName: --> "DOMAIN\username" --> Arg password: --> (not shown) --> --> Arg locale: --> "en_US"

Thick client login

2017-06-28T18:13:27.734+10:00 info vpxd[60232] [Originator@0000 sub=AuthorizeManager opID=EC8E8DD2-00000004-5f] [Auth]: User DOMAIN\username

Thick client login via SSO:

2017-06-28T18:19:37.777+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T18:19:37.865+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T18:19:37.929+10:00 info vpxd[65192] [Originator@0000 sub=AuthorizeManager opID=5DFF3E13-00000005-cf] [Auth]: User DOMAIN\username
2017-06-28T18:19:37.940+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserFullName(DOMAIN\username, false) res: FirstName Lastname 
0 Karma
Highlighted

Re: ESXI VMware Login Tracking

Path Finder

Hi,

thanks for the informations.

I have some problem to forward logs at the moment, do you suggest something? To get this type of logs i should configure syslog-ng on the vcenter right?

thanks

0 Karma
Highlighted

Re: ESXI VMware Login Tracking

SplunkTrust
SplunkTrust

The above example were mostly from the VCentre logs, esxi logs would be slightly different again.

The VMWare firewall appears to allow port 514 and 1514 by default (TCP and UDP I believe) so if you are using one of those ports it should just work...

0 Karma