Getting Data In

ESXI VMware Login Tracking

mbarbaro
Path Finder

Hello,

how can i track login and logout from ESXi 5.5?

At the moment i configured a Syslog to forward logs from ESXI to splunk but the logins are not tracked.

How can i solve this issue?

Thanks

0 Karma

gjanders
SplunkTrust
SplunkTrust

Here are some examples, I am finding it difficult to track logins or anything useful via these logs as well.

These will not be exact as I changed some of the data to anonymise it.

Web login:

2017-06-28T17:21:47.761+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T17:21:47.824+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T17:21:47.825+10:00 info vpxd[50692] [Originator@0000 sub=AuthorizeManager opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [Auth]: User DOMAIN\username

Failed login via website:

2017-06-28T18:12:49.076+10:00 error vpxd[53560] [Originator@0000 sub=User opID=90186654-00000004-ac] Failed to authenticate user <DOMAIN\username>
2017-06-28T18:12:54.085+10:00 info vpxd[53560] [Originator@0000 sub=Default opID=90186654-00000004-ac] [VpxLRO] -- ERROR task-internal-196035 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin: --> Result: --> (vim.fault.InvalidLogin) { --> faultCause = (vmodl.MethodFault) null, --> msg = "" --> } --> Args: --> --> Arg userName: --> "DOMAIN\username" --> Arg password: --> (not shown) --> --> Arg locale: --> "en_US"

Thick client login

2017-06-28T18:13:27.734+10:00 info vpxd[60232] [Originator@0000 sub=AuthorizeManager opID=EC8E8DD2-00000004-5f] [Auth]: User DOMAIN\username

Thick client login via SSO:

2017-06-28T18:19:37.777+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T18:19:37.865+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T18:19:37.929+10:00 info vpxd[65192] [Originator@0000 sub=AuthorizeManager opID=5DFF3E13-00000005-cf] [Auth]: User DOMAIN\username
2017-06-28T18:19:37.940+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserFullName(DOMAIN\username, false) res: FirstName Lastname 
0 Karma

mbarbaro
Path Finder

Hi,

thanks for the informations.

I have some problem to forward logs at the moment, do you suggest something? To get this type of logs i should configure syslog-ng on the vcenter right?

thanks

0 Karma

gjanders
SplunkTrust
SplunkTrust

The above example were mostly from the VCentre logs, esxi logs would be slightly different again.

The VMWare firewall appears to allow port 514 and 1514 by default (TCP and UDP I believe) so if you are using one of those ports it should just work...

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...