Getting Data In

ESXI VMware Login Tracking

mbarbaro
Path Finder

Hello,

how can i track login and logout from ESXi 5.5?

At the moment i configured a Syslog to forward logs from ESXI to splunk but the logins are not tracked.

How can i solve this issue?

Thanks

0 Karma

gjanders
SplunkTrust
SplunkTrust

Here are some examples, I am finding it difficult to track logins or anything useful via these logs as well.

These will not be exact as I changed some of the data to anonymise it.

Web login:

2017-06-28T17:21:47.761+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T17:21:47.824+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T17:21:47.825+10:00 info vpxd[50692] [Originator@0000 sub=AuthorizeManager opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [Auth]: User DOMAIN\username

Failed login via website:

2017-06-28T18:12:49.076+10:00 error vpxd[53560] [Originator@0000 sub=User opID=90186654-00000004-ac] Failed to authenticate user <DOMAIN\username>
2017-06-28T18:12:54.085+10:00 info vpxd[53560] [Originator@0000 sub=Default opID=90186654-00000004-ac] [VpxLRO] -- ERROR task-internal-196035 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin: --> Result: --> (vim.fault.InvalidLogin) { --> faultCause = (vmodl.MethodFault) null, --> msg = "" --> } --> Args: --> --> Arg userName: --> "DOMAIN\username" --> Arg password: --> (not shown) --> --> Arg locale: --> "en_US"

Thick client login

2017-06-28T18:13:27.734+10:00 info vpxd[60232] [Originator@0000 sub=AuthorizeManager opID=EC8E8DD2-00000004-5f] [Auth]: User DOMAIN\username

Thick client login via SSO:

2017-06-28T18:19:37.777+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T18:19:37.865+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T18:19:37.929+10:00 info vpxd[65192] [Originator@0000 sub=AuthorizeManager opID=5DFF3E13-00000005-cf] [Auth]: User DOMAIN\username
2017-06-28T18:19:37.940+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserFullName(DOMAIN\username, false) res: FirstName Lastname 
0 Karma

mbarbaro
Path Finder

Hi,

thanks for the informations.

I have some problem to forward logs at the moment, do you suggest something? To get this type of logs i should configure syslog-ng on the vcenter right?

thanks

0 Karma

gjanders
SplunkTrust
SplunkTrust

The above example were mostly from the VCentre logs, esxi logs would be slightly different again.

The VMWare firewall appears to allow port 514 and 1514 by default (TCP and UDP I believe) so if you are using one of those ports it should just work...

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...