
ESXI VMware Login Tracking

mbarbaro
Path Finder

Hello,

How can I track login and logout from ESXi 5.5?

At the moment I have configured syslog to forward logs from ESXi to Splunk, but the logins are not tracked.

How can i solve this issue?

Thanks


gjanders
SplunkTrust

Here are some examples; I am finding it difficult to track logins or anything useful via these logs as well.

These will not be exact as I changed some of the data to anonymise it.

Web login:

2017-06-28T17:21:47.761+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T17:21:47.824+10:00 info vpxd[50692] [Originator@0000 sub=[SSO] opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T17:21:47.825+10:00 info vpxd[50692] [Originator@0000 sub=AuthorizeManager opID=c2c6af008-0000-457a-83d3-002dfe600e05-090-ngc-00] [Auth]: User DOMAIN\username

Failed login via website:

2017-06-28T18:12:49.076+10:00 error vpxd[53560] [Originator@0000 sub=User opID=90186654-00000004-ac] Failed to authenticate user <DOMAIN\username>
2017-06-28T18:12:54.085+10:00 info vpxd[53560] [Originator@0000 sub=Default opID=90186654-00000004-ac] [VpxLRO] -- ERROR task-internal-196035 -- SessionManager -- vim.SessionManager.login: vim.fault.InvalidLogin: --> Result: --> (vim.fault.InvalidLogin) { --> faultCause = (vmodl.MethodFault) null, --> msg = "" --> } --> Args: --> --> Arg userName: --> "DOMAIN\username" --> Arg password: --> (not shown) --> --> Arg locale: --> "en_US"

Thick client login:

2017-06-28T18:13:27.734+10:00 info vpxd[60232] [Originator@0000 sub=AuthorizeManager opID=EC8E8DD2-00000004-5f] [Auth]: User DOMAIN\username

Thick client login via SSO:

2017-06-28T18:19:37.777+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) 
2017-06-28T18:19:37.865+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\username, false) res: DOMAIN\username 
2017-06-28T18:19:37.929+10:00 info vpxd[65192] [Originator@0000 sub=AuthorizeManager opID=5DFF3E13-00000005-cf] [Auth]: User DOMAIN\username
2017-06-28T18:19:37.940+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserFullName(DOMAIN\username, false) res: FirstName Lastname 
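As an added example (not code from the thread or from VMware), the vpxd lines quoted above can be turned into login events with a short Python script: it recognises the "[Auth]: User" line as a successful authorisation and the "Failed to authenticate user" line as a failure, ignores the SSO lookup and LRO task-dump lines, and counts failures per user as a starting point for a brute-force alert. The sample lines below are constructed from the formats in the answer above; the user names and opIDs are made up.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the vpxd events quoted above
# (made-up users and opIDs, not real captured data).
SAMPLE_LOGS = """\
2017-06-28T17:21:47.825+10:00 info vpxd[50692] [Originator@0000 sub=AuthorizeManager opID=c2c6af008-090-ngc-00] [Auth]: User DOMAIN\\alice
2017-06-28T18:12:49.076+10:00 error vpxd[53560] [Originator@0000 sub=User opID=90186654-00000004-ac] Failed to authenticate user <DOMAIN\\bob>
2017-06-28T18:12:55.076+10:00 error vpxd[53560] [Originator@0000 sub=User opID=90186654-00000004-ad] Failed to authenticate user <DOMAIN\\bob>
2017-06-28T18:13:27.734+10:00 info vpxd[60232] [Originator@0000 sub=AuthorizeManager opID=EC8E8DD2-00000004-5f] [Auth]: User DOMAIN\\alice
2017-06-28T18:19:37.777+10:00 info vpxd[65192] [Originator@0000 sub=[SSO] opID=5DFF3E13-00000005-cf] [UserDirectorySso] GetUserInfo(DOMAIN\\alice, false)
"""

# Common vpxd prefix: timestamp, level, vpxd[pid], then the Originator block
# carrying sub= and opID=, followed by the free-text message.
PREFIX = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) vpxd\[(?P<pid>\d+)\] "
    r"\[Originator@\d+ sub=(?P<sub>\S+) opID=(?P<opid>\S+)\] (?P<msg>.*)$"
)
AUTH_OK = re.compile(r"^\[Auth\]: User (?P<user>\S+)$")
AUTH_FAIL = re.compile(r"^Failed to authenticate user <(?P<user>[^>]+)>$")

def parse_vpxd_line(line):
    """Return a login verdict for one line, or None if it is not one."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    ok = AUTH_OK.match(msg)
    if ok:
        return {"ts": m.group("ts"), "opid": m.group("opid"),
                "user": ok.group("user"), "outcome": "success"}
    fail = AUTH_FAIL.match(msg)
    if fail:
        return {"ts": m.group("ts"), "opid": m.group("opid"),
                "user": fail.group("user"), "outcome": "failure"}
    return None  # SSO lookups and LRO task dumps carry no verdict

def login_events(text):
    """All login verdicts in a chunk of syslog text, in order."""
    return [e for e in (parse_vpxd_line(l) for l in text.splitlines()) if e]

def failure_counts(events):
    """Failed logins per user, the usual basis for a lockout/brute-force alert."""
    return Counter(e["user"] for e in events if e["outcome"] == "failure")

if __name__ == "__main__":
    evs = login_events(SAMPLE_LOGS)
    for e in evs:
        print(e)
    print(failure_counts(evs))
```

The same two message patterns are what a Splunk field extraction on the forwarded vpxd events would key on; the opID ties a success line back to the SSO lookups of the same session.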

mbarbaro
Path Finder

Hi,

thanks for the information.

I have some problems forwarding logs at the moment; do you suggest something? To get this type of logs, I should configure syslog-ng on the vCenter, right?

thanks


gjanders
SplunkTrust

The above examples were mostly from the vCenter logs; ESXi logs would be slightly different again.

The VMware firewall appears to allow ports 514 and 1514 by default (TCP and UDP, I believe), so if you are using one of those ports it should just work...
