VMware Cloud Community
pragg12
Hot Shot

vCenter IP Login audit

Hi Everyone,

vCSA is 6.7 U1. I suspect someone used the vSphere.local\Administrator account to do something stupid and I need to check where the login came from for further tracking. Correct me if I'm wrong from here on out. AFAIK, only the IP address can be retrieved from vCSA logs in such cases. I searched and tried a lot but only one script came close (my Google-fu can only take me this far..). For the agent PowerCLI, I can see the proper machine IP address, but for the agents "web-client/6.5.0" and "h5-client/6.5.0", I get the IP address as 127.0.0.1. Let me know:

1. How can the script be optimized to get the real IP address instead of 127.0.0.1?

2. My host machine has the UTC-6 Central Time timezone. Since the script will take the time from the host machine (per the script code) while checking against vCSA logs where time is in UTC, how does the script work w.r.t. time comparison? What is the time received in the output? UTC or CT?

I tried to post this in the same forum but I'm getting permission denied. Link: Solved: need to find out login info in vcenter

A bit modified code:

# Look back nine days from the local clock of the machine running PowerCLI
$start = (Get-Date).AddDays(-9)

foreach ($vc in $global:DefaultVIServers)
{
   # Pull every event in the window, keep only interactive logins for the SSO admin account
   Get-VIEvent -Start $start -MaxSamples ([int]::MaxValue) -Server $vc |
   Where-Object { $_ -is [VMware.Vim.UserLoginSessionEvent] -and $_.UserName -eq 'VSPHERE.LOCAL\Administrator' } |
   Sort-Object -Property CreatedTime -Descending |
   Select-Object UserName, IpAddress, CreatedTime, UserAgent, @{N = 'vCenter'; E = { $vc.Name } } |
   Export-Csv C:\temp\vcsa_login.csv -Append
}

Consider marking this response as "Correct" or "Helpful" if you think my response helped you in any way.
6 Replies
LucD
Leadership

1. When you use the Web Client, your connection is made from the server mentioned in the URI.

From there, localhost (127.0.0.1) seems logical.

You'll probably have to look at the web server logs to find out from where these Gets are submitted.

2. These times are in UTC.

You can convert to your localtime with

select Username, IPAddress,
    createdtime,
    @{N = 'CreatedLocalTime'; E = {$_.CreatedTime.ToLocalTime()} },
    USeragent, @{N = 'vCenter'; E = { $vc.Name } }


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
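The following is an added example, not code from LucD, pragg12 or VMware: it puts the two answers above into one PowerCLI script that audits logins for a single SSO account across every connected vCenter, writes each event with both its UTC and local timestamp, and labels loopback source addresses so the investigator knows which rows need the web server logs instead. It assumes an existing Connect-VIServer session; the parameter names, default file path and the "Note" wording are constructed for this example. It goes slightly beyond the thread by also collecting BadUsernameSessionEvent (failed logins for the same account) and by summarising distinct source/user-agent pairs.

```powershell
# Added example (not from the thread): audit interactive logins for one SSO
# account across all connected vCenters. Assumes Connect-VIServer has already
# been run. Account, look-back window and output path are constructed defaults.
param(
    [string]$Account  = 'VSPHERE.LOCAL\Administrator',
    [int]$DaysBack    = 9,
    [string]$OutFile  = 'C:\temp\vcsa_login_audit.csv'
)

# Get-Date is the local clock of this machine; PowerCLI handles the conversion
# when it asks vCenter for events in this window.
$start  = (Get-Date).AddDays(-$DaysBack)
$finish = Get-Date

$report = foreach ($vc in $global:DefaultVIServers) {
    Get-VIEvent -Start $start -Finish $finish -MaxSamples ([int]::MaxValue) -Server $vc |
        Where-Object {
            ($_ -is [VMware.Vim.UserLoginSessionEvent] -or $_ -is [VMware.Vim.BadUsernameSessionEvent]) -and
            $_.UserName -eq $Account
        } |
        ForEach-Object {
            # Per the thread, CreatedTime is UTC; pin the Kind so the conversion
            # below cannot be skewed by a DateTime of Kind Unspecified.
            $utc = [DateTime]::SpecifyKind($_.CreatedTime, [DateTimeKind]::Utc)

            # vCenter records the TCP peer of the API session. For the web/H5
            # client that peer is the client service on the appliance itself,
            # so loopback means "real client IP is not visible in this event".
            $ip   = $_.IpAddress
            $note = if ($ip -in @('127.0.0.1', '::1')) {
                'loopback: web client session, check web server logs for client IP'
            } else {
                'direct API session'
            }

            [pscustomobject]@{
                vCenter          = $vc.Name
                EventType        = $_.GetType().Name
                UserName         = $_.UserName
                IpAddress        = $ip
                UserAgent        = $_.UserAgent          # null for BadUsernameSessionEvent
                CreatedTimeUtc   = $utc.ToString('u')
                CreatedTimeLocal = $utc.ToLocalTime().ToString('u')
                LocalTimeZone    = [System.TimeZoneInfo]::Local.Id
                Note             = $note
            }
        }
}

$report | Sort-Object CreatedTimeUtc -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation

# First question an investigator asks about a shared admin account: from how
# many distinct sources, with which clients, and were there failed attempts?
$report |
    Group-Object IpAddress, UserAgent |
    Select-Object @{N = 'Source';       E = { $_.Name }},
                  Count,
                  @{N = 'FailedLogins'; E = { @($_.Group | Where-Object EventType -eq 'BadUsernameSessionEvent').Count }},
                  @{N = 'FirstSeenUtc'; E = { ($_.Group | Sort-Object CreatedTimeUtc | Select-Object -First 1).CreatedTimeUtc }},
                  @{N = 'LastSeenUtc';  E = { ($_.Group | Sort-Object CreatedTimeUtc | Select-Object -Last 1).CreatedTimeUtc }} |
    Format-Table -AutoSize
```

Rows flagged as loopback are exactly the web-client logins from the original question; the event still gives you the timestamp and user agent, and those two values are what you correlate against the appliance web server logs LucD refers to in order to recover the real client address.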

pragg12
Hot Shot

Hi LucD,

Thanks for your input on point 2. I will test it and let you know.

127.0.0.1 seems OK when you say it like that. However, I am a bit clueless about what you mean by "You'll probably have to look at the web server logs to find out from where these Gets are submitted." Exactly where should I check, since what I am trying to find out is from which IPs the web client connections are made to vCSA?

I believe the audit logs are more properly baked in 6.7 U2 per here: https://www.virtuallyghetto.com/2019/04/enhanced-vcenter-server-audit-event-logging-in-vsphere-6-7-u...

But is there something that can be done on 6.7 U1 ?

LucD
Leadership

I don't have a 6.7U1 running in my lab, but can you check if /var/log/audit/sso-events/audit_events.log contains the info?


pragg12
Hot Shot

I already checked but no such log file exists in vCSA 6.7 U1.

Hence I mentioned in my previous response that, per the article, a dedicated vCenter SSO audit log is created at the path you mentioned.

Any other way I can try ?

LucD
Leadership

Not that I know of I'm afraid.


pragg12
Hot Shot

Thank you for your efforts, LucD.
