I need to audit whenever a console is opened on any virtual machine running within a certain cluster. The cluster has 3 hosts. The information is readily available through the GUI in the "events" tab, but I need to be able to find it in either a vcenter log, or an ESXi host log that I can send to a centralized logger. In the ESXi hostd.log, I see the console connection to the virtual machine, but the userid is always vpxuser: Ticket issued for mks service to user: vpxuser
In the vmauthd.log I can also see the connection, but the user name is not included: Local connection for mks established.
In the host vpxa.log and in the vCenter server vpxd.log I see vim.VirtualMachine.acquireTicket but nowhere can I find the userid as it is shown in the client GUI (both the fat client and the web client) where it shows the connection and the user. I've searched all the host level logs, and the vCenter logs, but can't seem to find it. Does anyone have any idea?
Thanks very much,
this is a limitation upto vSphere 5.5
but in vSphere 6.0 that has been covered.
Improved Auditability of ESXi Administrator Actions
Prior to vSphere 6.0, actions at the vCenter Server level by a named user appeared in ESXi logs with the “vpxuser” username—for example, [user=vpxuser].
In vSphere 6.0, all actions at the vCenter Server level against an ESXi server appear in the ESXi logs with the vCenter Server username—for example, [user=vpxuser:DOMAIN\User].
This provides a better audit trail of actions that were run on a vCenter Server instance that conducted corresponding tasks on the ESXi hosts.
ref: http://www.vmware.com/files/pdf/vsphere/VMW-WP-vSPHR-Whats-New-6-0-PLTFRM.pdf
You can get the detail by powercli command get-visession
You need to connect to VC than you need to run this to get detail.
this is a limitation upto vSphere 5.5
but in vSphere 6.0 that has been covered.
Improved Auditability of ESXi Administrator Actions
Prior to vSphere 6.0, actions at the vCenter Server level by a named user appeared in ESXi logs with the “vpxuser” username—for example, [user=vpxuser].
In vSphere 6.0, all actions at the vCenter Server level against an ESXi server appear in the ESXi logs with the vCenter Server username—for example, [user=vpxuser:DOMAIN\User].
This provides a better audit trail of actions that were run on a vCenter Server instance that conducted corresponding tasks on the ESXi hosts.
ref: http://www.vmware.com/files/pdf/vsphere/VMW-WP-vSPHR-Whats-New-6-0-PLTFRM.pdf