VMware Cloud Community
nicolaj
Enthusiast
Enthusiast
‎06-03-2015 06:14 AM
Jump to solution

How do I audit console sessions including user name?

I need to audit whenever a console is opened on any virtual machine running within a certain cluster. The cluster has 3 hosts. The information is readily available through the GUI in the "events" tab, but I need to be able to find it in either a vcenter log, or an ESXi host log that I can send to a centralized logger. In the ESXi hostd.log, I see the console connection to the virtual machine, but the userid is always vpxuser: Ticket issued for mks service to user: vpxuser

In the vmauthd.log I can also see the connection, but the user name is not included: Local connection for mks established.  

In the host vpxa.log and in the vCenter server vpxd.log I see vim.VirtualMachine.acquireTicket but nowhere can I find the userid as it is shown in the client GUI (both the fat client and the web client) where it shows the connection and the user. I've searched all the host level logs, and the vCenter logs, but can't seem to find it. Does anyone have any idea?

Thanks very much,

0 Kudos
1 Solution

Accepted Solutions
npadmani
Virtuoso
Virtuoso
‎06-03-2015 06:49 AM
Jump to solution

this is a limitation upto vSphere 5.5

but in vSphere 6.0 that has been covered.

Improved Auditability of ESXi Administrator Actions

Prior to vSphere 6.0, actions at the vCenter Server level by a named user appeared in ESXi logs with the “vpxuser” username—for example, [user=vpxuser].

In vSphere 6.0, all actions at the vCenter Server level against an ESXi server appear in the ESXi logs with the vCenter Server username—for example, [user=vpxuser:DOMAIN\User].

This provides a better audit trail of actions that were run on a vCenter Server instance that conducted corresponding tasks on the ESXi hosts.

ref: http://www.vmware.com/files/pdf/vsphere/VMW-WP-vSPHR-Whats-New-6-0-PLTFRM.pdf

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified

View solution in original post

0 Kudos
2 Replies
CoolRam
Expert
Expert
‎06-03-2015 06:45 AM
Jump to solution

You can get the detail by powercli command get-visession

You need to connect to VC than you need to run this to get detail.

If you find any answer useful. please mark the answer as correct or helpful.
npadmani
Virtuoso
Virtuoso
‎06-03-2015 06:49 AM
Jump to solution

this is a limitation upto vSphere 5.5

but in vSphere 6.0 that has been covered.

Improved Auditability of ESXi Administrator Actions

Prior to vSphere 6.0, actions at the vCenter Server level by a named user appeared in ESXi logs with the “vpxuser” username—for example, [user=vpxuser].

In vSphere 6.0, all actions at the vCenter Server level against an ESXi server appear in the ESXi logs with the vCenter Server username—for example, [user=vpxuser:DOMAIN\User].

This provides a better audit trail of actions that were run on a vCenter Server instance that conducted corresponding tasks on the ESXi hosts.

ref: http://www.vmware.com/files/pdf/vsphere/VMW-WP-vSPHR-Whats-New-6-0-PLTFRM.pdf

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
0 Kudos