VMware Cloud Community
Labcoat
Enthusiast

User Authentication Log

I spent a significant amount of time googling/looking for what I assumed would be something simple: an authlog for my 2 VMware hosts, managed by vCenter.

I have 2 physical hosts. One is running VMware 4.0 and the other 4.1 update 1. Neither has the ubiquitous /var/log/auth.log that would easily show a shell session from ssh or telnet.

Ok, I then prowl my VM running vCenter.  I can find nothing there: nothing in event logs, in any .log file.

I did find where I can add a syslog server from vSphere client.  Is this what it takes?

I simply want to see when a user or admin connected with an IP showing from where that connection came.

4 Replies
iw123
Commander

Have you checked out /var/log/secure and /var/log/messages ?

*Please, don't forget the awarding points for "helpful" and/or "correct" answers
Labcoat
Enthusiast

1st, I have no/show no /var/log/secure at all on either server.  [Rechecking now]  No.  I show no /var/log/secure on either box.

2nd, /var/log/messages indeed shows my putty login ("PAM password auth succeeded for [user]"), but I see no originating IP address, such as is found in /var/log/auth on any Linux server.

Also, I want to be able to see, primarily, vSphere authentication info.  I do not know if this would be located on my vCenter Windows server VM, or in some /var/log.

Again, vSphere has a place to set up a syslog server, and I'm wondering if that isn't the answer.

iw123
Commander

The events for your vCenter should show the login information if it's authenticated connections to vCenter you want to look out for. E.g.:

[Screenshot: vclog.jpg]

Labcoat
Enthusiast

You are correct. I was able to save the security event log out to a .csv file, then do a findstr on it to output just the IP addresses of connecting clients to the vCenter Windows server I run -- this is a VM of course.

I still have the issue of showing no logs on the 2 physical hosts, and do not have a secure section under /var/logs.

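The CSV approach described in the last post, as an added example that is not part of the original thread: a Python sketch that goes beyond a plain findstr by pairing each remote source address with the logon time and account. It assumes Event Viewer's CSV export layout (message text in the sixth column) and event ID 4624 for successful logons; the sample rows, accounts and addresses are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample. Assumed layout: Event Viewer "Save All Events As" CSV,
# columns Level, Date and Time, Source, Event ID, Task Category, message.
SAMPLE_CSV = '''Level,Date and Time,Source,Event ID,Task Category
Information,3/14/2011 9:02:11 AM,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on.
Subject:
  Account Name: -
New Logon:
  Account Name: labadmin
Network Information:
  Source Network Address: 192.0.2.15"
Information,3/14/2011 9:05:40 AM,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on.
New Logon:
  Account Name: SYSTEM
Network Information:
  Source Network Address: -"
Information,3/14/2011 9:30:02 AM,Microsoft-Windows-Security-Auditing,4634,Logoff,"An account was logged off."
Information,3/14/2011 10:11:57 AM,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on.
New Logon:
  Account Name: jsmith
Network Information:
  Source Network Address: 198.51.100.7"
'''

ADDR_RE = re.compile(r"Source Network Address:[ \t]*(\S+)")
USER_RE = re.compile(r"New Logon:.*?Account Name:[ \t]*(\S+)", re.S)
LOCAL = {"-", "::1", "127.0.0.1"}  # no remote client behind these values

def logons_by_source(csv_text, event_ids=("4624",)):
    """Map each remote source address to its (timestamp, account) logons."""
    found = defaultdict(list)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 6 or row[3] not in event_ids:
            continue  # header, blank line, or an event that is not a logon
        addr = ADDR_RE.search(row[5])
        if not addr or addr.group(1) in LOCAL:
            continue
        user = USER_RE.search(row[5])
        found[addr.group(1)].append((row[1], user.group(1) if user else "?"))
    return dict(found)

if __name__ == "__main__":
    for ip, hits in sorted(logons_by_source(SAMPLE_CSV).items()):
        print(ip, hits)
```

Pass a different `event_ids` tuple if the exported log uses other logon event IDs.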