I spent a significant amount of time googling/looking for what I assumed would be something simple: an authlog for my 2 VMware hosts, managed by vCenter.
I have 2 physical hosts. One is running VMware 4.0 and the other 4.1 update 1. Neither has the ubiquitous /var/log/auth.log that would easily show a shell session from ssh or telnet.
Ok, I then prowl my VM running vCenter. I can find nothing there: nothing in event logs, in any .log file.
I did find where I can add a syslog server from vSphere client. Is this what it takes?
I simply want to see when a user or admin connected with an IP showing from where that connection came.
Have you checked out /var/log/secure and /var/log/messages?
1st, I have no/show no /var/log/secure at all on either server. [Rechecking now] No. I show no /var/log/secure on either box.
2nd, /var/log/messages indeed shows my PuTTY login ("PAM password auth succeeded for [user]"), but I see no originating IP address, such as is found in /var/log/auth on any Linux server.
Also, I want to be able to see, primarily, vSphere authentication info. I do not know if this would be located on my vCenter Windows server VM, or in some /var/log.
Again, vSphere has a place to set up a syslog server, and I'm wondering if that isn't the answer.
The events for your vCenter should show the login information if it's authenticated connections to vCenter you want to look out for. E.g.:
You are correct. I was able to save the security event log out to a .csv file, then do a findstr on it to output just the IP addresses of connecting clients to the vCenter Windows server I run -- this is a VM of course.
I still have the issue of showing no logs on the 2 physical hosts, and do not have a secure section under /var/logs.
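
The export-to-CSV-and-filter approach described in the last post, as an added example that is not part of the original thread: instead of a plain text match, it groups logon records by source address and keeps the timestamp and account for each. The CSV column names, the message field labels and the sample rows are constructed assumptions; adjust them to the real export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample shaped like an Event Viewer CSV export; the column names
# and message fields are assumptions, so adjust them to match the real file.
SAMPLE_CSV = '''Level,Date and Time,Source,Event ID,Task Category,Message
Information,3/14/2011 9:02:11 AM,Security,540,Logon/Logoff,"Successful Network Logon:
 User Name: vcadmin
 Source Network Address: 192.0.2.15"
Information,3/14/2011 9:05:40 AM,Security,4624,Logon,"An account was successfully logged on.
 Subject:
  Account Name: -
 New Logon:
  Account Name: jsmith
 Network Information:
  Source Network Address: 198.51.100.7"
Information,3/14/2011 9:07:02 AM,Security,540,Logon/Logoff,"Successful Network Logon:
 User Name: vcadmin
 Source Network Address: -"
Information,3/14/2011 9:09:30 AM,Security,538,Logon/Logoff,"User Logoff:
 User Name: vcadmin"
Information,3/14/2011 9:12:55 AM,Security,540,Logon/Logoff,"Successful Network Logon:
 User Name: vcadmin
 Source Network Address: 192.0.2.15"
'''

# [ \t]* keeps an empty field from swallowing the next line's first token.
ADDR_RE = re.compile(r"Source Network Address:[ \t]*(\S+)")
USER_RE = re.compile(r"(?:User|Account) Name:[ \t]*(\S+)")
LOCAL = {"-", "127.0.0.1", "::1"}  # console or loopback logons carry no remote IP


def logons_by_source(csv_text):
    """Map each remote source address to its (timestamp, account) logon rows."""
    found = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text, newline="")):
        message = row.get("Message") or ""
        addr = ADDR_RE.search(message)
        if addr is None or addr.group(1) in LOCAL:
            continue  # not a logon record, or no remote address recorded
        # Some records list a blank subject account first; keep the last real name.
        names = [n for n in USER_RE.findall(message) if n != "-"]
        found[addr.group(1)].append((row["Date and Time"], names[-1] if names else "?"))
    return dict(found)


if __name__ == "__main__":
    for ip, hits in sorted(logons_by_source(SAMPLE_CSV).items()):
        print(ip, len(hits), hits[0], hits[-1])
```
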