VMware Cloud Community
maksym007
Expert

User dcui 127.0.0.1 logged in

Hello everyone, 

I would like to raise a very important topic for me. Such a problem was discussed here earlier: 

All our ESXi hosts are spamming us in vCenter Events with such messages:

User dcui@127.0.0.1 logged in as VMware-client/6.5.0
User dcui@127.0.0.1 logged out

maksym007_0-1688649262191.png

As you can see in the screenshot, the initiators are:

user=:vsanmgmtd
user=dcui:vsanmgmtd
ha-eventmgr user=dcui
ha-eventmgr user=dcui

vSAN is not configured/used in the entire environment. As for the host vendor, these are "Primergy" servers.

The questions are:
How can these messages be disabled/suppressed?
What exactly triggers such messages?
What impact will disabling them cause?

Lalegre
Virtuoso

Hello @maksym007,

DCUI is the service that provides the integrated Management Console of ESXi; if you connect over IPMI or using SSH and type 'dcui', that is what I am talking about.

Then the vsanmgmtd is the service that provides Health and Performance metrics to vCenter and is always running even if you are not using it. 

These are just extra-verbose logs that do not produce any harm, and you will always be seeing them. They can be disabled by stopping the vsanmgmtd service and putting the host in lockdown mode, which will disable dcui; however, you could lose access to the console if it is not properly configured.

If you ask me, I would not pay attention to disabling them, as they do not cause any harm at all.

 

maksym007
Expert

I will tell you the following: I have tried to put ESXi into lockdown mode, and this was not the case.

Even with lockdown, the messages keep coming.

I don't want to disable it at all - but our Security Team is a bit nervous and irritable from these messages. 

ESXi 7.0.3 build from 31.01 of January. 

benkeprashant
Contributor

Hi @maksym007 

As per the events this is related to pyVmomi which is the Python SDK for the VMware vSphere API that allows you to manage ESX, ESXi, and vCenter.

 

There might be a pyvmomi management SDK integrated; please go through these links:

https://vmware.github.io/pyvmomi-community-samples/#getting-started

https://github.com/vmware/pyvmomi/tree/master

I have seen this kind of events on Dell-EMC vxrail sddc hosts as well.

-----Please Mark Answer if you found this helpful-----

 

 

maksym007
Expert

OK, thanks for pointing that out. This is already closer and more interesting.

Now the question is how it can be suppressed. Let it work if needed - but how to disable such events?

 

maksym007
Expert

Do you have any additional ideas? 

maksym007
Expert

So I have opened a case with VMware Support, as it became hot.

maksym007
Expert

Looks like the issue is somewhere deeper - I have opened a case again.

maksym007
Expert

CIM Provider from Custom Image is the issue. Finally found out the reason. 

markey165
Hot Shot

@maksym007

Would you mind confirming the steps you took to fix it, in case anyone else comes across this thread with the same issue? 😊

 

_____________________________________________
If this post helps you, please leave Kudo | or mark this reply as an answer
maksym007
Expert

In my case, this was Fujitsu Primergy Server. 

VMware Support identified that inside that CIM provider sits one script which triggers these alerts. 

The script itself is not harmful - it is simply spamming too much.

VMware Support has forwarded me to Fujitsu Support, since this CIM provider is a 3rd-party VIB.

Fujitsu told me to disable that VIB. Commands will be provided to me.

 

 

markey165
Hot Shot

Great, thanks @maksym007 - I have no doubt that will help someone who might stumble across this thread at some future point 👍

maksym007
Expert

I have asked Fujitsu whether it will be possible to make some changes in the script so that it creates its own user and does not use dcui or root.

Let it be "cim_provider_fujitsu" or something like that, but not dcui or root.

Then it will be clear that no breach has taken place, because strict mode does not solve the problem.

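A triage filter for the two event messages quoted in the question, as an added example that is not part of the original thread and is not VMware or Fujitsu code: it counts dcui sessions that originate from loopback and flags any dcui session coming from another address. The host names, the sample events and the `SERVICE_USERS` set are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message shapes as quoted in the question's vCenter events.
LOGIN = re.compile(r"^User (?P<user>\S+)@(?P<src>[^@\s]+) logged in as (?P<agent>\S+)$")
LOGOUT = re.compile(r"^User (?P<user>\S+)@(?P<src>[^@\s]+) logged out$")

# Assumption: accounts that should only ever open sessions from the host itself.
SERVICE_USERS = {"dcui"}

# Constructed sample events as (host, message); hosts and addresses are made up.
SAMPLE_EVENTS = [
    ("esx01.example", "User dcui@127.0.0.1 logged in as VMware-client/6.5.0"),
    ("esx01.example", "User dcui@127.0.0.1 logged out"),
    ("esx01.example", "User dcui@127.0.0.1 logged in as VMware-client/6.5.0"),
    ("esx02.example", "User dcui@192.0.2.44 logged in as VMware-client/6.5.0"),
    ("esx02.example", "User root@192.0.2.10 logged in as VMware-client/6.5.0"),
    ("esx02.example", "Alarm 'Host memory usage' changed from Gray to Green"),
]

def is_loopback(src):
    """True only for a literal loopback IP; host names are never trusted as local."""
    try:
        return ipaddress.ip_address(src).is_loopback
    except ValueError:
        return False

def triage(events):
    """Return (noise, review): loopback service sessions counted, remote ones listed."""
    noise, review = Counter(), []
    for host, msg in events:
        m = LOGIN.match(msg) or LOGOUT.match(msg)
        if not m or m["user"] not in SERVICE_USERS:
            continue  # other events and accounts stay on the normal alerting path
        if is_loopback(m["src"]):
            kind = m.groupdict().get("agent") or "logout"
            noise[(host, m["user"], kind)] += 1
        else:
            review.append((host, m["user"], m["src"], msg))
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE_EVENTS)
    for key, count in sorted(noise.items()):
        print("loopback service session", key, count)
    for item in review:
        print("REVIEW", item)
```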