VMware Cloud Community
SuSTech
Contributor
Contributor

User "User" is shutting down ESXi Host

Hi community,
I'm running a 5.5 ESXi host and 2 clients on it. One is a domain controller (DC-Parkett) and the other one is a Terminalserver (Terminal-Parkett).
For the past few weeks there is something I can't really get my head around:
the DC-Parkett server is being shut down by some user account named "user". This happens almost every day at 12:09 P.M.
Then I connected to the host via ssh to look at passwd, because the log (see Attachment PH1) says that the shutdown was triggerd by "User" my expectation was to see a user named "User" there... but no sign of "User".
So I thought "why not..." and changed all passwords of the existing users, but the error is still present. I don't really have any expirence with ESXi and I wasn't the one that installed and configured the current setup.

I hope you can help me out Smiley Happy

Greetings and with the best regards,

Max Lotz

Reply
0 Kudos
6 Replies
snj
Enthusiast
Enthusiast

Reply
0 Kudos
brunofernandez1

enable ssh on the server and log on to it.

then have a look on this logfile:

here you see command that where set in the shell:

cat /var/log/shell.log

logging for vSphere Client authentication on the esxi server (here you see ip and user)

cat /var/log/hostd.log

logging for SSH and console authentication

cat /var/log/auth.log

maybe with this logs you see someone who logged in?

------------------------------------------------------------------------------- If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards from Switzerland, B. Fernandez http://vpxa.info/
Reply
0 Kudos
brunofernandez1

lockdown mode is not possible as he seems to connect directly to the esx server.

that probabely means that he hasn't a vcenter

------------------------------------------------------------------------------- If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards from Switzerland, B. Fernandez http://vpxa.info/
Reply
0 Kudos
SuSTech
Contributor
Contributor

Thank you for your fast response, it seems to log only a certain number of days and the log starts at 2015-10-13T19:12:25 and the last known shutdown would be around 2015-10-13T12:07:00 so I can't look at what actually happend... yet.
But I'm positiv that those logs will help me to figure it out. So Thanks Smiley Happy
But how come that the vSphere Client tells me that the shutdown was triggerd by a user that as far as I know doesn't even exist..?!
And why does the shutdown appear to be at 12:09 AM most of the time, it can't be a human so what, program or service does it?


Greetings Max Lotz

Reply
0 Kudos
brunofernandez1

hi max

I really dont know why the logs are showing that user that even exists. But i have found a nice KB with another log that you can check:

VMware KB: Determining why a virtual machine was powered off or restarted

------------------------------------------------------------------------------- If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards from Switzerland, B. Fernandez http://vpxa.info/
Reply
0 Kudos
nadupalliramesh
Contributor
Contributor

I think its guest which is triggering the action, not the esxi host. Please check if there any schduled jobs/system crashes around that time.

Reply
0 Kudos