VMware Cloud Community
fitzie22
Contributor

Audit Logon Attempts

I have an ESXi 3.5 Update 4 host that I have been asked by management to be able to audit if someone tries to log on to that box through the VC client directly or through VC Server. I have been testing it and I know that if I try to connect to it directly and it fails I can see an event in the events tab in the VC management server. The problem is that it just says failed and gives the account but not the server that was trying to be accessed. If I look at the events by connecting directly to the server itself there is nothing there. Any help would be greatly appreciated.

3 Replies
mehul96
Enthusiast

For auditing, I would rely on the OS logs in the service console. You can SSH to the ESX host and look at /var/log/messages and /var/log/secure; there will be lines that give the timestamp, account attempted and IP of the machine attempting access (everything you need to call the police!).

tail /var/log/secure

Jun 24 13:08:17 XXXXXXXXX xinetd[1026]: START: vmware-authd pid=27435 from=

Mehul

PS: if you find responses correct or helpful, please consider awarding points by marking the response correct or helpful

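Added example (not from the thread or from VMware): a Python script that reads service-console /var/log/secure lines like the one quoted above and lists vmware-authd connections from sources outside an allowlist. The host name, addresses and allowlist are constructed; an xinetd START record marks a connection to the service, not a failed logon, and the IPv4-mapped `from=::ffff:...` form is an assumption about xinetd builds with IPv6 support.

```python
import ipaddress
import re
from collections import defaultdict

# xinetd connection record as written to /var/log/secure on the service console.
START_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sxinetd\[\d+\]:\s"
    r"START:\s(?P<service>\S+)\spid=(?P<pid>\d+)\sfrom=(?P<src>\S*)"
)

def normalize(src):
    """Return a canonical source address, or None if the field is empty or garbled."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return str(mapped or addr)

def audit_authd(lines, allowed, service="vmware-authd"):
    """Group connections to `service` by source; return (unexpected, unparsed)."""
    allowed = {normalize(a) for a in allowed}
    unexpected, unparsed = defaultdict(list), []
    for line in lines:
        m = START_RE.match(line)
        if not m or m["service"] != service:
            continue  # not an xinetd START record for the audited service
        src = normalize(m["src"])
        if src is None:
            unparsed.append(line)  # e.g. a record cut off after "from="
        elif src not in allowed:
            unexpected[src].append((m["ts"], m["host"]))
    return dict(unexpected), unparsed

# Constructed sample lines (documentation addresses, hypothetical host name esx01).
SAMPLE = """\
Jun 24 13:08:17 esx01 xinetd[1026]: START: vmware-authd pid=27435 from=192.0.2.10
Jun 24 13:09:02 esx01 xinetd[1026]: START: vmware-authd pid=27440 from=::ffff:198.51.100.7
Jun 24 13:09:05 esx01 xinetd[1026]: START: vmware-authd pid=27441 from=198.51.100.7
Jun 24 13:10:11 esx01 xinetd[1026]: START: vmware-authd pid=27450 from=
Jun 24 13:10:30 esx01 sshd[2201]: Accepted password for root from 192.0.2.10 port 50122 ssh2
""".splitlines()

if __name__ == "__main__":
    hits, bad = audit_authd(SAMPLE, allowed=["192.0.2.10"])
    for src, events in hits.items():
        print(f"{src}: {len(events)} connection(s), first at {events[0][0]}")
    print(f"{len(bad)} line(s) with no usable source address")
```

Here the allowlist holds the one management station expected to reach the host (in the thread's setup, the VC server); anything else that opened a vmware-authd session is reported with its timestamps.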
fitzie22
Contributor

Thanks for your response. I have ESXi so I don't have the SC to log into. That is where I am stuck.

DSTAVERT
Immortal

You can put the management port (VMkernel) on a separate subnet behind a router/firewall. Access only via VPN. Use whatever logging, traps, etc. to capture failed login attempts, etc. You can also set up a logging server and capture all ESXi logging for monitoring.

-- David -- VMware Communities Moderator