List of failed logins in case of esxi 6.5

zsoltesz · ‎03-12-2018

How can I list the failed logins to an esxi host using PowerCLI? I try to use this KB article VMware Knowledge Base , but It doesn't work with version 6.5.

There is an annoying root account lock error on a few hosts.

Thanks in advance!

Zoli

kwhornlcs · ‎03-12-2018

Do you get an error message, or just no hits?

Ran the script in my environment (6.5.1) and it seems to work fine.

zsoltesz · ‎03-19-2018

I got this error:

Get-VIEvent : 2018.03.19. 9:57:21 Get-VIEvent Error in deserializing body of reply message for operation 'ReadPreviousEvents'.

Despite the error I got some events, but there is no 'Cannot Login' events between them.

LucD · ‎03-19-2018

That is unfortunately a known issue, and is most probably a vCenter/VCSA issue as I understood it.

Currently no real fix afaik.

You can try a number of things, which sometimes seem to help:

stop/start your PowerShell/PowerCLI session
connect to the vCenter with the FQDN
restart your vCenter

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

zsoltesz · ‎03-19-2018

Thank you LucD!!

Despite of the error I got lot of events. But I cannot find the failed logins. A find only 'Remote access for ESXi local user account 'root' has been locked for 900 seconds after 2480 failed login attempts' rows, but nothing about the causing failed logins.

LucD · ‎03-19-2018

One more tip for Get-VIEvent and that error, do the retrieval in batches, not all in one go.

If you need a further analysis of the failed logons, you need to have a look at William's Forwarding AuthN/AuthZ activities from vSphere 6.0 & 6.5 to Syslog

The examples on the github repo William refers to give you that extra info you would need to analyse why a login failed.

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

All

List of failed logins in case of esxi 6.5