VMware Cloud Community
Finikiez
Champion
Champion

how to check who assigned\deleted permission on an object in vcenter inventory

Hello!

I'm trying to figure out how to find who assigned\deleted permissions in VC's inventory.

I use VCSA 6.5 build 7312210 and 7515524

I read William's article https://www.virtuallyghetto.com/2017/06/auditinglogging-vcenter-server-authentication-authorization-...

A big problem that whenever you create\delete pemission, related Event shows that vcenter solution user did this and not a real user. (Screenshots in the article show the same behaviour).

Here the example

1. Permission for user 'test' created on vcenter level and Read-only role is assigned

pastedImage_2.png

2. Then this permission is removed

pastedImage_3.png

Actually this was administrator@vsphere.local user who did this.

What I checked:

1. vpxd.log shows nothig for this action

2. SSO logs show nothig also.

3. Gettings events using PowerCLI shows the same

pastedImage_6.png

Any suggestion how can I get real user who assigned\deleted permissions?

10 Replies
daphnissov
Immortal
Immortal

Do you have logs being captured by vRLI? If so, that should have it.

Reply
0 Kudos
Finikiez
Champion
Champion

I do, but Loginsight shows the same events and it also can show me the same logs which I can read manually Smiley Happy

I did another test with domain users

here evets from vRLI

pastedImage_1.png

Reply
0 Kudos
Finikiez
Champion
Champion

But actually I don't send VCSA logs like vpxd and others to loginsight.

However SSO and vpxd logs show nothing for this actions.

Reply
0 Kudos
daphnissov
Immortal
Immortal

Hmm, yes I see. It may not be possible to recollect in that case if there's solution user substitution. Is this something you know of, mikefoley​?

mikefoley
VMware Employee
VMware Employee

Have you configured syslog on vCenter to send to Log Insight? (Not the vpxd logs, actually setting it at the VAMI)

You'll get the vCenter Events, the same content you see in the event viewer in the web client.

mike

Reply
0 Kudos
daphnissov
Immortal
Immortal

As pointed out, the source logs don't seem to contain this information (check Finikiez's post at the top).

Reply
0 Kudos
Finikiez
Champion
Champion

Ok, I've double checked the vpxd.log and it seems I missed some lines when checked it before.

2018-04-27T17:29:04.875+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [VpxLRO] -- BEGIN lro-1529846 -- AuthorizationManager -- vim.AuthorizationManager.fetchUserPrivilegeOnEntities -- 522facb3-f8d0-e789-c380-2fc1968c463b(5243dfe1-44ac-57f6-e479-022835c2959a)

2018-04-27T17:29:04.875+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\test, false)

2018-04-27T17:29:04.909+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\test, false) res: VSPHERE.LOCAL\test

2018-04-27T17:29:04.910+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=[SSO][GroupcheckAdapter] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [FindAllParentGroups]

2018-04-27T17:29:04.930+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=AuthorizeManager opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [Auth]: User VSPHERE.LOCAL\test

2018-04-27T17:29:04.930+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [VpxLRO] -- FINISH lro-1529846

2018-04-27T17:29:04.934+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [VpxLRO] -- BEGIN lro-1529847 -- AuthorizationManager -- vim.AuthorizationManager.hasUserPrivilegeOnEntities -- 5239060e-38e5-8cbc-6a78-1a5c049e362c(526eb8b0-e98c-8a9d-34d8-a6f78e5bde99)

2018-04-27T17:29:04.934+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\Administrator, false)

2018-04-27T17:29:04.976+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\Administrator, false) res: VSPHERE.LOCAL\Administrator

2018-04-27T17:29:04.976+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=[SSO][GroupcheckAdapter] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [FindAllParentGroups]

2018-04-27T17:29:05.030+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [VpxLRO] -- FINISH lro-1529847

2018-04-27T17:29:05.033+03:00 info vpxd[7F79FA826700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-ff] [VpxLRO] -- BEGIN lro-1529848 -- AuthorizationManager -- vim.AuthorizationManager.removeEntityPermission -- 52246423-9537-1d0a-738c-ec90594dc7d2(5273d5ec-ad08-80ca-2c37-cbddb57dbdb7)

2018-04-27T17:29:05.033+03:00 info vpxd[7F79FA826700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-ff] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\test, false)

2018-04-27T17:29:05.071+03:00 info vpxd[7F79FA826700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-ff] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\test, false) res: VSPHERE.LOCAL\test

2018-04-27T17:29:05.074+03:00 info vpxd[7F79FA826700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-ff] [VpxLRO] -- FINISH lro-1529848

It's not so obvious but seems that vpxd checks user who tries to remove permission before removing permissions for another user.

Reply
0 Kudos
daphnissov
Immortal
Immortal

So if vpxd.log is capturing it, you need to install the vRLI agent on your vCSA and configure an agent group which has that definition (from the vSphere content pack). It should then parse all those log streams.

Finikiez
Champion
Champion

I guess that it's better to fill up a feature request to make this process much easier in future Smiley Happy

Thanks )

Reply
0 Kudos
daphnissov
Immortal
Immortal

Agreed, although good luck with that Smiley Wink

Feature request form is here, BTW:  https://www.vmware.com/company/contact/contactus.html?department=prod_request