VMware Cloud Community
ksl281
Contributor

Extract failed logins

Hi,

 

We recently had a support case with VMware, because our root logins started to fail across several hosts.

I was pretty sure it was due to some monitoring server trying to log in with the wrong password, and they confirmed that.

But we had to dig through several logfiles (auth.log and vobd), to find the source IP.

Using this article, I'm able to see the failed logins for our root account.

Use PowerCLI to See ESXi Host Failed Login Errors - Virtualization Howto

 

But the Get-VIEvent function does not present the entries in the auth.log file, which I also need. The reason is that we (apparently) have lots of products trying to log in to the ESXi hosts for various purposes. So entries like this are often present in the auth.log file:

2021-10-29T06:30:24Z sshd[2221034]: FIPS mode initialized
2021-10-29T06:30:36Z sshd[2221034]: Invalid user security_product_scanner from 10.193.10.29 port 64494
2021-10-29T06:30:36Z sshd[2221034]: Postponed keyboard-interactive for invalid user security_product_scanner from 10.193.10.29 port 64494 ssh2 [preauth]
2021-10-29T06:30:38Z sshd[2221039]: pam_unix(sshd:auth): check pass; user unknown
2021-10-29T06:30:38Z sshd[2221039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.193.10.29
2021-10-29T06:30:38Z sshd[2221039]: [module:pam_lsass]pam_do_authenticate: error [login:security_product_scanner][error code:2]
2021-10-29T06:30:38Z sshd[2221039]: [module:pam_lsass]pam_sm_authenticate: failed [error code:2]
2021-10-29T06:30:43Z sshd[2221034]: error: PAM: Authentication failure for illegal user security_product_scanner from 10.193.10.29
2021-10-29T06:30:43Z sshd[2221034]: Failed keyboard-interactive/pam for invalid user security_product_scanner from 10.193.10.29 port 64494 ssh2
2021-10-29T06:30:43Z sshd[2221034]: Postponed keyboard-interactive for invalid user security_product_scanner from 10.193.10.29 port 64494 ssh2 [preauth]

 

So I need these entries to be gathered, so that I can ask the monitoring team to stop this 🙂

 

How do I accomplish this?

0 Replies
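One way to gather the auth.log entries the post shows, as an added example that is not part of the original post and not VMware's or PowerCLI's code: a small Python parser that pulls one record per failed SSH attempt out of ESXi auth.log text and counts them per source IP and username. The sample input embeds the sshd/PAM lines quoted above; the final line for root from 10.193.10.40 is a constructed addition to show how an attempt against an existing account is reported differently from one against a non-existent user. Run it against a copy of /var/log/auth.log pulled from each host (or the forwarded syslog stream, which the regex tolerates because it only anchors on the sshd[...] part of the line).

```python
import re
import sys
from collections import Counter

# Constructed sample: the sshd/PAM lines quoted in the post, plus one assumed
# line for a failed root login from 10.193.10.40 (not from the post).
SAMPLE_AUTH_LOG = """\
2021-10-29T06:30:24Z sshd[2221034]: FIPS mode initialized
2021-10-29T06:30:36Z sshd[2221034]: Invalid user security_product_scanner from 10.193.10.29 port 64494
2021-10-29T06:30:36Z sshd[2221034]: Postponed keyboard-interactive for invalid user security_product_scanner from 10.193.10.29 port 64494 ssh2 [preauth]
2021-10-29T06:30:38Z sshd[2221039]: pam_unix(sshd:auth): check pass; user unknown
2021-10-29T06:30:38Z sshd[2221039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.193.10.29
2021-10-29T06:30:38Z sshd[2221039]: [module:pam_lsass]pam_do_authenticate: error [login:security_product_scanner][error code:2]
2021-10-29T06:30:38Z sshd[2221039]: [module:pam_lsass]pam_sm_authenticate: failed [error code:2]
2021-10-29T06:30:43Z sshd[2221034]: error: PAM: Authentication failure for illegal user security_product_scanner from 10.193.10.29
2021-10-29T06:30:43Z sshd[2221034]: Failed keyboard-interactive/pam for invalid user security_product_scanner from 10.193.10.29 port 64494 ssh2
2021-10-29T06:30:43Z sshd[2221034]: Postponed keyboard-interactive for invalid user security_product_scanner from 10.193.10.29 port 64494 ssh2 [preauth]
2021-10-29T06:31:02Z sshd[2221051]: Failed keyboard-interactive/pam for root from 10.193.10.40 port 51822 ssh2
"""

# One SSH attempt produces several auth.log lines (Invalid user, Postponed,
# pam_unix, pam_lsass, error: PAM ...). Only the sshd "Failed <method> for ..."
# line is emitted exactly once per attempt, so that is the line we count.
# "invalid user" appears only when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Return one dict per failed SSH login attempt found in auth.log text."""
    records = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        records.append({
            "ts": line.split()[0],          # first token is the timestamp
            "user": m["user"],
            "ip": m["ip"],
            "port": int(m["port"]),
            "method": m["method"],
            # attempts against existing accounts (e.g. root) are the ones that
            # can trigger the host's account lockout; unknown users cannot
            "account_exists": m["invalid"] is None,
        })
    return records


def summarize(records):
    """Count attempts per (source IP, username): who to ask to stop."""
    return Counter((r["ip"], r["user"]) for r in records)


if __name__ == "__main__":
    # usage: python failed_logins.py /path/to/auth.log  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUTH_LOG
    for (ip, user), n in summarize(parse_failed_logins(text)).most_common():
        print(f"{ip:<16} {user:<32} {n} failed attempt(s)")
```

Counting only the "Failed ... for ..." line avoids multiplying one attempt by the five or six PAM lines that accompany it. Concatenate the auth.log files from all affected hosts before running it if you want a single table per source IP; the `account_exists` flag separates the noise from unknown scanner accounts from the attempts against root that actually cause the lockouts.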