4 Replies Latest reply on Mar 24, 2011 10:58 AM by aorady

    vCenter session - find origin of login

    Matt.B Enthusiast

      I have a user that can't tell me what is logging into vCenter with his credentials.  The account will go idle for several hours.  If I kill the session, it comes right back.  How can I find something more identifiable like an IP of where the session originates?  I tried http://nickapedia.com/2010/02/15/vsphere-mini-monitor-now-with-more-cowbell/ on my Win 7 x64 desktop but it crashes in various ways when trying to login to my vCenter.  I know there are PowerCLI scripts to kill idle sessions but this "service" will just log right back in immediately.  Thanks.

        • 1. Re: vCenter session - find origin of login
          lamw Guru
          Community WarriorsVMware Employees

          This is something that you can easily track by using vCenter's vpxd.logs. You will need to know the session key which you can query from the APIs or using the vCenter MOB under sessionManager object. You also need to change your vCenter logging _tempoairly_ to verbose if it isn't already, by defaul the logging output is configured as "info" which doesn't go into detail on the actual client agents which is where you'll identify the IP Address in which it is logging into.

           

          Once you're ready, enable the verbose logging and terminate the existing connection. Wait until it re-connects, then grab the session key, this way you don't have to search through all your vpxd.logs looking for the actual login. Search the main vpxd log and you should see something of the following:

           

          [2010-12-21 19:27:33.115 01456 info 'Libs'] [ADS] Account primp found, but not local
          [2010-12-21 19:27:33.115 01456 info 'App'] Error 1326 authenticating user .\primp.
          [2010-12-21 19:27:33.131 01456 info 'App'] [Auth]: User PRIMP-IND\primp
          [2010-12-21 19:27:33.131 01456 verbose 'App'] [VpxdUser] Registering session with cnxId=49C1F429-8403-4D0D-B319-7C79C2708FF1
          [2010-12-21 19:27:33.131 01456 verbose 'PropertyProvider'] RecordOp ADD: sessionList["3B655744-E886-41AE-89AC-DFF691901A1B"], SessionManager

           

          You should see the user name and specifically the sessionList which is your session key. From here, you will key off of the 3rd column and in my example this is "01456" which is the actual thread number. You will use this to identify all entries with respect to your session and search for all these entries, you should see something of the following not too far from the session details which should look something like this:

           

          [2010-12-21 19:27:36.053 01456 verbose 'ProxySvc Req70068'] New client SSL(TCPStreamWin32(socket=TCP(fd=3592) local=172.30.0.60:443,  peer=172.30.0.218:53893
          ))

           

          This is the actual request and you'll see "local" which should be the IP Address of your vCenter server and "peer" which is the actual client. In my example, I simulated this by logging into the MOB from my local desktop and that is the IP Address of my system.

           

          If you transfer your vpxd-log to a Linux host, you can do something of the following to save you time from search using Windows You just need to define the two variables VPX_LOG which is the actual log file and SESSION_ID which is the session key

          VPX_LOG=vpxd-198.log;SESSION_ID=3B655744-E886-41AE-89AC-DFF691901A1B;grep $(grep "${SESSION_ID}" $VPX_LOG | awk '{print $3}') $VPX_LOG | grep peer

           

          This should hopefully help you identify the culprit

          • 2. Re: vCenter session - find origin of login
            idle-jam Champion
            User Moderators

            Good Info! It comes useful for me too. Thanks.

            • 3. Re: vCenter session - find origin of login
              Matt.B Enthusiast

              Thanks, that was it!  I set vCenter to verbose, terminated the user, it came right back in and I went straight to the latest vpxd.log file on the vCenter server.  I had to copy it since it will still in use.  I scrolled down to just before I disconnected the session, searched for TCPStream and did a nslookup on each peer IP.  I quickly found an IP that makes sense.  Thanks again!

              • 4. Re: vCenter session - find origin of login
                aorady Lurker

                Doesn't your Events tab show the origin of the connection?
                I am attaching a pic of what I see on my VC (4.1)