VMware Cloud Community
Rayjay888
Contributor

ESXi and VCSA - Failed login Audit report - moved from vSphere noobs

Hi all,

I need to do reports on failed logins (as I'm sure many do).

I'm in a simple environment with several ESXi 5.5 boxes reporting to a VCSA 6.0.

I can get most of the failures (ESXi SSH, web client and C# fat client, VCSA SSH and C# fat client) that are logged in the VCSA event console through PowerCLI Get-VIEvent.

e.g. (apologies in advance for the simplistic PS code):

Connect-VIServer -Server xxx.xxx.xxx.xxx

# Pull the events once (ISO dates avoid the dd/MM vs MM/dd culture ambiguity),
# then split them by whether an ESXi host is attached to the event or not.
$events = Get-VIEvent -Start (Get-Date '2018-02-08') -Finish (Get-Date '2018-02-28') -MaxSamples 10000
$hostevents   = $events | Where-Object { -not [string]::IsNullOrEmpty($_.Host.Name) }
$VChostevents = $events | Where-Object { [string]::IsNullOrEmpty($_.Host.Name) }

# Failed logons on an ESXi host
foreach ($event in $hostevents) {
    if ($event.FullFormattedMessage -match 'Cannot login') {
        Write-Host ("----ESX----" + $event.FullFormattedMessage + " from " + $event.Host.Name + " at: " + $event.CreatedTime)
    }
}

# Failed logons against the vCenter itself (no host on the event)
foreach ($event in $VChostevents) {
    if ($event.FullFormattedMessage -match 'Cannot login') {
        Write-Host ("----VCE----" + $event.FullFormattedMessage + " from " + $event.Host.Name + " at: " + $event.CreatedTime)
    }
}

So far so good.

But I need to also get the failed web client/SSO logins for the VCSA that appear to be logged in /var/log/vmware/sso/vmware-sts-idmd.log

# tail -20000 /var/log/vmware/sso/vmware-sts-idmd.log | grep -e "Login failed" -e "Authentication failed"

Seems to do what I want, but I'd like to extract it into a Windows environment.

Even if I get the /var/log/vmware/sso/vmware-sts-idmd.log into PS / Windows, I should also really get the .gz file(s) too, as it may have just archived.

I then have to extract by time period.

Is there any CLI stuff that can help?

I do have vRealize Log Insight running, but just the free version, so I cannot add dashboards; I'd have to create my own queries and I haven't quite got my head around it yet.

Has anyone some insights they could share, or do users that need to do these audit reports just buy something commercial like GFILog?

cheers and regards,
Ray
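A typed-event version of the report in the post above, added here as an example (it is not code from the original post, nor from PowerCLI's documentation). Instead of a regex over the formatted message it keys on the vSphere event class for a failed logon, which is the class behind the "Cannot login user@ip" messages the script matches, and it emits objects so the result can go straight to CSV. Assumptions: vCenter is raising those events for the period queried, the vCenter address is the same placeholder as in the post, the function name and the CSV path are made up for the example.

```powershell
# Added example, not code from the thread.
# Assumption: failed logons surface as BadUsernameSessionEvent objects
# (the "Cannot login user@ip" events) and Connect-VIServer has been run.

function Get-FailedLoginEvent {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$Finish,
        # Get-VIEvent stops at this many events; raise it for a busy vCenter
        [int]$MaxSamples = 100000
    )
    # Filter on the event class rather than on the (localisable) message text
    $failed = Get-VIEvent -Start $Start -Finish $Finish -MaxSamples $MaxSamples |
        Where-Object { $_.GetType().Name -eq 'BadUsernameSessionEvent' }

    foreach ($event in $failed) {
        # Host is empty when vCenter/SSO itself rejected the logon
        # (the "VCE" case in the original script)
        $source = if ([string]::IsNullOrEmpty($event.Host.Name)) { 'vCenter' } else { $event.Host.Name }
        [pscustomobject]@{
            Time      = $event.CreatedTime
            Source    = $source
            User      = $event.UserName
            IpAddress = $event.IpAddress
            Message   = $event.FullFormattedMessage
        }
    }
}

# Placeholder address taken from the original post
Connect-VIServer -Server 'xxx.xxx.xxx.xxx' | Out-Null

# One object per failed logon, sorted and exported for the audit report
Get-FailedLoginEvent -Start (Get-Date '2018-02-08') -Finish (Get-Date '2018-02-28') |
    Sort-Object Time |
    Export-Csv -Path 'failed-logins.csv' -NoTypeInformation
```

Because the filter is on the event type, the same function also picks up failed logons whose message wording differs from "Cannot login", and the User/IpAddress columns come from the event's own properties rather than from parsing the message string.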

5 Replies
LucD
Leadership

Besides forwarding these logs to a syslog server, or by capturing them through LogInsight, I have no knowledge of a procedure for automating the retrieval and analysis of these logs.

As seems to be confirmed by William's post Auditing/Logging vCenter Server authentication & authorization activities

For me the simplest solution would be to use LogInsight (which will do all the heavy lifting for you), and send queries from PowerShell to VLI.

See for example my LogInsight Module (which I need to update/expand one of these days)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Rayjay888
Contributor

Thanks Luc.

I'll have a look at your LogInsight Module.

It does seem strange (and very annoying) that an excellent product like ESXi doesn't provide an easier way to capture data that is a fairly standard corporate requirement.

regards,

Ray

LucD
Leadership

I think it would be a VCSA, or better an SSO, feature, not as much an ESXi feature.

But yes, I agree, this should be easier to query.


Rayjay888
Contributor

*** UPDATE - I've moved from VCSA 6.0 / ESXi 5.5 to VCSA 6.7 / ESXi 6.5

Now the failed logins don't seem to be retrieved at all by Get-VIEvent   😞

They used to be in the form

Cannot login someuser@xxx.xxx.xxx.xxx from  at: 09/03/2018 06:34:4

for VCSA

They are in /var/log/sso/websso.log and /var/log/vmware/messages (at least for VCSA).

Can I access / extract / query these files from PowerCLI?

cheers,

Ray

LucD
Leadership

You could use Posh-Ssh to connect to the VCSA and collect the logs.

And then use the System.IO.Compression classes to extract the logs from the archive.


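Putting the reply above (System.IO.Compression for the rotated archives) together with what the first post asked for (the "Login failed" / "Authentication failed" lines from vmware-sts-idmd.log, the .gz copies as well, cut down to a time period), here is an added example; it is not code from the thread. It reads a current log or a .gz archive with GZipStream, keeps only the failure lines, parses each line's timestamp and returns the hits inside the window as objects. Assumptions: every line begins with an ISO-8601 UTC timestamp such as 2018-03-09T06:34:44.123Z, optionally after a "[" (check that against your own idmd or websso log before relying on it); the function names are made up; the sample lines are constructed for the demo and are not real VCSA output; copying the files down from the VCSA is left out, since that is what the Posh-SSH SCP cmdlets are for.

```powershell
# Added example, not code from the thread.
# Assumption: each log line starts with an ISO-8601 UTC timestamp, e.g.
# "[2018-03-09T06:34:44.123Z ..." - verify against your own log files.

function Read-LogLine {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -notlike '*.gz') {
        Get-Content -LiteralPath $Path
        return
    }
    # Rotated archive: decompress in-stream with System.IO.Compression.GZipStream
    $file   = [System.IO.File]::OpenRead($Path)
    $gz     = New-Object System.IO.Compression.GZipStream($file, [System.IO.Compression.CompressionMode]::Decompress)
    $reader = New-Object System.IO.StreamReader($gz)
    try {
        while ($null -ne ($line = $reader.ReadLine())) { $line }
    } finally {
        $reader.Dispose(); $gz.Dispose(); $file.Dispose()
    }
}

function Get-SsoFailedLogin {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$Finish
    )
    # Same two phrases the grep in the original post looks for
    $failurePattern   = 'Login failed|Authentication failed'
    # Assumed line layout: optional "[" then an ISO-8601 timestamp
    $timestampPattern = '^\[?(?<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z?)'
    # Compare everything in UTC so the window is unambiguous
    $utcStart  = $Start.ToUniversalTime()
    $utcFinish = $Finish.ToUniversalTime()
    $styles    = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'

    foreach ($p in $Path) {
        foreach ($line in (Read-LogLine -Path $p)) {
            if ($line -notmatch $failurePattern) { continue }
            if ($line -match $timestampPattern) {
                $when = [datetime]::Parse($Matches.ts, [cultureinfo]::InvariantCulture, $styles)
                if ($when -ge $utcStart -and $when -le $utcFinish) {
                    [pscustomobject]@{ Time = $when; File = (Split-Path -Leaf $p); Message = $line }
                }
            }
        }
    }
}

# --- Constructed sample data so the functions can be run offline ---
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'idmd-sample'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$sample = @(
    '[2018-03-08T23:59:00.000Z vsphere.local INFO ] Login succeeded for someuser@vsphere.local'
    '[2018-03-09T06:34:44.123Z vsphere.local ERROR] Login failed for someuser@vsphere.local from 203.0.113.10'
    '[2018-03-09T07:10:02.001Z vsphere.local ERROR] Authentication failed for admin@vsphere.local'
    '[2018-04-01T00:00:00.000Z vsphere.local ERROR] Login failed for someuser@vsphere.local from 203.0.113.10'
)
$current = Join-Path $tmp 'vmware-sts-idmd.log'
$sample | Set-Content -LiteralPath $current

# The same lines written as a .gz, the way a rotated archive is left on the VCSA
$archive = Join-Path $tmp 'vmware-sts-idmd.log.1.gz'
$out    = [System.IO.File]::Create($archive)
$gzw    = New-Object System.IO.Compression.GZipStream($out, [System.IO.Compression.CompressionMode]::Compress)
$writer = New-Object System.IO.StreamWriter($gzw)
$sample | ForEach-Object { $writer.WriteLine($_) }
$writer.Dispose(); $gzw.Dispose(); $out.Dispose()

# March 2018 window over both files: the success line is not a failure and the
# April line is outside the window, so neither is reported
Get-SsoFailedLogin -Path $current, $archive -Start (Get-Date '2018-03-01') -Finish (Get-Date '2018-03-31') |
    Sort-Object Time | Format-Table -AutoSize
```

The output objects pipe into Export-Csv the same way as the Get-VIEvent results, so the event-based and log-based halves of the audit report can be merged into one file; if the timestamp at the start of your log lines is laid out differently, only `$timestampPattern` needs changing.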