VMware Cloud Community
Finikiez
Champion
Champion
‎04-27-2018 06:40 AM

how to check who assigned\deleted permission on an object in vcenter inventory

Hello!

I'm trying to figure out how to find who assigned\deleted permissions in VC's inventory.

I use VCSA 6.5 build 7312210 and 7515524

I read William's article https://www.virtuallyghetto.com/2017/06/auditinglogging-vcenter-server-authentication-authorization-...

A big problem that whenever you create\delete pemission, related Event shows that vcenter solution user did this and not a real user. (Screenshots in the article show the same behaviour).

Here the example

1. Permission for user 'test' created on vcenter level and Read-only role is assigned

pastedImage_2.png

2. Then this permission is removed

pastedImage_3.png

Actually this was administrator@vsphere.local user who did this.

What I checked:

1. vpxd.log shows nothig for this action

2. SSO logs show nothig also.

3. Gettings events using PowerCLI shows the same

pastedImage_6.png

Any suggestion how can I get real user who assigned\deleted permissions?

10 Replies
daphnissov
Immortal
Immortal
‎04-27-2018 06:50 AM

Do you have logs being captured by vRLI? If so, that should have it.

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net
0 Kudos
Finikiez
Champion
Champion
‎04-27-2018 07:10 AM

I do, but Loginsight shows the same events and it also can show me the same logs which I can read manually Smiley Happy

I did another test with domain users

here evets from vRLI

pastedImage_1.png

0 Kudos
Finikiez
Champion
Champion
‎04-27-2018 07:13 AM

But actually I don't send VCSA logs like vpxd and others to loginsight.

However SSO and vpxd logs show nothing for this actions.

0 Kudos
daphnissov
Immortal
Immortal
‎04-27-2018 07:16 AM

Hmm, yes I see. It may not be possible to recollect in that case if there's solution user substitution. Is this something you know of, mikefoley​?

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net
mikefoley
VMware Employee
VMware Employee
‎04-27-2018 07:21 AM

Have you configured syslog on vCenter to send to Log Insight? (Not the vpxd logs, actually setting it at the VAMI)

You'll get the vCenter Events, the same content you see in the event viewer in the web client.

mike

0 Kudos
daphnissov
Immortal
Immortal
‎04-27-2018 07:22 AM

As pointed out, the source logs don't seem to contain this information (check Finikiez's post at the top).

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net
0 Kudos
Finikiez
Champion
Champion
‎04-27-2018 07:35 AM

Ok, I've double checked the vpxd.log and it seems I missed some lines when checked it before.

2018-04-27T17:29:04.875+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [VpxLRO] -- BEGIN lro-1529846 -- AuthorizationManager -- vim.AuthorizationManager.fetchUserPrivilegeOnEntities -- 522facb3-f8d0-e789-c380-2fc1968c463b(5243dfe1-44ac-57f6-e479-022835c2959a)

2018-04-27T17:29:04.875+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\test, false)

2018-04-27T17:29:04.909+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\test, false) res: VSPHERE.LOCAL\test

2018-04-27T17:29:04.910+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=[SSO][GroupcheckAdapter] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [FindAllParentGroups]

2018-04-27T17:29:04.930+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=AuthorizeManager opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [Auth]: User VSPHERE.LOCAL\test

2018-04-27T17:29:04.930+03:00 info vpxd[7F79F9602700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-cd] [VpxLRO] -- FINISH lro-1529846

2018-04-27T17:29:04.934+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [VpxLRO] -- BEGIN lro-1529847 -- AuthorizationManager -- vim.AuthorizationManager.hasUserPrivilegeOnEntities -- 5239060e-38e5-8cbc-6a78-1a5c049e362c(526eb8b0-e98c-8a9d-34d8-a6f78e5bde99)

2018-04-27T17:29:04.934+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\Administrator, false)

2018-04-27T17:29:04.976+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\Administrator, false) res: VSPHERE.LOCAL\Administrator

2018-04-27T17:29:04.976+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=[SSO][GroupcheckAdapter] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [FindAllParentGroups]

2018-04-27T17:29:05.030+03:00 info vpxd[7F79FA29B700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-f1] [VpxLRO] -- FINISH lro-1529847

2018-04-27T17:29:05.033+03:00 info vpxd[7F79FA826700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-ff] [VpxLRO] -- BEGIN lro-1529848 -- AuthorizationManager -- vim.AuthorizationManager.removeEntityPermission -- 52246423-9537-1d0a-738c-ec90594dc7d2(5273d5ec-ad08-80ca-2c37-cbddb57dbdb7)

2018-04-27T17:29:05.033+03:00 info vpxd[7F79FA826700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-ff] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\test, false)

2018-04-27T17:29:05.071+03:00 info vpxd[7F79FA826700] [Originator@6876 sub=[SSO] opID=21231cff-af64-4799-8bfc-1dc5e777b12c-ff] [UserDirectorySso] GetUserInfo(VSPHERE.LOCAL\test, false) res: VSPHERE.LOCAL\test

2018-04-27T17:29:05.074+03:00 info vpxd[7F79FA826700] [Originator@6876 sub=vpxLro opID=21231cff-af64-4799-8bfc-1dc5e777b12c-ff] [VpxLRO] -- FINISH lro-1529848

It's not so obvious but seems that vpxd checks user who tries to remove permission before removing permissions for another user.

0 Kudos
daphnissov
Immortal
Immortal
‎04-27-2018 07:38 AM

So if vpxd.log is capturing it, you need to install the vRLI agent on your vCSA and configure an agent group which has that definition (from the vSphere content pack). It should then parse all those log streams.

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net
Finikiez
Champion
Champion
‎04-27-2018 07:42 AM

I guess that it's better to fill up a feature request to make this process much easier in future Smiley Happy

Thanks )

0 Kudos
daphnissov
Immortal
Immortal
‎04-27-2018 07:44 AM

Agreed, although good luck with that Smiley Wink

Feature request form is here, BTW:  https://www.vmware.com/company/contact/contactus.html?department=prod_request

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net