6 Replies Latest reply on Aug 22, 2019 4:35 PM by pragg12

    vCenter IP Login audit

    pragg12 Enthusiast
    vExpert

      Hi Everyone,

      vCSA is 6.7 U1. I suspect someone used the vSphere.local\Administrator account to do something stupid, and I need to check where the login came from for further tracking. Correct me if I'm wrong from here on out. AFAIK, only the IP address can be retrieved from vCSA logs in such cases. I searched and tried a lot, but only 1 script came close (my Google-fu can only take me this far...). For the PowerCLI agent, I can see the proper machine IP address, but for agents "web-client/6.5.0" and "h5-client/6.5.0", I get the IP address as 127.0.0.1. Let me know:

      1. How can the script be optimized to get the real IP address instead of 127.0.0.1?

      2. My host machine is in the UTC-6 Central Time timezone. Since the script takes the time from the host machine, per the script code, while checking against vCSA logs where the time is in UTC, how does the script work w.r.t. time comparison? What is the time received in the output? UTC or CT?

      I tried to post this in the same forum but I'm getting permission denied. Link: Solved: need to find out login info in vcenter

      Slightly modified code:

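      # Start of the search window: 9 days back from the current time on this machine
      $start = (Get-Date).AddDays(-9)

      # Query every vCenter Server this PowerCLI session is connected to
      foreach ($vc in $global:DefaultVIServers)
      {
         # Keep only login events for the SSO administrator account, newest first,
         # and append the selected fields to a CSV tagged with the vCenter name
         Get-VIEvent -Start $start -MaxSamples ([int]::MaxValue) -Server $vc |
         Where-Object { $_ -is [VMware.Vim.UserLoginSessionEvent] -and $_.UserName -eq 'VSPHERE.LOCAL\Administrator' } |
         Sort-Object -Property CreatedTime -Descending |
         Select-Object UserName, IpAddress, CreatedTime, UserAgent, @{N = 'vCenter'; E = { $vc.Name } } |
         Export-Csv C:\temp\vcsa_login.csv -Append
      }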