<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ESXi 7.0 ssh session logs filling vcsa database in VMware vCenter™ Discussions</title>
    <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2865735#M43941</link>
    <description>&lt;P&gt;You can't disable the SSH service on a Nutanix-backed ESXi cluster. SSH is required for the CVM to communicate with ESXi. I am not saying it is a good or bad decision, it is just a fact.&lt;/P&gt;</description>
    <pubDate>Tue, 07 Sep 2021 17:20:40 GMT</pubDate>
    <dc:creator>DavidGriswoldeB</dc:creator>
    <dc:date>2021-09-07T17:20:40Z</dc:date>
    <item>
      <title>ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2834441#M42363</link>
      <description>&lt;P&gt;&lt;SPAN&gt;I recently&amp;nbsp;discovered&amp;nbsp;that, in VMware ESXi 7.0, event logging has been changed to include ssh login and logout events. These events then get captured and logged in the /storage/seat partition of the vCenter appliance. We have a busy enough environment&amp;nbsp;that these SSH connections to the ESXi hosts generate a significantly high number of events that are filling up the vCenter database (see attached image) and I can see a h&lt;/SPAN&gt;&lt;SPAN&gt;uge number of events in the&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;esx.audit.ssh.session.opened&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;and&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;esx.audit.ssh.session.closed&lt;/STRONG&gt;&lt;FONT face="inherit"&gt;&amp;nbsp;tables in the vCenter database.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT face="inherit"&gt;Of course this &lt;/FONT&gt;brought&lt;FONT face="inherit"&gt;&amp;nbsp;our vCenter appliance down and I followed&amp;nbsp;&lt;/FONT&gt;&lt;SPAN&gt;the instructions from&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://kb.vmware.com/s/article/2119809" target="_blank" rel="noopener"&gt;https://kb.vmware.com/s/article/2119809&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;to reduce the disk space usage of the /storage/seat partition. I also i&lt;/SPAN&gt;ncreased the disk space for the vCenter appliance /storage/seat&amp;nbsp;partition per&amp;nbsp;&lt;A href="https://kb.vmware.com/s/article/2145603" target="_blank" rel="noopener"&gt;https://kb.vmware.com/s/article/2145603&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Will there be an option to filter out specific&amp;nbsp;events such as SSH events in future releases of ESXi? In the meantime, can I create some type of a cron job to regularly&amp;nbsp;purge these specific types of events from the database?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 08 Mar 2021 14:03:36 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2834441#M42363</guid>
      <dc:creator>AnonAdmin</dc:creator>
      <dc:date>2021-03-08T14:03:36Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849429#M43164</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;/P&gt;&lt;P&gt;Did you find a solution for your problem? I have same...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rgds&lt;/P&gt;</description>
      <pubDate>Thu, 27 May 2021 08:43:13 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849429#M43164</guid>
      <dc:creator>gibou13</dc:creator>
      <dc:date>2021-05-27T08:43:13Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849463#M43165</link>
      <description>&lt;P&gt;Unfortunately not - I continue to periodically monitor&lt;FONT face="inherit"&gt;&amp;nbsp;the partition sizes on each of my vcsa &lt;/FONT&gt;appliance's&lt;FONT face="inherit"&gt;&amp;nbsp;and follow kb 2119809&amp;nbsp;&lt;/FONT&gt;&lt;SPAN&gt;to reduce the space usage of the /storage/seat partition when needed. I'm concerned that this issue is low on the priority&amp;nbsp;list and may even have been engineered on purpose since VMware competes with Nutanix.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 27 May 2021 11:45:19 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849463#M43165</guid>
      <dc:creator>AnonAdmin</dc:creator>
      <dc:date>2021-05-27T11:45:19Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849465#M43166</link>
      <description>&lt;P&gt;Not really sure what that would have to do with Nutanix?&amp;nbsp; Sounds like this would affect any vcenter depending on the number of ssh sessions. Its more likely they don't expect a large number of ssh sessions since most things can be done with other tools.&lt;/P&gt;</description>
      <pubDate>Thu, 27 May 2021 11:50:27 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849465#M43166</guid>
      <dc:creator>sjesse</dc:creator>
      <dc:date>2021-05-27T11:50:27Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849467#M43167</link>
      <description>&lt;P&gt;Yes, I have the same problems. Nutanix hosts generate these ssh connection but I don't find yet the way to disable audit for ssh connection...&lt;/P&gt;</description>
      <pubDate>Thu, 27 May 2021 11:55:50 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849467#M43167</guid>
      <dc:creator>gibou13</dc:creator>
      <dc:date>2021-05-27T11:55:50Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849476#M43169</link>
      <description>&lt;P&gt;&lt;a href="https://communities.vmware.com/t5/user/viewprofilepage/user-id/2901199"&gt;@sjesse&lt;/a&gt;&amp;nbsp;That's a fair point - I may be reading into it too much.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 27 May 2021 12:31:11 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849476#M43169</guid>
      <dc:creator>AnonAdmin</dc:creator>
      <dc:date>2021-05-27T12:31:11Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849497#M43172</link>
      <description>&lt;P&gt;This issue was reported few months back by a customer where in Nutanix Controller VM's kept on login to the hosts and creating the below sessions rapidly.&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;esx.audit.ssh.session.closed and&amp;nbsp; &amp;nbsp;esx.audit.ssh.session.opened.&amp;nbsp; &amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;SSH to VCSA:&amp;nbsp; cd to&amp;nbsp; &amp;nbsp;/storage/seat/vpostgres&amp;nbsp; and run&amp;nbsp; &amp;nbsp; du -shc * and share output.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Can u connect to vcdb (/opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres&amp;nbsp;)and run the below:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;SELECT COUNT(EVENT_ID) AS NUMEVENTS, EVENT_TYPE, USERNAME FROM VPXV_EVENT_ALL GROUP BY EVENT_TYPE, USERNAME ORDER BY NUMEVENTS DESC LIMIT 5;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Note:- This query can take some time.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I am quite certain Nutanix is making this connections and filling up vcdb faster. Last I remember VMware&amp;nbsp; Engineering asking Nutanix involvement as to why so many connections r made.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 27 May 2021 14:02:44 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849497#M43172</guid>
      <dc:creator>Ajay1988</dc:creator>
      <dc:date>2021-05-27T14:02:44Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849526#M43174</link>
      <description>&lt;P&gt;I have truncated vpx_event* tables this morning and this query result for now :&lt;/P&gt;&lt;P&gt;97241 esx.audit.ssh.session.opened&lt;BR /&gt;97188 esx.audit.ssh.session.closed&lt;BR /&gt;13259 vim.event.UserLogoutSessionEvent root&lt;BR /&gt;13259 vim.event.UserLoginSessionEvent root&lt;BR /&gt;2082 com.vmware.vc.EventBurstStartedEvent&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 27 May 2021 15:20:20 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2849526#M43174</guid>
      <dc:creator>gibou13</dc:creator>
      <dc:date>2021-05-27T15:20:20Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2850105#M43191</link>
      <description>&lt;P&gt;Almost 1lakh in a day is too high. I suppose Nutanix needs to&amp;nbsp; tell why are they doing so many login and logout&lt;/P&gt;</description>
      <pubDate>Mon, 31 May 2021 16:14:21 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2850105#M43191</guid>
      <dc:creator>Ajay1988</dc:creator>
      <dc:date>2021-05-31T16:14:21Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2852467#M43332</link>
      <description>&lt;P&gt;The reason why this is happening is because VMware changed their logging behaviour in vSphere 7.&lt;BR /&gt;This could affect any other platform in theory but I guess less likely. Nutanix uses SSH excessively for communication between the CVM and the hypervisor. I am not sure why VMware decided to start logging this and I do not know whether you can disable these events from logging.&lt;BR /&gt;The workaround is to increase the SEAT partition and/or reduce retention.&lt;BR /&gt;Also, set up vCenter alerts to monitor health.&lt;/P&gt;&lt;P&gt;I have attached a Nutanix KB that explains it in more detail&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 13 Jun 2021 22:22:08 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2852467#M43332</guid>
      <dc:creator>AllBlack</dc:creator>
      <dc:date>2021-06-13T22:22:08Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2852886#M43368</link>
      <description>&lt;P&gt;Recommendation is always to keep the SSH service down on the ESXi hosts and only bring it up for ad-hoc tasks.&lt;BR /&gt;Good that VMware started logging these information. This was long pending.&lt;/P&gt;&lt;P&gt;I would say reduce retention . Increasing seat partition would increase the storage requirement for a future upgrade but you can still do it if not bother about space.&lt;BR /&gt;&lt;A href="https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-FB268055-5D36-4624-A64C-9800D3FCB689.html" target="_blank"&gt;https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-FB268055-5D36-4624-A64C-9800D3FCB689.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jun 2021 01:13:59 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2852886#M43368</guid>
      <dc:creator>Ajay1988</dc:creator>
      <dc:date>2021-06-16T01:13:59Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2865735#M43941</link>
      <description>&lt;P&gt;You can't disable the SSH service on a Nutanix-backed ESXi cluster. SSH is required for the CVM to communicate with ESXi. I am not saying it is a good or bad decision, it is just a fact.&lt;/P&gt;</description>
      <pubDate>Tue, 07 Sep 2021 17:20:40 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2865735#M43941</guid>
      <dc:creator>DavidGriswoldeB</dc:creator>
      <dc:date>2021-09-07T17:20:40Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2876293#M44414</link>
      <description>&lt;P&gt;Increasing any of the drives of the VCSA forces a move to a larger deployment model in a future upgrade and if you enlarge enough it goes to the max, so it is more than just space, it is CPU and Memory too.&lt;/P&gt;&lt;P&gt;I don't recommend enlarging the drives unless you have no other choice, we have seen negative consequences of doing so.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 04 Nov 2021 13:01:09 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2876293#M44414</guid>
      <dc:creator>gatornut2</dc:creator>
      <dc:date>2021-11-04T13:01:09Z</dc:date>
    </item>
    <item>
      <title>Re: ESXi 7.0 ssh session logs filling vcsa database</title>
      <link>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2893481#M45129</link>
      <description>&lt;P&gt;Nutanix Consistency Checker (NCC) runs its health check about every minute or so and uses SSH to run its host health collection routines. The more Nutanix hosts you have managed by VC, the more login/logout events it will capture. IMO we should request a feature to add SEAT granularity by event type to VC so we can capture just what we need.&lt;/P&gt;</description>
      <pubDate>Mon, 14 Feb 2022 15:50:47 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-7-0-ssh-session-logs-filling-vcsa-database/m-p/2893481#M45129</guid>
      <dc:creator>mmi9567</dc:creator>
      <dc:date>2022-02-14T15:50:47Z</dc:date>
    </item>
  </channel>
</rss>

