WilliamLam.com


How to Create a vCenter Alarm to Monitor for root Logins

10.12.2011 by William Lam // 7 Comments

Another interesting question came up on the VMTN forums this week: a user was looking for a way to trigger a vCenter alarm when someone logs in to an ESX(i) host using the root account. By default there are several dozen pre-defined vCenter alarms that you can adjust or modify to your needs, but they do not cover every condition/event that can trigger an alarm. This is where the power of the vSphere API comes in. If you browse through the available event types, you will find one that corresponds to sessions called sessionEvent, and within that category of events you will see a UserLoginSessionEvent.

Now that we have identified the particular event we are interested in, we simply create a new custom alarm that monitors for this event and ensure that the "userName" property matches "root", the user we are trying to alarm on. I wrote a vSphere SDK for Perl script called monitorUserLoginAlarm.pl that can be used to create an alarm on any particular user login.

The script requires only two parameters: alarmname (name of the vCenter alarm) and user (username to alarm on). Here is a sample output for monitoring root user logins on an ESX(i) host:

The alarm will be created at the vCenter Server level and you should see the new alarm after executing the script.

Note: The alarm action is currently to alert within vCenter. If you would like it to perform other operations, such as sending an email or an SNMP trap, you can edit the alarm after it has been created by the script.

Next it is time to test out the new alarm. If you click on the "Alarms" tab, open "Triggered Alarms", and log in to one of the managed ESX(i) hosts using a vSphere Client with the root account, you should see the new alarm trigger immediately.
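The alarm described above can be built with a handful of vSphere API objects. The following is an added example written for this page, not the original monitorUserLoginAlarm.pl; it assumes the vSphere SDK for Perl is installed and reuses the two parameter names mentioned above (alarmname and user).

```perl
#!/usr/bin/perl
# Added example: create a vCenter alarm that fires on UserLoginSessionEvent
# for one user name. Not the original monitorUserLoginAlarm.pl.
use strict;
use warnings;
use VMware::VIRuntime;    # vSphere SDK for Perl

my %opts = (
    alarmname => { type => "=s", help => "Name of the vCenter alarm", required => 1 },
    user      => { type => "=s", help => "User name to alarm on (e.g. root)", required => 1 },
);
Opts::add_options(%opts);
Opts::parse();
Opts::validate();
Util::connect();

my $alarmname = Opts::get_option('alarmname');
my $user      = Opts::get_option('user');

# Alarms are a vCenter Server feature; refuse a direct ESX(i) connection.
my $sc = Vim::get_service_content();
die "Connect to vCenter Server, not directly to a host\n"
    unless $sc->about->apiType eq 'VirtualCenter';
my $alarmMgr = Vim::get_view(mo_ref => $sc->alarmManager);

# Match only login events whose userName property equals the requested user.
my $cmp = EventAlarmExpressionComparison->new(
    attributeName => 'userName', operator => 'equals', value => $user);

# Turn the alarm red when a host reports a UserLoginSessionEvent.
my $expr = EventAlarmExpression->new(
    eventType   => 'UserLoginSessionEvent',
    objectType  => 'HostSystem',
    status      => ManagedEntityStatus->new('red'),
    comparisons => [$cmp]);

# No action is attached, so the alarm only alerts within vCenter.
my $spec = AlarmSpec->new(
    name        => $alarmname,
    description => "Alert on $user login to an ESX(i) host",
    enabled     => 1,
    expression  => OrAlarmExpression->new(expression => [$expr]),
    setting     => AlarmSetting->new(reportingFrequency => 0, toleranceRange => 0));

# Define the alarm on the root folder so it applies at the vCenter Server level.
eval { $alarmMgr->CreateAlarm(entity => $sc->rootFolder, spec => $spec); };
if ($@) { print "Failed to create alarm: $@\n"; }
else    { print "Created alarm \"$alarmname\" for user \"$user\"\n"; }
Util::disconnect();
```

Run it with the Perl interpreter, for example `perl createUserLoginAlarm.pl --server <vcenter> --username <admin> --alarmname root-login --user root` (the file name is hypothetical).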

If we view the "Tasks/Events" tab for more details, we can confirm the login event and that it was from someone using the root account.

As you can see, even though this particular event was not available as a default selection, you can still use the vSphere API to create a custom alarm that monitors for it.

I do not know what the original intent of monitoring for root logins was, but if there is a fear of the root account being used, the easiest way to prevent this is to enable vCenter Lockdown Mode for your ESXi host.


Categories // Uncategorized Tags // alarm, api, root, vsphere sdk for perl

Comments

  1. *protectedmark.williams says

    10/18/2011 at 8:37 pm

    Unfortunately this also alerts when root logs in via loopback (127.0.0.1) during internal maintenance.

    Any way to exclude the following entry:

    User [email protected] logged in

  2. *protectedxmkox says

    10/25/2011 at 5:05 pm

    Thanks, implementing this to monitor root access.

    Is there a method for triggering an alarm if lockdown mode is disabled to also watch attempts on the backdoor? I can't find it in the default vCenter alarms.

  3. *protectedxmkox says

    10/25/2011 at 5:09 pm

    Grrr, found on Google seconds after I posted.
    For anyone else looking, the host alarm text was a tiny bit vague; it's 'Host administrator access enabled'.

  4. *protectedHakan Karabulut says

    04/10/2013 at 7:22 am

    Thanks, but I am getting an error.
    -----------------------------------------------------------------------------------
    /bin # sh monitorUserLoginAlarm.pl --server vcenter --username hk --alarmname root-login root
    monitorUserLoginAlarm.pl: line 32: use: not found
    monitorUserLoginAlarm.pl: line 33: use: not found
    monitorUserLoginAlarm.pl: line 34: use: not found
    monitorUserLoginAlarm.pl: line 35: use: not found
    monitorUserLoginAlarm.pl: line 37: syntax error: "(" unexpected
    ------------------------------------------------------------------------------------
    Please help!!!
    Best regards.

  5. *protectedMarcus says

    10/27/2016 at 9:27 am

    How can I run this perl command if my vCenter is not deployed as VCSA?
    I am new to scripting and not sure how to get this running.

    Any help is much appreciated.

  6. *protectedNaga says

    08/19/2021 at 9:52 am

    I don't see the script available. Is there a direct link available?


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
