Enhanced vCenter Server Audit Event & Logging in vSphere 6.7 Update 2

04.08.2019 by William Lam // 9 Comments

A couple of years back I published a detailed analysis of vCenter Server's Authentication (AuthN) and Authorization (AuthZ) from an auditing and logging standpoint. This has been the go-to reference for many of our customers, and the posts also include a number of log samples which I have documented in the following Github repository.

In addition to serving as a reference for our customers, it has also helped our Product and Engineering teams understand where we still had some gaps and how we could improve the overall user experience. As hinted in the recently announced vSphere 6.7 Update 2 release, which will be available soon, there are a number of new auditing enhancements that have been made to both vCenter Server and the vCenter Single Sign-On (SSO) service that I think customers will really appreciate.

"Real" client IP address in Events

When you look at a login or logout Event in vCenter Server today, you may have noticed that the user's client IP Address is actually that of the vCenter Server rather than the actual remote client's address; the reason for this is explained here. In vSphere 6.7 Update 2, the real client IP Address is now captured and is included in all successful login/logout events and all failed login events. This information now enables administrators to easily identify unauthorized access and quickly track down the systems initiating the connections.

Below is a screenshot of a login/logout event on a vSphere 6.7 system, which shows the IP Address of the vCenter Server itself, and on a vSphere 6.7 Update 2 system, which now shows the actual client IP Address that logged into that vCenter Server. This information is accessible using both the vSphere UI and API. For customers who enable syslog on their vCenter Server Appliance (VCSA), these events will automatically be included and forwarded to their remote syslog target.

vCenter Single Sign-On Events

Historically, vCenter Server Events did not include any vCenter SSO details. If customers wanted some of this information, they had to take additional steps to forward several SSO log files, which still did not include everything. These logs were meant for troubleshooting/debugging and were not designed for auditing purposes. In vSphere 6.7 Update 2, all configuration changes or user activity that involve vCenter SSO will now have a vCenter Server Event that represents the specific operation.

The way this works is that there is now a dedicated vCenter SSO Audit log at /var/log/audit/sso-events/audit_events.log for the VCSA and C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\audit_events.log for Windows VC, which captures all vCenter SSO related activities. Every 5 minutes, these SSO Events are then published to vCenter Server, which makes them available in both the vSphere UI and API.

Here is a screenshot of the vSphere UI with various vCenter SSO Events that can now easily be viewed without having to SSH to the VCSA and manually look at a log file.

Similarly, customers can use Automation Tools like PowerCLI or any other vSphere SDK to look up specific vCenter SSO Events such as the example below using PowerCLI.

Get-VIEvent | where {$_.EventTypeId -match "com.vmware.sso.*"} | select EventTypeId,FullFormattedMessage


For customers who enable syslog on their vCenter Server Appliance (VCSA), all vCenter SSO events will automatically be included and forwarded to their remote syslog target, as shown in the screenshot below using vRealize Log Insight. This means customers no longer have to manually configure their VCSA to forward specific SSO logs; this now happens automatically once syslog is enabled for your VCSA! Another reason to move to the VCSA if you are still running Windows VC.

For your convenience, below are all the different vCenter SSO Event types that can be generated. You can also get this information by simply viewing the audit_events.log which contains the logged event details and type.

SSO Event                                   Description
com.vmware.sso.LoginSuccess                 SSO Login Success
com.vmware.sso.LoginFailure                 SSO Login Failure
com.vmware.sso.Logout                       SSO Logout Success
com.vmware.sso.CertificateManager           Add/Remove Certificate
com.vmware.sso.ConfigurationManagement      Token Policy/Smart Card Configuration
com.vmware.sso.DomainManagement             Login Message/Banner Configuration
com.vmware.sso.IdentitySourceManagement     Identity Source Configuration
com.vmware.sso.LockoutPolicy                Lockout Policy Configuration
com.vmware.sso.PasswordPolicy               Password Policy Configuration
com.vmware.sso.PrincipalManagement          SSO User and Group Add/Remove/Update
com.vmware.sso.RoleManagement               SSO Role Configuration
com.vmware.sso.SmtpConfiguration            SSO Email Configuration
com.vmware.sso.SystemManagement             Active Directory Configuration
com.vmware.sso.Provisioning                 Create/Remove IDP

Global Permission Events

As you may have guessed from the header, we also now have Global Permission Events in vSphere 6.7 Update 2! When a user creates, updates or removes a Global Permission, a new vCenter Event is published, as shown in the screenshot below. For customers who enable syslog on their vCenter Server Appliance (VCSA), all Global Permission events will automatically be included and forwarded to their remote syslog target; no additional configuration changes are required.

Here are the two Global Permission Event types:

Global Permission Event                  Description
com.vmware.cis.CreateGlobalPermission    Add/Update Global Permission
com.vmware.cis.RemoveGlobalPermission    Remove Global Permission

You can also use PowerCLI or any other vSphere SDK to look up these specific events:

Get-VIEvent | where {$_.EventTypeId -match "com.vmware.cis.*"} | select EventTypeId,FullFormattedMessage

vCenter and Tagging Permission Change Events

Lastly, for any type of permission modification on a vCenter Server Inventory Object (Virtual Machine, ESXi host, Network, etc.), including vSphere Tags and Categories, a vCenter Server Event will now be published. These permission events will be available using both the vSphere UI and API. For customers who enable syslog on their vCenter Server Appliance (VCSA), all permission events will automatically be included and forwarded to their remote syslog target; no additional configuration changes are required.

Here are both the new and existing vCenter Permission Event types:

vCenter & Tagging Permission Event    Description
com.vmware.cis.CreatePermission       Add Tag Permission
PermissionAddedEvent                  Add vCenter Permission
PermissionUpdatedEvent                Update vCenter Permission
PermissionRemovedEvent                Remove vCenter Permission
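As an added example that is not part of the original post, the following PowerCLI script pulls every event type listed in the three tables above over a time window, counts them per type, and groups failed logins by the client IP Address that 6.7 Update 2 now records (see the first section). It assumes an existing Connect-VIServer session with rights to read vCenter Events; the function names Get-AuditEventId, Get-VCAuditEvents and Get-VCFailedLoginsByIp are chosen here and are not part of PowerCLI.

```powershell
# Added example (not from the original post). Assumes Connect-VIServer has
# already been run. The patterns below are the event type IDs from the tables.
$AuditEventPatterns = @(
    '^com\.vmware\.sso\.',                       # vCenter SSO events
    '^com\.vmware\.cis\.',                       # Global Permission / Tag permission events
    '^Permission(Added|Updated|Removed)Event$'   # vCenter inventory permission events
)

# Built-in events such as PermissionAddedEvent expose no EventTypeId in
# PowerCLI (only EventEx/ExtendedEvent do), so fall back to the object type name.
function Get-AuditEventId($Event) {
    if ($Event.EventTypeId) { return $Event.EventTypeId }
    return $Event.GetType().Name
}

function Get-VCAuditEvents {
    # Get-VIEvent returns only 100 samples by default; raise it for a real window.
    param([int]$Hours = 24, [int]$MaxSamples = 50000)
    Get-VIEvent -Start (Get-Date).AddHours(-$Hours) -MaxSamples $MaxSamples |
        Where-Object {
            $id = Get-AuditEventId $_
            foreach ($p in $AuditEventPatterns) { if ($id -match $p) { return $true } }
            return $false
        }
}

# Failed vCenter logins grouped by source address. BadUsernameSessionEvent and
# its IpAddress property are standard vSphere API event types, and from 6.7 U2
# IpAddress holds the real client address instead of the vCenter Server's own.
function Get-VCFailedLoginsByIp {
    param([int]$Hours = 24, [int]$MaxSamples = 50000)
    Get-VIEvent -Start (Get-Date).AddHours(-$Hours) -MaxSamples $MaxSamples |
        Where-Object { $_.GetType().Name -eq 'BadUsernameSessionEvent' } |
        Group-Object -Property IpAddress |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientIp'; e = { $_.Name } }, Count
}

# Usage: event counts per audit type for the last day, then the failed-login table.
Get-VCAuditEvents -Hours 24 |
    Group-Object { Get-AuditEventId $_ } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

Get-VCFailedLoginsByIp -Hours 24 | Format-Table -AutoSize
```

A single client address with a high failed-login count is the case the "real client IP" change was made for; feed the same functions into a scheduled task or SIEM export rather than the console if you need it continuously.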

Requirements

In addition to upgrading to vSphere 6.7 Update 2 to get the new auditing enhancements, note that the new vCenter SSO Auditing Events will only be available for an Embedded vCenter Server (Windows or Appliance). For customers running vCenter with an External Platform Services Controller (PSC), you can converge your deployment to an Embedded vCenter by using the new Convergence CLI Tool included in vSphere 6.7 Update 1, or directly in the vSphere UI with the upcoming vSphere 6.7 Update 2 release.


Comments

  1. Vas Duba says

    02/26/2020 at 9:57 am

    Really appreciate the info you put out. However, I'm not too comfortable with the command line and afraid to mess something up. I've done it before. Is there an easy way to clear the event logs in the vCenter 6.7 web UI?

    Reply
  2. Porter says

    08/04/2020 at 10:27 am

    I know this is an old post, but I need to set up an alert any time anyone logs into the vCenter. I don't see a way to create a vCenter Alarm to send out an email on com.vmware.sso.LoginSuccess. Any idea on what's the easiest way to do this?

    Reply
    • William Lam says

      08/04/2020 at 12:54 pm

      Easiest for this and many other Event-based Automation would be via the VMware Event Broker Appliance (VEBA) Fling. There are lots of articles on my blog + videos on the microsite https://vmweventbroker.io/

      Reply
  3. Mike Boyle says

    03/15/2021 at 9:05 am

    Hello and thank you for this article. It has been a while since I have administered anything VMware so most of this is all new to me. One of my AD accounts keeps locking out and our AD/Security tools point to the IP of our Platform Services Controller. Where can I look to see where these attempted logons could be coming from? I assume I have a script or tool running on a PC/server that has my old credentials, but have zero clue where.
    I believe we are running vCenter Appliance 6.7 Update 3f.
    Thank you

    Reply
    • William Lam says

      03/15/2021 at 9:25 am

      Mike,

      Did you take a look at the article above? It gives you exactly where you should look 🙂

      Reply
      • Mike Boyle says

        03/15/2021 at 12:42 pm

        I did! Thanks for the condescending reply though. I am not an admin any longer, so I have limited view into the environment. I am trying to pinpoint where I can point my coworkers.
        We only see two events in the past 7 days, while our tools are showing bad password attempts every 1-2 minutes. And they all point to the PSC.
        We have opened a case with VMware and they have advised that there is no way to get this info.

        Reply
        • William Lam says

          03/15/2021 at 1:00 pm

          Sorry if you feel my response is "condescending". It literally outlines where you can observe these various AuthN/AuthZ events. If you have already tried, then state as such, as often times I get questions which are literally answered by carefully reading the blog posts, and folks skim the blog posts. You mention "our tools" but don't spend any time referencing what it's looking at and how it's determining that there's a bad password ... If you're not Administrator (vSphere), it's very possible you're not seeing these events and you may need to talk to whoever has access, or get access, to take a closer look. If you're hitting the vSphere layer, these things are indeed trapped as part of what's mentioned in the blog post.

          Reply
  4. Michael says

    02/21/2022 at 2:58 pm

    Hi, I know that the article is already some days old, but I am searching for information and cannot find it. I am a security analyst trying to correlate the sso-event "Adding users to local group xyz" with the information on which user was added to that very group. The only additional info that I could find was a vmdird event that showed a "member add" log line, but without any helpful indication that could be used to map it to the initial sso-event. And I was only finding that vmdird event because I already knew the name of the account that was added, which might not be the case in day-to-day business. Any advice/ideas?

    Reply
  5. Zafer B. says

    02/10/2025 at 1:11 pm

    We do not use VMware Aria Operations for Logs nor VEBA. I use a daemonized version of this tool (https://github.com/zbalkan/vmwarelog) on my SIEM server - I haven't updated the repository for a while. I filter logs via the request and batch process them. However, I am suspicious of not collecting all related events where I need to enable them. But since syslog is disabled, much functionality is disabled as well.

    What may I be missing in the logs?

    Reply
