A couple of years back I had published a detailed analysis on vCenter Server's Authentication (AuthN) and Authorization (AuthZ) from an auditing and logging standpoint. This has been the go to reference for many of our customers and the posts also includes a number of log samples which I have documented in the following Github repository.
In addition to serving as a reference for our customers, it has also helped our Product and Engineering teams understand where we still had some gaps and how we could improve the overall user experience. As hinted in the recently announced vSphere 6.7 Update 2 release, which will be available soon, there are number of new auditing enhancements that have been made to both vCenter Server and the vCenter Single Sign-On (SSO) service that I think customers will really appreciate.
"Real" client IP address in Events
When you look at a login or logout Event in vCenter Server today, you may have noticed the user's client IP Address is actually of the vCenter Server rather than the actual remote client's address and the reason for this is explained here. In vSphere 6.7 Update 2, the real client IP Address is now captured and is included in all successful login/logout and failed logins. This information can now enable administrators to easily identify unauthorized access and be able to quickly track down the systems initiating the connections.
Below is a screenshot of a login/logout event for vSphere 6.7 which shows the IP Address of the vCenter Server and vSphere 6.7 Update 2 system which now shows the actual client IP Address logging into that vCenter Server. This information is accessible using both the vSphere UI and API. For customers who enable syslog on their vCenter Server Appliance (VCSA), these events will automatically be included and forwarded to their remote syslog target.
vCenter Single Sign-On Events
Historically, vCenter Server Events did not include any vCenter SSO details. If customers wanted some of this information, they would have to take additional steps to forward several SSO log files which still did not include everything. These logs were meant for troubleshooting/debugging and was not designed for auditing purposes. In vSphere 6.7 Update 2, all configuration changes or user activity that involves vCenter SSO will now have a vCenter Server Event that represents the specific operation.
The way this works is there is now a dedicated vCenter SSO Audit log at /var/log/audit/sso-events/audit_events.log for VCSA and C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\audit_events.log for Windows VC which will capture all vCenter SSO related activities. Every 5 minutes, these SSO Events will then be published to vCenter Server which will then make them available in both the vSphere UI and API.
Here is a screenshot of the vSphere UI with various vCenter SSO Events that can now easily be viewed without having SSH'ing to the VCSA and manually looking at a log file.
Similarly, customers can use Automation Tools like PowerCLI or any other vSphere SDK to look up specific vCenter SSO Events such as the example below using PowerCLI.
Get-VIEvent | where {$_.EventTypeId -match "com.vmware.sso.*"} | select EventTypeId,FullFormattedMessage
For customers who enable syslog on their vCenter Server Appliance (VCSA), all vCenter SSO events will automatically be included and forwarded to their remote syslog target, as shown in the screenshot below using vRealize Log Insight. This means customers no longer have to manually configure their VCSA to forward specific SSO logs, this is now automatic for you by simply enabling syslog for your VCSA! Another reason to move to the VCSA if you are still running Windows VC.
For your convenience, below are all the different vCenter SSO Event types that can be generated. You can also get this information by simply viewing the audit_events.log which contains the logged event details and type.
| SSO Event | Description |
|---|---|
| com.vmware.sso.LoginSuccess | SSO Login Success |
| com.vmware.sso.LoginFailure | SSO Login Failure |
| com.vmware.sso.Logout | SSO Logout Success |
| com.vmware.sso.CertificateManager | Add/Remove Certificate |
| com.vmware.sso.ConfigurationManagement | Token Policy/Smart Card Configuration |
| com.vmware.sso.DomainManagement | Login Message/Banner Configuration |
| com.vmware.sso.IdentitySourceManagement | Identity Source Configuration |
| com.vmware.sso.LockoutPolicy | Lockout Policy Configuration |
| com.vmware.sso.PasswordPolicy | Password Policy Configuration |
| com.vmware.sso.PrincipalManagement | SSO User and Group Add/Remove/Update |
| com.vmware.sso.RoleManagement | SSO Role Configuration |
| com.vmware.sso.SmtpConfiguration | SSO Email Configuration |
| com.vmware.sso.SystemManagement | Active Directory Configuration |
| com.vmware.sso.Provisioning | Create/Remove IDP |
Global Permission Events
As you may have guessed from the header, we also now have Global Permission Events in vSphere 6.7 Update 2! When a user creates, updates or removes a Global Permission, a new vCenter Event will be published as shown in the screenshot below. For customers who enable syslog on their vCenter Server Appliance (VCSA), all Global Permissions events will automatically be included and forwarded to their remote syslog target, no additional configuration changes required.
Here are the two Global Permission Event types:
| Global Permission Event | Description |
|---|---|
| com.vmware.cis.CreateGlobalPermission | Add/Update Global Permission |
| com.vmware.cis.RemoveGlobalPermission | Remove Global Permission |
You can also use PowerCLI or any other vSphere SDK to look up these specific events:
Get-VIEvent | where {$_.EventTypeId -match "com.vmware.cis.*"} | select EventTypeId,FullFormattedMessage
vCenter and Tagging Permission Change Events
Lastly, for any type of permission modification on a vCenter Server Inventory Object (Virtual Machine, ESXi host, Network, etc.) including vSphere Tags and Categories, a vCenter Server Event will now be published. These permission events will be available using both the vSphere UI and API. For customers who enable syslog on their vCenter Server Appliance (VCSA), all permission events will automatically be included and forwarded to their remote syslog target, no additional configuration changes required.
Here are both the new and existing vCenter Permission Event types:
| vCenter & Tagging Permission Event | Description |
|---|---|
| com.vmware.cis.CreatePermission | Add Tag Permission |
| PermissionAddedEvent | Add vCenter Permission |
| PermissionUpdatedEvent | Update vCenter Permission |
| PermissionRemovedEvent | Remove vCenter Permission |
Requirements
In addition to upgrading to vSphere 6.7 Update 2 to get the new auditing enhancements, the new vCenter SSO Auditing Events will only be available for an Embedded vCenter Server (Windows or Appliance). For customers running vCenter with an External Platform Services (PSC), you can converge your deployment to an Embedded vCenter by using the new Convergence CLI Tool included in vSphere 6.7 Update 1 or directly in the vSphere UI with the upcoming vSphere 6.7 Update 2 release.
Really appreciate the info you put out. However, I'm not too comfortable with the command line and afraid to mess something up. I've done it before. Is there a easy way to clear the event logs in vCenter 6.7 web UI?
I know this is an old post, i need to setup an alert anytime anyone logs into the vCenter. I don't see a way to create a vCenter Alarm to send out an email on com.vmware.sso.LoginSuccess. Any idea on what's the easiest way to do this?
Easiest for this and many other Event-based Automation would be via the VMware Event Broker Appliance (VEBA) Fling. There's lots of articles on my blog + videos on microsite https://vmweventbroker.io/
Hello and thank you for this article. It has been a while since I have administered anything VMware so most of this is all new to me. One of my AD accounts keeps locking out and our AD/Security tools point to the IP of our Platform Services Controller. Where can I look to see where these attempted logons could be coming from? I assume I have a script or tool running on a PC/server that has my old credentials, but have zero clue where.
I believe we are running vCenter Appliance 6.7 Update 3f.
Thank you
Mike,
Did you take a look at the article above? It gives you exactly where you should look 🙂
I did! thanks for the condescending reply though. I am not an admin any longer so I have limited view into the environment. I am trying to pinpoint what where I can point my coworkers.
We only see two events in the past 7 days, while our tools are showing bad password attempts every 1-2 minutes. And they all point to the PSC.
We have opened a case with VMware and they have advised that there is no way to get this info..
Sorry if you feel my response is "condescending". It literally outlines where you can observe these various AuthN/AuthZ events. If you have already tried, then state as such as often time I get questions which is literally answered by carefully reading the blog posts and folks skim the blog posts. You mention "our tools" but don't spend any time referencing what its looking at and how its determining that there's bad password ... If you're not Administrator (vSphere), its very possible you're not seeing these events and you may need to talk to whoever has access or get access to take a closer look. If you're hitting vSphere layer, these things are indeed trapped as part of whats mentioned in the blog post
Hi, I know that the article is already some days old but I am searching information and cannot find it. I am a security analyst trying to correlate the sso-event "Adding users to local group xyz" with the information which user was added to that very group. The only additional info that I could find was a vmdird event that showed a "member add" log line but without any helpful indication that could be used to map it to the initial sso-event. And I was only finding that vmdird event because I already knew the name of the account that was added which might not be the case in day-2-day business. Any advice/ideas?
We do not use VMware Aria Operations for Logs not VEBA. I use a daemonized version of this tool (https://github.com/zbalkan/vmwarelog) on my SIEM server -I haven't updated the repository for a while. I filter logs via the request and batch process them. However I am suspicious of not collecting all related events where I need to enable them. But since syslog is disabled, many finctionality is disabled as well.
What may I be missing in the logs?