Tracking ESX host user logins and activities

Article ID: 308601

Products

VMware vSphere ESXi

Issue/Introduction

This article provides commands to track user information on users that log in to the Service Console of the ESX host.

Environment

VMware ESX 4.1.x
VMware ESX 4.0.x
VMware ESX Server 3.5.x
VMware ESX Server 3.0.x

Resolution

Note: This article does not apply to ESXi hosts.

The /var/log/messages and /var/log/secure log files record every login attempt, including whether the attempt succeeded or failed.
Use the grep command to filter these files for the SSH daemon (sshd) or for the authentication daemon used by the VMware Infrastructure/vSphere Client and Web Access (vmware-authd):

# grep 'sshd' /var/log/messages* /var/log/secure*

# grep 'vmware-authd' /var/log/messages* /var/log/secure*
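The grep commands above return raw lines; what an administrator usually wants next is a count of successful versus failed attempts and the source addresses behind the failures. The following POSIX shell functions are an added example, not part of the VMware article: they parse sshd lines in the OpenSSH message layout. SAMPLE_LOG is constructed sample input; on a host you would feed the output of `cat /var/log/secure* /var/log/messages*` through the same functions.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): summarise sshd login attempts
# from /var/log/secure-style lines. SAMPLE_LOG is constructed sample input in
# the OpenSSH "Accepted ... / Failed ..." message layout.

SAMPLE_LOG='Apr  3 12:12:01 esxhost sshd[29655]: Accepted password for username from 10.0.0.12 port 51234 ssh2
Apr  3 12:13:10 esxhost sshd[29701]: Failed password for root from 10.0.0.99 port 51240 ssh2
Apr  3 12:13:12 esxhost sshd[29701]: Failed password for root from 10.0.0.99 port 51240 ssh2
Apr  3 12:13:15 esxhost sshd[29705]: Failed password for invalid user admin from 10.0.0.99 port 51250 ssh2
Apr  3 12:15:00 esxhost sshd[29720]: Failed password for root from 10.0.0.12 port 51260 ssh2
Apr  3 12:21:00 esxhost sshd[29710]: Accepted publickey for root from 10.0.0.12 port 51300 ssh2'

# count_sshd <log text> <Accepted|Failed>: number of sshd lines with that outcome
count_sshd() {
    printf '%s\n' "$1" | grep 'sshd\[' | grep -c " $2 "
}

# failed_by_source <log text>: "count address" per source, most failures first
failed_by_source() {
    printf '%s\n' "$1" \
      | grep 'sshd\[.*Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# top_failed_source <log text>: the address with the most failed attempts
top_failed_source() {
    failed_by_source "$1" | head -n 1 | awk '{ print $2 }'
}

# accepted_users <log text>: distinct usernames with at least one successful login
accepted_users() {
    printf '%s\n' "$1" \
      | grep 'sshd\[.*Accepted' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "for") print $(i+1) }' \
      | sort -u
}

# Stand-alone run: print a short summary of the constructed sample
echo "accepted: $(count_sshd "$SAMPLE_LOG" Accepted)  failed: $(count_sshd "$SAMPLE_LOG" Failed)"
echo "failed logins by source address:"
failed_by_source "$SAMPLE_LOG"
echo "users with a successful login:"
accepted_users "$SAMPLE_LOG"
```

The functions only use grep, awk, sort and uniq, all of which are present on the Service Console. A source address that appears with many failures and no matching Accepted line is the pattern worth following up in /var/log/secure, and the same per-address grouping can be applied to vmware-authd lines by changing the pattern passed to grep.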

On the ESX Service Console, use the following commands to gather additional information on users that are logged in:
  • w

    The w command displays a list of logged in users and their actions.
    The output appears similar to:

    # w
    13:38:57 up 88 days, 12:38, 3 users, load average: 0.06, 0.12, 0.16
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    root pts/1 10.0.0.12 Mon 1pm 45:39m 0.17s 0.17s -bash
    username pts/2 myname-laptop.do 12:12pm 0.00s 0.06s 0.01s sshd: username [priv]
    root pts/3 hostname.domain. Sun 6pm 3days 0.05s 0.05s -bash

  • last

    The last command searches the /var/log/wtmp file and displays a list of all users that have logged in and out since the file was created.
    The output appears similar to:

    # last
    username pts/2 myname-laptop.do Thu Apr 3 12:12 still logged in
    root pts/2 myname-laptop.do Thu Apr 3 11:25 - 11:40 (00:14)

    Note: Run last reboot to display a list of all reboots since /var/log/wtmp was created.

  • who

    The who command displays a list of users that are currently logged into the server.
    The output appears similar to:

    # who
    root pts/1 Mar 31 13:52 (10.0.0.12)
    username pts/2 Apr 3 12:12 (myname-laptop.domain.com)
    root pts/3 Mar 30 18:48 (hostname.domain.com)

  • fuser

    The fuser command is used to terminate unwanted sessions (that is, sessions that the w or last commands report as open).
    Note: The fuser command may not be available on earlier versions of ESX 3.5.

    The output appears similar to:

    # w
    13:50:54 up 88 days, 12:50, 3 users, load average: 0.52, 0.40, 0.24
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    root pts/1 10.0.0.12 Mon 1pm 45:51m 0.17s 0.17s -bash
    username pts/2 myname-laptop.do 12:12pm 0.00s 0.05s 0.01s sshd: username [priv]
    root pts/3 hostname.domain. Sun 6pm 3days 0.05s 0.05s -bash

    # fuser -k /dev/pts/1
    /dev/pts/1 1699

    # w
    username pts/2 myname-laptop.vm 12:12pm 0.00s 0.05s 0.01s sshd: username [priv]
    root pts/3 hostname.domain. Sun 6pm 3days 0.05s 0.05s -bash

    The fuser command can also associate a process ID with an application that has an open network port, for example the SSH listener. If you know a process ID and what it did (initiated a reboot, for example), mapping that process back to its SSH session tells you how the user who initiated the reboot connected.
    The output appears similar to:

    # fuser ssh/tcp
    ssh/tcp: 1031 4622 12190 29655 29670

    # ps -ef | grep 1031
    root 1031 1 0 Jan06 ? 00:00:00 /usr/sbin/sshd
    root 4622 1031 0 Mar30 ? 00:00:00 sshd: root@pts/3
    root 12190 1031 0 Mar31 ? 00:00:08 sshd: root@pts/1
    root 29655 1031 0 12:12 ? 00:00:00 sshd: username [priv]
    root 1312 29778 0 14:04 pts/2 00:00:00 grep 1031
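The last step above is done by eye: read the tty off the sshd process line, then find the same tty in the who output to get the remote address. The following POSIX shell functions are an added example, not part of the VMware article, that automate that correlation. WHO_OUT and PS_OUT are constructed sample output in the same layouts as the who and ps -ef output shown in the article; on a host you would pass `$(who)` and `$(ps -ef)` instead.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): map each terminal to the sshd
# process serving it (from ps -ef) and to the remote address that opened it
# (from who). WHO_OUT and PS_OUT are constructed sample output.

WHO_OUT='root pts/1 Mar 31 13:52 (10.0.0.12)
username pts/2 Apr 3 12:12 (myname-laptop.domain.com)
root pts/3 Mar 30 18:48 (hostname.domain.com)'

PS_OUT='root 1031 1 0 Jan06 ? 00:00:00 /usr/sbin/sshd
root 4622 1031 0 Mar30 ? 00:00:00 sshd: root@pts/3
root 12190 1031 0 Mar31 ? 00:00:08 sshd: root@pts/1
root 29655 1031 0 12:12 ? 00:00:00 sshd: username [priv]
root 29778 29655 0 12:12 ? 00:00:00 sshd: username@pts/2'

# sshd_pid_for_tty <ps output> <tty>: PID of the sshd session process whose
# command field ends in "@<tty>" (column 8 is "sshd:", column 9 is "user@tty")
sshd_pid_for_tty() {
    printf '%s\n' "$1" | awk -v tty="$2" '$8 == "sshd:" && $9 ~ ("@" tty "$") { print $2 }'
}

# source_for_tty <who output> <tty>: remote host or address in the trailing
# parenthesised field of the who line for that tty
source_for_tty() {
    printf '%s\n' "$1" | awk -v tty="$2" '$2 == tty { s = $NF; gsub(/[()]/, "", s); print s }'
}

# session_report <who output> <ps output>: one line per tty:
# "<tty> <sshd pid> <source>", which is what you need before deciding whether
# a session is legitimate and, if not, which /dev/pts/N to hand to fuser -k
session_report() {
    printf '%s\n' "$1" | awk '{ print $2 }' | while read -r tty; do
        printf '%s %s %s\n' "$tty" "$(sshd_pid_for_tty "$2" "$tty")" "$(source_for_tty "$1" "$tty")"
    done
}

# Stand-alone run over the constructed sample
session_report "$WHO_OUT" "$PS_OUT"
```

Note that the parent sshd process for a user session (the "[priv]" entry) does not carry a tty in its command field, so only the child "user@pts/N" entry is matched; the parent can be recovered from column 3 of the child's ps line if it is needed.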



Additional Information

Tracking ESX host user logins and activities