ESX/ESXi reports in Task & Events: User root@127.0.0.1 logged in
search cancel

ESX/ESXi reports in Task & Events: User [email protected] logged in

book

Article ID: 320909

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Under the Tasks & Events tab in vCenter Server or for a specific ESXi/ESX host you see the message:

    User [email protected] logged
     

  • The /var/log/messages log contains entries similar to:

    /usr/lib/vmware/hostd/vmware-hostd[29780]: Accepted password for user root from 127.0.0.1
    /usr/lib/vmware/hostd/vmware-hostd[29780]: Accepted password for user root from 127.0.0.1
    /usr/lib/vmware/hostd/vmware-hostd[29780]: Accepted password for user root from 127.0.0.1



Environment

VMware vSphere ESXi 6.0
VMware vSphere ESXi 5.1
VMware ESX 4.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server 5.0.x
VMware vCenter Server 5.1.x
VMware vCenter Server 4.0.x
VMware ESXi 4.0.x Installable
VMware ESXi 4.0.x Embedded
VMware vCenter Server 6.0.x
VMware vCenter Server 6.7.x
VMware ESXi 4.1.x Installable
VMware ESXi 4.1.x Embedded
VMware ESX 4.1.x
VMware vSphere ESXi 6.5
VMware vSphere ESXi 5.0
VMware vSphere ESXi 6.7
VMware vCenter Server 4.1.x

Cause

This issue occurs when the hostd process in each ESXi/ESX host reports all logins made to the system. This is an expected behavior.

There are three components involved:
  1. Hostd. This sends an event for each login attempt.

    Note: The hostd process cannot be configured to stop or combine login events.
     
  2. Application. This is installed on the ESXi/ESX host via the hostd process over TCP ports 80 and 443.

    Note: As these applications are all running on ESXi/ESX, they may access hostd more frequently than external applications, thus generating a large number of login events.
     
  3. vCenter Server database. Events are collected and stored for each hostd agent sending events.

    Note: vCenter Server does not automatically combine login events. This can cause the events tables to grow and fill the database. An alarm or alert does not trigger in vCenter Server.

Resolution

The ESXi/ESX root account handles system changes required by vCenter Server. The vpxd service communicates the instructions to hostd and the root account on the local ESXi/ESX host, then executes the instructions.
 
These messages can be related to any of the vCenter Server or host related tasks and are benign.

In a default configuration of ESX Server host there is no process that repeatedly logs in as noted above in the Symptoms. Generally these repeated logins are caused by a custom script or third party management software installed on the service console.

Usually these programs are logging in to check the status of an entity from within ESX Server host. To resolve the events the recommended course of action is to talk to the vendor of the product. In the interim, disabling the agents stops the events from appearing.

To work around this issue, stop the CIM agent on the host.

If that does not resolve the issue then check the logs and find the cron job which is causing the issue. This event coincides with the root login attempts.

As a workaround for a cron job causing the issue, disable the job or stop the process. Contact the vendor for a permanent fix.


Additional Information

Powered by Wolken Software