How to check audit info about changing password of SSO administrator account
search cancel

How to check audit info about changing password of SSO administrator account

book

Article ID: 367386

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

The password of SSO administrator account was changed. Need to trace the event to audit the operation. The article is about how to get the audit log messages and which log file contains it.

Environment

vCenter Server

Resolution

1. SSH to vCenter

2. Run the following command:

    grep “Resetting password of local user 'Administrator'”  /var/log/vmware/sso/ssoAdminServer.log

    The following is a sample output:

# grep "Resetting password of local user 'Administrator'"  /var/log/vmware/sso/ssoAdminServer.log

2024-05-06T09:10:25.612Z INFO ssoAdminServer[99:pool-2-thread-3] [OpId=f84203d1-2484-47ee-9c14-586176b806d5] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Resetting password of local user 'Administrator'.

Additional Information

Note:The administrator account ([email protected]) does not get locked out nor does its password expire. Proper security practice is to audit logins from this account and rotate the password regularly.
Please refer Edit the vCenter Single Sign-On Password Policy