How to check audit info about changing password of SSO administrator account


Article ID: 367386


Updated On:

Products

VMware vCenter Server

Issue/Introduction

The password of the SSO administrator account was changed, and the event needs to be traced to audit the operation.

This article explains how to retrieve the audit log messages and which log file contains them.

Environment

VMware vCenter Server

Resolution

1. SSH to vCenter

2. Run the following command:

    grep "Resetting password of local user 'Administrator'" /var/log/vmware/sso/ssoAdminServer.log

    The following is a sample output:

    # grep "Resetting password of local user 'Administrator'"  /var/log/vmware/sso/ssoAdminServer.log

    [YYYY-MM-DDTHH:MM:SS] INFO ssoAdminServer[99:pool-2-thread-3] [OpId=f84203d1-2484-47ee-9c14-586176b806d5] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Resetting password of local user 'Administrator'.
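
To turn these matches into audit records (when, which operation, who performed the reset, and on which account), the following added example, which is not part of the original article, parses the log layout shown in the sample output above. The function names and sample lines are constructed for illustration, and it assumes that resets of other local users are logged in the same layout.

```shell
#!/bin/sh
# Added example (not from the article). The field layout is taken from the
# article's sample output; function names are hypothetical.

# Constructed sample input: timestamps, OpIds and 'svc-backup' are made up.
sample_sso_log() {
cat <<'EOF'
[2024-05-14T09:21:07] INFO ssoAdminServer[99:pool-2-thread-3] [OpId=11111111-1111-1111-1111-111111111111] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Resetting password of local user 'Administrator'.
[2024-05-14T09:22:40] INFO ssoAdminServer[99:pool-2-thread-4] [OpId=22222222-2222-2222-2222-222222222222] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Constructed unrelated message.
[2024-05-15T17:03:55] INFO ssoAdminServer[99:pool-2-thread-7] [OpId=33333333-3333-3333-3333-333333333333] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Resetting password of local user 'svc-backup'.
EOF
}

# Print one record per password reset event:
#   timestamp|opid|actor|actor_domain|actor_role|target_user
# Reads the files given as arguments, or stdin when none are given.
# Lines that do not match the layout are skipped.
parse_sso_pw_resets() {
    sed -nE "s/^\[([^]]+)\] .*\[OpId=([^]]+)\] .*\[User \{Name: ([^,]+), Domain: ([^}]+)\} with role '([^']+)'\] Resetting password of local user '([^']+)'\.?[[:space:]]*\$/\1|\2|\3|\4|\5|\6/p" "$@"
}

# Keep only resets that target one account (case-insensitive match).
#   resets_for_user <account> [logfile...]
resets_for_user() {
    user=$1
    shift
    parse_sso_pw_resets "$@" | awk -F'|' -v u="$user" 'tolower($6) == tolower(u)'
}

# Demo on the constructed sample. On vCenter, pass the log path instead:
#   resets_for_user Administrator /var/log/vmware/sso/ssoAdminServer.log
sample_sso_log | parse_sso_pw_resets
```

The OpId field can then be used to search the same log for other lines belonging to the same operation.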

Additional Information

Note: The administrator account (administrator@vsphere.local) does not get locked out, nor does its password expire. Proper security practice is to audit logins from this account and rotate the password regularly.
Please refer to "Edit the vCenter Single Sign-On Password Policy".