• You see an alarm similar to the following:
  
  An application on an edge node crashed, resulting in a core dump file of vim.tiny being generated.
  
  
• It is confirmed the core dump is generated when opening "/etc/default/kdump-tools" file using vim.tiny tool.
  
  Core was generated by `vim.tiny /etc/default/kdump-tools'.
Program terminated with signal SIGSEGV, Segmentation fault.

• The syslog indicates that the core dump is generated in the ssh session from the specific client.
  
  <DATE_TIME> <HOSTNAME> kernel - - - [78725.005151] get_sigframe: 13 callbacks suppressed
<DATE_TIME> <HOSTNAME> kernel - - - [78725.005153] signal: vim.tiny[57850] overflowed sigaltstack
<DATE_TIME> <HOSTNAME> kernel - - - [78725.005156] signal: vim.tiny[57850] overflowed sigaltstack
 
<DATE_TIME> <HOSTNAME> kernel - - - [78725.005164] grsec: From <CLIENT_IP_ADDRESS>: Segmentation fault occurred at 0000000000000000 in /usr/bin/vim.tiny[vim.tiny:57850] uid/euid:0/0 gid/egid:0/0, parent /[bash:57561] uid/euid:0/0 gid/egid:0/0
<DATE_TIME> <HOSTNAME> NSX 691637 - [nsx@6876 comp="nsx-edge" subcomp="node-mgmt" username="root" level="WARNING"] Core file generated: /var/log/core/core.vim.tiny.1721816611.57850.0.11.gz
  
  
• The audit log also shows that the creation/close time of the ssh session.
  
  <DATE_TIME> <HOSTNAME> sshd 57540 - -  Accepted password for root from <CLIENT_IP_ADDRESS> port 56516 ssh2
<DATE_TIME> <HOSTNAME> sshd 57540 - -  pam_unix(sshd:session): session opened for user root by (uid=0)
<DATE_TIME> <HOSTNAME> systemd-logind 3039 - -  New session <SESSION_ID> of user root.
 
<DATE_TIME> <HOSTNAME> sshd 57540 - -  pam_unix(sshd:session): session closed for user root
<DATE_TIME> <HOSTNAME> sshd 57540 - -  pam_systemd(sshd:session): Failed to release session: Interrupted system call
<DATE_TIME> <HOSTNAME> systemd-logind 3039 - -  Removed session <SESSION_ID>.

VMware NSX-T Data Center 3.2.3.0.1

It is not recommended to do any operations using root user on NSX appliances.