Audit the Client Information for Virtual Machine Power states from vCenter Server Tasks
Article ID: 380006

Products

VMware vCenter Server

Issue/Introduction

This article explains how to determine which client changed the power state of a virtual machine.

It is not meant as an exhaustive guide to auditing all vCenter Server tasks.

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Resolution

Scenario 1:

 
A user connects using vSphere Client. In this scenario a task is generated in the vCenter Server service (vpxd) with 2 session IDs and an opID (operation ID).
The first of the two session IDs is the vpxd session:
 
/var/log/vmware/vpxd/vpxd-###.log
..
<YY-MM-DD> info vpxd[20621] [Originator@6876 sub=vpxLro opID=m1zzn130-45960-auto-zgq-h5:70013532-eb] [VpxLRO] -- BEGIN task-380 -- vm-<ID> -- vim.VirtualMachine.powerOff -- 52882c20-####-####6d830(52520bbd-####-####-####22b8)
..
 
 
In this example, the vpxd session ID is 52882c20-####-####6d830 and the opID is 70013532.
Using this information, you can identify the source information for the task in the vpxd-profiler log, by looking for entries that contain the session ID as well as the string "ClientIP":

/var/log/vmware/vpxd/vpxd-profiler-###.log
..
/Session/Id='52882c20-####-####6d830'/Username='VSPHERE.LOCAL\<UserName>'/ClientIP='127.0.0.1'/PropertyCollector/LastVersionNum/total 
..

 

The vpxd-profiler log shows that the session was created by <userName>. The source IP in this example is the local loopback address of the vCenter Server, because the task originates in vSphere Client, which is another local service. To identify the actual source (the system from which the user <userName> logged in to vSphere Client), review the localhost_access*.log of the vSphere Client service and match the opID:

/var/log/vmware/vsphere-ui/logs/access/localhost_access_log.txt
..
127.0.0.1 <Client_IP>- - [<YY-MM-DD> +0000] "POST /ui/mutation/applyOnMultiEntity HTTP/1.1" 200 400 200043 70013532 http-nio-127.0.0.1-5090-exec-148 12
..

The actual source of the task will be <Client_IP>.

 

Scenario 2:

This is basically the same as scenario 1, but since the call did not go through vSphere Client, there won't be any related entries in the vSphere Client localhost_access*.log. 

Instead, the ClientIP in the vpxd-profiler-###.log will now be the actual source IP of the task, rather than the local loopback address 127.0.0.1. Additionally, you can review the access logs of the VAPI endpoint service and look for the task to find the source IP address, similar to the example line below:

/var/log/vmware/vapi/endpoint/endpoint-access.log
..
<YY-MM-DD>| vcenter-shim-activity-8 | <Client_IP> - - [<YY-MM-DD> +0000] "POST /rest/vcenter/vm/vm-<ID>/power/stop HTTP/1.1" 200 0 "... ...
..
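
The correlation described in Scenarios 1 and 2 can be scripted for audit review. The following is an added example, not part of the original article or a VMware tool: it joins the vpxd task line to the vpxd-profiler session entry and, when the ClientIP is the loopback address, to the vSphere Client access log by opID. The function name, the sample log lines and the assumption that the opID is the token after the colon in the opID= field are all constructed for illustration.

```python
import re

# Constructed sample lines in the formats shown above; IDs, user names and
# addresses are made up (192.0.2.45 and 198.51.100.7 are documentation ranges).
VPXD = [
    "info vpxd[20621] [Originator@6876 sub=vpxLro opID=m1zzn130-45960-auto-zgq-h5:70013532-eb] "
    "[VpxLRO] -- BEGIN task-380 -- vm-42 -- vim.VirtualMachine.powerOff -- "
    "52882c20-aaaa-bbbb6d830(52520bbd-cccc-dddd-eeee22b8)",
    "info vpxd[20621] [Originator@6876 sub=vpxLro opID=5f3c2a1b] "
    "[VpxLRO] -- BEGIN task-381 -- vm-43 -- vim.VirtualMachine.powerOff -- "
    "52aa11bb-ffff-00001c2d3(52cc22dd-1111-2222-333344ee)",
]
PROFILER = [
    "/Session/Id='52882c20-aaaa-bbbb6d830'/Username='VSPHERE.LOCAL\\alice'"
    "/ClientIP='127.0.0.1'/PropertyCollector/LastVersionNum/total 5",
    "/Session/Id='52aa11bb-ffff-00001c2d3'/Username='VSPHERE.LOCAL\\svc-backup'"
    "/ClientIP='198.51.100.7'/PropertyCollector/LastVersionNum/total 2",
]
UI_ACCESS = [
    '127.0.0.1 192.0.2.45 - - [01/May/2024:10:00:00 +0000] "POST /ui/mutation/applyOnMultiEntity '
    'HTTP/1.1" 200 400 200043 70013532 http-nio-127.0.0.1-5090-exec-148 12',
]

TASK = re.compile(r"-- BEGIN (task-\d+) -- (\S+) -- (vim\.VirtualMachine\.power\w+) -- ([^\s(]+)")
OPID = re.compile(r"opID=\S*?:(\w+)-")  # assumption: the opID is the token after the colon
SESSION = re.compile(r"/Session/Id='([^']+)'/Username='([^']+)'/ClientIP='([^']+)'")

def audit_power_tasks(vpxd, profiler, ui_access):
    """Return one record per power task with the user and the resolved client IP."""
    sessions = {m.group(1): m.group(2, 3) for m in map(SESSION.search, profiler) if m}
    records = []
    for line in vpxd:
        task = TASK.search(line)
        if not task:
            continue
        name, vm, method, sid = task.groups()
        user, ip = sessions.get(sid, (None, None))
        source, op = "vpxd-profiler", OPID.search(line)
        if ip == "127.0.0.1" and op:
            # Scenario 1: loopback means vSphere Client relayed the call, so match
            # the opID as a whole field in its access log and read the second field.
            for fields in map(str.split, ui_access):
                if op.group(1) in fields[2:]:
                    ip, source = fields[1].rstrip("-"), "vsphere-ui access log"
                    break
        records.append({"task": name, "vm": vm, "method": method,
                        "user": user, "client_ip": ip, "source": source})
    return records
```

A record whose client_ip is still 127.0.0.1 with source "vpxd-profiler" means no matching opID was found in the supplied access log lines, for example because the log has rotated.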