Investigating VCSA SSH logins for user "ROOT"


Article ID: 391448


Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • This article helps investigate SSH logins for the root user and helps administrators find the IP address used in failed login attempts.

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Resolution

  • For vCenter 7.x, SSH login information is logged in /var/log/audit/sshinfo.log
  • For vCenter 8.x, SSH login information is logged in /var/log/messages
  • A successful authentication produces the following log entries:

     YYYY-MM-DDTHH:MM:SS VCSA sshd[####]: Accepted password for root from #.#.#.# port 58745 ssh2
     YYYY-MM-DDTHH:MM:SS VCSA sshd[####]: pam_unix(sshd:session): session opened for user root by (uid=0)

  • A failed authentication produces the following log entries:

     YYYY-MM-DDTHH:MM:SS VCSA sshd[####]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=#.#.#.#  user=root
     YYYY-MM-DDTHH:MM:SS VCSA sshd[####]: error: PAM: Authentication failure for root from #.#.#.#

  • After multiple failed authentications, a locked root account produces the following log entry:

     YYYY-MM-DDTHH:MM:SS VCSA sshd[####]: pam_faillock (sshd: auth) : Consecutive login failures for user root account temporarily locked

If the root account is temporarily locked, refer to the following KB article: Resetting root password in vCenter Server Appliance 7.x / 8.x
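As an added example (not part of the VMware article or any VMware tooling), the shell function below applies the log patterns shown above to summarize root SSH activity per source IP and to flag a successful login that follows failures from the same address. The function names are hypothetical, and the sample lines, timestamps and addresses are constructed.

```shell
#!/bin/sh
# Added example, not VMware code: per-source-IP summary of root SSH logins.
# Constructed sample lines in the format shown in this article.
sample_log() {
cat <<'EOF'
2025-01-10T08:00:01 VCSA sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
2025-01-10T08:00:01 VCSA sshd[1201]: error: PAM: Authentication failure for root from 192.0.2.10
2025-01-10T08:00:05 VCSA sshd[1201]: error: PAM: Authentication failure for root from 192.0.2.10
2025-01-10T08:00:09 VCSA sshd[1201]: error: PAM: Authentication failure for root from 192.0.2.10
2025-01-10T08:00:09 VCSA sshd[1201]: pam_faillock (sshd: auth) : Consecutive login failures for user root account temporarily locked
2025-01-10T09:15:30 VCSA sshd[1377]: error: PAM: Authentication failure for root from 198.51.100.7
2025-01-10T09:15:42 VCSA sshd[1377]: Accepted password for root from 198.51.100.7 port 58745 ssh2
2025-01-10T09:15:42 VCSA sshd[1377]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF
}

# Reads a log on stdin; prints "failed=N accepted=M ip [flag]" per source
# address, followed by a "lockouts=K" line.
summarize_root_ssh() {
    awk '
    function src(   i) {            # address is the field after "from"
        for (i = 1; i < NF; i++) if ($i == "from") return $(i + 1)
        return "unknown"
    }
    !/sshd\[[0-9]+\]:/ { next }     # skip non-sshd lines in /var/log/messages
    # Count only the "error: PAM" line; the pam_unix line logged for the
    # same attempt is skipped so a failure is not counted twice.
    /error: PAM: Authentication failure for root from/ { ip = src(); fail[ip]++; seen[ip] = 1 }
    /Accepted [^ ]+ for root from/ {
        ip = src(); ok[ip]++; seen[ip] = 1
        if (fail[ip] > 0) flag[ip] = " SUCCESS_AFTER_FAILURES"
    }
    /pam_faillock.*user root account temporarily locked/ { locks++ }
    END {
        for (ip in seen)
            printf "failed=%d accepted=%d %s%s\n", fail[ip], ok[ip], ip, flag[ip]
        printf "lockouts=%d\n", locks
    }' | LC_ALL=C sort
}

# Demo on the constructed sample. On the appliance, feed the real log instead:
#   summarize_root_ssh < /var/log/messages            (vCenter 8.x)
#   summarize_root_ssh < /var/log/audit/sshinfo.log   (vCenter 7.x)
sample_log | summarize_root_ssh
```

A source flagged SUCCESS_AFTER_FAILURES is worth checking first, since it can indicate either a mistyped password or a guessed one.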