Identify who accessed the VM console from the ESXi host client
In the VM's vmx log, /vmfs/volumes/<Volume UUID>/Vm_home/vmware.log, look for the MKS.IssueTicket request and note its opID:
YYYY-MM-DD hh:mm:ss.zzzZ In(05) vmx - VigorTransportProcessClientPayload: opID=esxui-e635-5319 seq=130977: Receiving MKS.IssueTicket request.
YYYY-MM-DD hh:mm:ss.zzzZ In(05) vmx esxui-e635-5319 SOCKET 3483 (159) creating new listening socket on port -1
YYYY-MM-DD hh:mm:ss.zzzZ In(05) vmx esxui-e635-5319 Issuing new webmks ticket 275696... (120 seconds)
YYYY-MM-DD hh:mm:ss.zzzZ In(05) vmx esxui-e635-5319 VigorTransport_ServerSendResponse opID=esxui-e635-5319 seq=130977: Completed MKS.IssueTicket request with messages in 895 US.
Find the OpID in hostd.log
/var/run/log/hostd.log
2025-04-04T14:04:30.721Z In(166) Hostd[1050479]: [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/vsan:529bbc9cedc617f4-04c800f9241622d0/ca52b567-2b55-53ad-6cf5-005056af2e39/nsx02.vmx opID=esxui-e635-5319 sid=5299f079 user=root] Ticket issued for webmks service to user: root
Search hostd.log for the sid from the entry above:
YYYY-MM-DD hh:mm:ss.zzzZ In(166) Hostd[1050458]: [Originator@6876 sub=Vimsvc.HaSessionManager opID=esxui-66c5-52aa sid=5299f079] Accepted password for user root from <IP_Address> - session=5299f079-80b9-6f68-8607-8d7da36da976
YYYY-MM-DD hh:mm:ss.zzzZ In(166) Hostd[1050458]: [Originator@6876 sub=Vimsvc opID=esxui-66c5-52aa sid=5299f079] [Auth]: User root
YYYY-MM-DD hh:mm:ss.zzzZ Wa(164) Hostd[1050458]: [Originator@6876 sub=Vimsvc opID=esxui-66c5-52aa sid=5299f079] Refresh function is not configured.User data can't be added to scheduler.User name: root
YYYY-MM-DD hh:mm:ss.zzzZ In(166) Hostd[1050458]: [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxui-66c5-52aa sid=5299f079] Event 2537 : User root@<IP_Address> logged in as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
YYYY-MM-DD hh:mm:ss.zzzZ In(166) Hostd[1050461]: [Originator@6876 sub=Libs opID=esxui-4c6b-52b7 sid=5299f079 user=root] NetstackInstanceImpl: congestion control algorithm: newreno
The login entry for that sid shows that user root accessed the VM console from the given client IP.
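
The three lookups above can be scripted when working from copies of the two logs. This is an added example, not part of the original article or any VMware tool; the function name console_access, the sample timestamps, the 192.0.2.10 address and the other-vm entry are constructed for illustration.

```python
import re

# Constructed sample lines modeled on the entries above; timestamps, the
# 192.0.2.10 address, the other-vm path and the second opID/sid are made up.
VMWARE_LOG = """\
2025-04-04T14:04:30.700Z In(05) vmx - VigorTransportProcessClientPayload: opID=esxui-e635-5319 seq=130977: Receiving MKS.IssueTicket request.
2025-04-04T14:04:30.720Z In(05) vmx esxui-e635-5319 Issuing new webmks ticket 275696... (120 seconds)
"""
HOSTD_LOG = """\
2025-04-04T14:01:12.004Z In(166) Hostd[1050458]: [Originator@6876 sub=Vimsvc.HaSessionManager opID=esxui-66c5-52aa sid=5299f079] Accepted password for user root from 192.0.2.10 - session=5299f079-80b9-6f68-8607-8d7da36da976
2025-04-04T14:03:55.310Z In(166) Hostd[1050479]: [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/ds1/other-vm/other-vm.vmx opID=esxui-aaaa-0001 sid=52001122 user=root] Ticket issued for webmks service to user: root
2025-04-04T14:04:30.721Z In(166) Hostd[1050479]: [Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/vsan:529bbc9cedc617f4-04c800f9241622d0/ca52b567-2b55-53ad-6cf5-005056af2e39/nsx02.vmx opID=esxui-e635-5319 sid=5299f079 user=root] Ticket issued for webmks service to user: root
"""

TICKET_REQUEST = re.compile(r"opID=(\S+) seq=\d+: Receiving MKS\.IssueTicket request")
TICKET_ISSUED = re.compile(
    r"^(\S+) .*opID=(\S+) sid=(\w+)[^\]]*\] Ticket issued for webmks service to user: (\S+)")
LOGIN = re.compile(r"sid=(\w+)\] Accepted password for user (\S+) from (\S+) - session=")


def console_access(vmware_log, hostd_log):
    """Return one record per console ticket issued for the VM owning vmware_log."""
    # Step 1: opIDs of the MKS.IssueTicket requests seen by this VM's vmx process.
    op_ids = set(TICKET_REQUEST.findall(vmware_log))
    # Step 3 lookup table: session id -> client address of the login.
    login_source = {m[1]: m[3] for m in LOGIN.finditer(hostd_log)}
    records = []
    for line in hostd_log.splitlines():
        m = TICKET_ISSUED.search(line)
        # Step 2: hostd.log covers every VM on the host, so keep only the
        # tickets whose opID appears in this VM's vmware.log.
        if m and m[2] in op_ids:
            records.append({
                "time": m[1], "op_id": m[2], "sid": m[3], "user": m[4],
                # None means the login entry is not in the supplied hostd.log
                # (for example it was already rotated out).
                "source": login_source.get(m[3]),
            })
    return records


if __name__ == "__main__":
    for rec in console_access(VMWARE_LOG, HOSTD_LOG):
        print(rec)
```

A record whose source is None means the sid's login entry was not in the hostd.log supplied, so older rotated copies of the log need to be searched as well.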