• When reviewing the events in vCenter you see that the hosts are reporting login events for the user [email protected] every 5 minutes

  "User [email protected] logged in as VMware-client/8.0.3"

• Reviewing the hostd.log in /var/run/log, you see that there are no related tasks in-between the user logging in and out, but that there was one API invoked:

  <timestamp> In(166) Hostd[2100112]: [Originator@6876 sub=Vimsvc.ha-eventmgr opID=######## sid=########] Event 29498 : User [email protected] logged in as VMware-client/8.0.3
  <timestamp> In(166) Hostd[2100102]: [Originator@6876 sub=Vimsvc.ha-eventmgr opID=######## sid=######## user=root] Event 29499 : User [email protected] logged out (login time: <date_and_time>
  09:02:08 AM, number of API invocations: 1, user agent: VMware-client/8.0.3)

VMware ESXi 8.0.3

These logins are caused by the VSAN health feature in the ESXi hosts healthd service, which is always enabled, even if the host is not part of a VSAN cluster.

This issue is fixed in vSphere 8.0 Update 3e.

Starting in this version, the vSAN health feature no longer uses the ESXi root account to authenticate, but instead works with the internal vpxuser account. As this is an internal account, ESXi will not create login events for it, other than for the root account, for which every login needs to be auditable.