SSHD and PAM session logs missing from Aria Operations for Logs when sent from Aria Automation appliances
search cancel

SSHD and PAM session logs missing from Aria Operations for Logs when sent from Aria Automation appliances

book

Article ID: 399447

calendar_today

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

SSH login and session activity logs (e.g., sshd, systemd-user, PAM messages) may not be visible in VMware Aria Operations for Logs (vRLI), even though other system logs from the same appliances are arriving normally.

Environment

  • VMware Aria Automation 8.18.x
  • VMware Aria Operations for Logs 8.18.x

Cause

SSH-related logs (from sshd, pam_unix, etc.) on Aria Automation appliances are forwarded by FluentD rather than the Log Insight Agent. As a result, these events do not include an app tag that can be used for field-based filtering in vRLI.

Resolution

Locate SSH session events from Aria Automation appliances:

  1. Open vRLI (Aria Operations for Logs)
  2. Use the top search bar (free text search) Enter:
    pam_unix
  3. In the filters section below, use: hostname contains <shortname of appliance>

This search returns PAM/SSHD events even though they are not tagged with app:sshd.

Powered by Wolken Software