How to find out who login through [email protected] from which Machine using Vcenter logs
Article ID: 407698
Updated On:
Products
VMware vCenter Server
Issue/Introduction
This is an Information article on how to track the user login events/details:
-
An activity has been performed in Vcenter web client through [email protected] credentials.
-
It is unclear which user performed the activity.
- /var/log/vmware/sso/websso.log contains the following information:
YYYY-MM-DDTHH:MM:SSINFO websso [52: tomcat-http -- 12] [CorId=######-##-######-#########] [auditlogger] {\"user\":\"[email protected]\", \"client\":\"<system/jump_server IP>\",\"timestamp\":\"MM/DD/YYYY HH:MM:SS GMT\",\"description\":\"User [email protected]@<system/jump_server IP> logged in with response code 200\", \"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginSuccess\"}
.YYYY-MM-DDTHH:MM:SSINFO websso [59: tomcat-http -- 19] [CorId=######-##-######-#########] [auditlogger] {\"user\":\"[email protected]\", \"client\":\"<system/jump_server IP\",\"timestamp\":\"MM/DD/YYYY HH:MM:SS GMT\", \"description\":\"User [email protected]@<system/jump_server IP> logged out\", \"eventSeverity\": \"INFO\", \"type\":\"com.vmware.sso.Logout\"}
Environment
VMware vCenter Server 7.x
VMware vCenter Server 8.x.
Resolution
- The logs have login & logout time stamps in GMT with the Local machine/Jump server IP address as highlighted in the logs above.
-
Further verification needs to be done from the respective machine's event viewer logs to find the user login details.
Feedback
Yes
No
Powered by
