Older "Failed login" events for vCenter are raised every 5 minutes

Article ID: 413929

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • "Failed login" events appear every 5 minutes under vCenter/Monitor/Tasks and Events/Events and in syslog monitoring
  • A packet capture on vCenter shows that no related IP address is accessing vCenter when the events are raised
  • The timestamps for the "Failed login" events are mismatched under vCenter/Monitor/Tasks and Events/Events and in the journalctl -b log

vpxd[6622]: Event [20450002] [1-1] [Current_Timestamp] [vim.event.EventEx] [info] [[email protected]] [] [20450002] [Failed login [email protected] from IP_Address at  Older_Timestamp GMT in SSO]               

  • The older "Failed login" entries can be found in /var/log/audit/sso-events/audit_events.log

Older_Timestamp {"user":"[email protected]","client":"IP_Address","timestamp":"Older_Timestamp GMT","description":"User [email protected]@IP_Address failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}

  • The older timestamp can be months in the past
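
Added example (not part of the original article and not VMware code): a triage helper that tells re-raised events from new failed logins by grouping vpxd "Failed login" lines on the SSO timestamp embedded in the message and checking each repeated key against audit_events.log. The sample user, address and timestamp formats are constructed; only the field layout is taken from the log lines shown above.

```python
import json
import re
from collections import Counter

# Event text as shown in this article; the embedded SSO time is kept as an opaque string.
VPXD_RE = re.compile(
    r"\[Failed login (?P<user>\S+) from (?P<client>\S+) at\s+(?P<ts>.+?) GMT in SSO\]")

def vpxd_failures(lines):
    """Return (user, client, sso_time) for every vpxd 'Failed login' event line."""
    return [(m["user"], m["client"], m["ts"].strip())
            for m in map(VPXD_RE.search, lines) if m]

def audit_failures(lines):
    """Return the (user, client, sso_time) keys of LoginFailure records in audit_events.log."""
    keys = set()
    for line in lines:
        start = line.find("{")          # JSON record follows the leading timestamp
        if start < 0:
            continue
        try:
            rec = json.loads(line[start:])
        except json.JSONDecodeError:
            continue                    # skip truncated or non-JSON lines
        if rec.get("type") == "com.vmware.sso.LoginFailure":
            ts = rec.get("timestamp", "")
            ts = ts[:-4] if ts.endswith(" GMT") else ts
            keys.add((rec.get("user"), rec.get("client"), ts.strip()))
    return keys

def replayed(vpxd_lines, audit_lines, min_repeats=2):
    """Map each repeated failure key to (times re-raised, present in audit_events.log)."""
    counts = Counter(vpxd_failures(vpxd_lines))
    audit = audit_failures(audit_lines)
    return {k: (n, k in audit) for k, n in counts.items() if n >= min_repeats}

# Constructed sample data: user, address and timestamp formats are illustrative only.
EVT = ("vpxd[6622]: Event [20450002] [1-1] [{now}] [vim.event.EventEx] [info] [{u}] [] "
       "[20450002] [Failed login {u} from {ip} at  {old} GMT in SSO]")
U, IP = "svc-test@example.local", "192.0.2.10"
SAMPLE_VPXD = [EVT.format(now=f"2024-06-01T10:{m:02d}:00Z", u=U, ip=IP, old="2024-01-15 08:00:00")
               for m in (0, 5, 10)]
SAMPLE_VPXD.append(EVT.format(now="2024-06-01T10:12:00Z", u=U, ip=IP, old="2024-06-01 10:12:00"))
SAMPLE_AUDIT = ["2024-01-15T08:00:00Z " + json.dumps({
    "user": U, "client": IP, "timestamp": "2024-01-15 08:00:00 GMT",
    "type": "com.vmware.sso.LoginFailure"})]

if __name__ == "__main__":
    for key, (n, in_audit) in replayed(SAMPLE_VPXD, SAMPLE_AUDIT).items():
        print(key, "re-raised", n, "times; in audit_events.log:", in_audit)
```

A key that repeats with the same embedded time and is present in audit_events.log matches the symptom in this article; a failure that appears once with a fresh embedded time is a new login attempt and should be investigated as such.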

Environment

VMware vCenter Server

Cause

A corner-case issue in which audit_events.log is read over and over without end

Resolution

To resolve this issue:

1: Move audit_events.log and audit_events.control from /var/log/audit/sso-events to another folder

2: Reboot vCenter

3: Log in to and log out of vCenter to ensure that login/logout messages are recorded in audit_events.log