Many instances of "User root@127.0.0.1 logged in as pyvmomi Python" are observed for ESXi hosts in the vCenter Events tab
search cancel

Many instances of "User [email protected] logged in as pyvmomi Python" are observed for ESXi hosts in the vCenter Events tab

book

Article ID: 414911

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

The following event logs are observed in hostd.log or in the Events tab for the host in the vCenter vSphere GUI(Graphical User Interface):

hostd.1:
<YYYY-MM-DD>T<HH:MM:SS>.413Z info hostd[#######] [Originator@#### sub=Vimsvc.ha-eventmgr opID=esxcli-##-####] Event ###### : User [email protected] logged in as pyvmomi Python/3.8.18 (VMkernel; 7.0.3; x86_64)
......
<YYYY-MM-DD>T<HH:MM:SS>.474Z info hostd[#######] [Originator@#### sub=Vimsvc.ha-eventmgr opID=esxcli-##-#### user=root] Event ###### : User [email protected] logged out (login time: <TIME_STAMP>, number of API invocations: 7, user agent: pyvmomi Python/3.8.18 (VMkernel; 7.0.3; x86_64))

Environment

VMware vCenter Server 8.0.x

VMware vSphere ESXi 8.0.x

Cause

During the login, a command, such as "esxcli network nic list", was executed via an SSH(Secure Shell) session, which triggers the logging.

For example, this command could generate the event log: ssh root@<ESXi_HOST> -t "esxcli network nic list"

auth.log:
<YYYY-MM-DD>T<HH:MM:SS>.021Z sshd[#######]: Connection from ###.###.###.### port #####
<YYYY-MM-DD>T<HH:MM:SS>.060Z sshd[#######]: Accepted publickey for root from ###.###.###.### port ##### ssh2: RSA SHA256:......
<YYYY-MM-DD>T<HH:MM:SS>.076Z sshd[#######]: pam_unix(sshd:session): session opened for user root by (uid=0)
<YYYY-MM-DD>T<HH:MM:SS>.117Z sshd[#######]: User 'root' running command 'esxcli network nic list'
<YYYY-MM-DD>T<HH:MM:SS>.518Z sshd[#######]: Received disconnect from ###.###.###.### port #####:11: disconnected by user
<YYYY-MM-DD>T<HH:MM:SS>.518Z sshd[#######]: Disconnected from user root ###.###.###.### port #####
<YYYY-MM-DD>T<HH:MM:SS>.536Z sshd[#######]: pam_unix(sshd:session): session closed for user root

Resolution

Check the IP(Internet Protocol) address in auth.log for the relevant time to determine if it corresponds to expected behavior from user or automation script activities.

<YYYY-MM-DD>T<HH:MM:SS>.021Z sshd[9583874]: Connection from ###.###.###.### port #####

One workaround is to disable the SSH service on the ESXi host, which will significantly reduce such login and logout messages.

Powered by Wolken Software