How to Confirm and Compare ESXi Service Enable/Disable Time and Host Reboot Time


Article ID: 423683


Products

VMware vCenter Server

VMware vSphere ESXi

Issue/Introduction

In certain scenarios, such as internal security reviews or company compliance audits, administrators may be required to verify when specific ESXi services were enabled or disabled and whether these actions occurred before or after a host reboot.

This article describes how to confirm and compare the enable/disable timestamps of an ESXi service with the ESXi host reboot time by reviewing system log files. The SSH service is used as an example.

Environment

VMware ESXi 8.0

VMware vCenter Server 8.0

Resolution

The following steps demonstrate how to confirm and compare the SSH service enable/disable time with the ESXi host reboot time.

Step 1: Confirm ESXi Host Reboot Time

Review the /var/run/log/vmksummary.log file to identify the ESXi host reboot events.

Example log entries:

YYYY-MM-DDTHH:MM:SS No(13) bootstop[2503991]: Host is rebooting
YYYY-MM-DDTHH:MM:SS No(13) bootstop[2102540]: Host has booted
  • Host is rebooting indicates the reboot start time

  • Host has booted indicates the reboot completion time

These timestamps can be used as the reference reboot window.

Step 2: Confirm SSH Service Enable Time

Review the /var/run/log/hostd.log file to identify when the SSH service was enabled.

Example log entries:

YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101023]: [Originator@6876 sub=Hostsvc.VmkVprobSource] VmkVprobSource::Post event: (vim.event.EventEx) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    key = 195,
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    chainId = 671621120,
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    createdTime = "YYYY-MM-DDTHH:MM:SS",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    userName = "",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    host = (vim.event.HostEventArgument) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->       name = "##-###-###-######-domain.name",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->       host = 'vim.HostSystem:##-####'
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    },
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    eventTypeId = "esx.audit.<services_name>.enabled",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    objectId = "##-####",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    objectType = "vim.HostSystem",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: --> }
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101023]: [Originator@6876 sub=Vimsvc.##-########] Event 527 : <services_name> access has been enabled.
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101030]: [Originator@6876 sub=Hostsvc.ServiceSystem opID=########-######-####-####-##:########-##-#-#### sid=5247d207 user=vpxuser:Domain_name\Username] <services_name> running status is true
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101030]: [Originator@6876 sub=Vimsvc.##-######## opID=########-######-####-####-##:########-##-#-#### sid=5247d207 user=vpxuser:Domain_name\Username] Event 528 : <services_name> for the host ##-###-###-######-domain.name has been enabled
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101030]: [Originator@6876 sub=Vimsvc.TaskManager opID=########-######-####-####-##:########-##-#-#### sid=5247d207 user=vpxuser:Domain_name\Username] Task Completed : ######-##-####-###.host.ServiceSystem.#####-########## Status success

Key indicators:

  • eventTypeId = "esx.audit.ssh.enabled"

  • Event messages confirming SSH access has been enabled

  • Task completion with Status success

The createdTime field in the event section represents the exact enablement timestamp.

Step 3: Confirm SSH Service Disable Time

Continue reviewing /var/run/log/hostd.log to identify when the SSH service was disabled.

Example log entries:

YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101016]: [Originator@6876 sub=Vimsvc.TaskManager opID=########-######-####-####-##:########-##-##-#### sid=5247d207 user=vpxuser:Domain_name\Username] Task Created : ######-##-####-###.host.ServiceSystem.####-#####
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101028]: [Originator@6876 sub=Hostsvc.VmkVprobSource] VmkVprobSource::Post event: (vim.event.EventEx) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    key = 195,
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    chainId = 0,
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    createdTime = "YYYY-MM-DDTHH:MM:SS",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    userName = "",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    host = (vim.event.HostEventArgument) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->       name = "##-###-###-######-domain.name",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->       host = 'vim.HostSystem:##-####'
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    },
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    eventTypeId = "esx.audit.<services_name>.disabled",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    objectId = "##-####",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: -->    objectType = "vim.HostSystem",
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2100986]: --> }
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101028]: [Originator@6876 sub=Vimsvc.##-########] Event 2253 : <services_name> access has been disabled.
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101008]: [Originator@6876 sub=Hostsvc.ServiceSystem opID=########-######-####-####-##:########-##-##-#### sid=5247d207 user=vpxuser:Domain_name\Username] <services_name> running status is false
YYYY-MM-DDTHH:MM:SS In(166) Hostd[2101008]: [Originator@6876 sub=Vimsvc.TaskManager opID=########-######-####-####-##:########-##-##-#### sid=5247d207 user=vpxuser:Domain_name\Username] Task Completed : ######-##-####-###.host.ServiceSystem.####-##### Status success

Key indicators:

  • eventTypeId = "esx.audit.ssh.disabled"

  • Event messages confirming SSH access has been disabled

  • Service running status set to false

  • Successful task completion

The createdTime field reflects the exact disablement time.

Step 4: Compare Timestamps

Finally, compare the timestamps collected from:

  • ESXi host reboot events (vmksummary.log)

  • SSH service enable/disable events (hostd.log)

This comparison establishes the sequence of events, allowing administrators and auditors to confirm whether:

  • The service was enabled or disabled before or after a host reboot

  • Actions comply with internal security or audit requirements
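
The comparison in Steps 1 to 4 can be scripted against copies of the two logs. The following is an added example, not part of the original article or any VMware tooling: it extracts the reboot markers from vmksummary.log and the createdTime of each esx.audit.ssh.enabled/disabled event block from hostd.log, merges them into one timeline, and tags each SSH change with the most recent reboot marker before it. The sample lines and timestamps are constructed, the function names are hypothetical, and it assumes both logs use the same time zone and the line layout shown in the examples above.

```python
import re
from datetime import datetime

TS = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)"  # fractional seconds / zone suffix ignored
BOOT_RE = re.compile(rf"^{TS}\S*\s.*bootstop\[\d+\]: (Host is rebooting|Host has booted)")
CREATED_RE = re.compile(rf'createdTime = "{TS}')
EVENT_RE = re.compile(r'eventTypeId = "esx\.audit\.ssh\.(enabled|disabled)"')

# Constructed sample lines (not from a real host), shaped like the article's examples.
VMKSUMMARY = """\
2025-01-10T08:00:05.101Z No(13) bootstop[2503991]: Host is rebooting
2025-01-10T08:06:40.552Z No(13) bootstop[2102540]: Host has booted
""".splitlines()
HOSTD = """\
2025-01-10T07:30:12.001Z In(166) Hostd[2100986]: -->    createdTime = "2025-01-10T07:30:11.950Z",
2025-01-10T07:30:12.001Z In(166) Hostd[2100986]: -->    eventTypeId = "esx.audit.ssh.enabled",
2025-01-10T08:20:45.300Z In(166) Hostd[2100986]: -->    createdTime = "2025-01-10T08:20:45.210Z",
2025-01-10T08:20:45.300Z In(166) Hostd[2100986]: -->    eventTypeId = "esx.audit.ssh.disabled",
""".splitlines()

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def reboot_events(lines):
    """(time, marker) for each reboot start/completion line in vmksummary.log."""
    hits = (BOOT_RE.match(line) for line in lines)
    return [(parse_ts(m.group(1)), m.group(2)) for m in hits if m]

def ssh_events(lines):
    """(createdTime, 'SSH enabled'/'SSH disabled') for each audit event block in hostd.log."""
    found, created = [], None
    for line in lines:
        if m := CREATED_RE.search(line):
            created = parse_ts(m.group(1))  # remembered until the block's eventTypeId
        elif (m := EVENT_RE.search(line)) and created:
            found.append((created, "SSH " + m.group(1)))
            created = None
    return found

def timeline(vmksummary, hostd):
    """Merge both logs by time; tag each SSH change with the latest reboot marker before it."""
    rows, last = [], "no earlier reboot entry"
    for ts, label in sorted(reboot_events(vmksummary) + ssh_events(hostd)):
        if label.startswith("Host"):
            last = f"after '{label}' at {ts.isoformat()}"
        else:
            label = f"{label} ({last})"
        rows.append((ts.isoformat(), label))
    return rows

if __name__ == "__main__":
    for ts, label in timeline(VMKSUMMARY, HOSTD):
        print(ts, label)
```

An SSH change tagged "no earlier reboot entry" only means the supplied vmksummary.log lines contain no reboot marker before it, so include older log copies if the audit period extends further back.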