Unusual login activity is detected in the VMware Aria Operations for Logs UI, as shown in the following screenshot:
On the vCenter Server side:
Locate the following log entry in commands/journalctl_-b--0.txt (from the vCenter Server support bundle):
MMM DD HH:MM:SS DOMAIN_FQDN vpxd[5979]: Event [3418744] [#-#] [YYYY-MM-DDTHH:MM:SS] [vim.event.UserLoginSessionEvent] [info] [<Domain>\<Account>] [] [3418744] [User <Domain>\<Account>@<IP ADDRESS> logged in as VMware ###-#### 1.0]
Identify session details in vpxd-profiler.log:
--> /SessionStats/SessionPool/Session/Id='########-####-####-####-############'/Username='<Domain>\<Account>'/ClientIP='<IP ADDRESS>'/HttpSessionObject/Hidden/total 0
Cross-reference the Session ID (########-####-####-####-############) within vpxd.log to track the specific tasks performed in that session:
YYYY-MM-DDTHH:MM:SS info vpxd[06455] [Originator@6876 sub=vpxLro opID=56aa62f5] [VpxLRO] -- BEGIN lro-######### -- SessionManager -- vim.SessionManager.cloneSession -- ########-####-####-####-############
YYYY-MM-DDTHH:MM:SS info vpxd[06955] [Originator@6876 sub=vpxLro opID=4e3c664a] [VpxLRO] -- BEGIN lro-######### -- SessionManager -- vim.SessionManager.logout -- ########-####-####-####-############(########-####-####-####-############)
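The three lookups above (login events in the journal, session IDs in vpxd-profiler.log, operations in vpxd.log) can be scripted so the correlation is repeatable across support bundles and so the login frequency is measured rather than eyeballed. The following Python is an added example, not part of the original article or of any VMware tool. The hostname, account name, IP addresses, session IDs, user-agent strings and the `vim.VirtualMachine.createSnapshot` line are constructed sample data that follow the formats shown above; the burst threshold (three or more logins from one user/IP with no more than 60 seconds between consecutive logins) is an assumption to tune for your environment.

```python
"""Correlate vCenter login events -> sessions -> operations (added example).

Constructed sample lines below mimic the three sources the article names:
commands/journalctl_-b--0.txt (vpxd events), vpxd-profiler.log and vpxd.log.
Hostname, account, IPs, session IDs and agents are assumptions, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime

JOURNAL = """\
Jan 15 02:00:03 vcsa.example.com vpxd[5979]: Event [3418744] [1-1] [2024-01-15T02:00:03.101Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\\svc-backup] [] [3418744] [User VSPHERE.LOCAL\\svc-backup@192.0.2.10 logged in as VMware ExampleBackup 1.0]
Jan 15 02:00:08 vcsa.example.com vpxd[5979]: Event [3418751] [1-1] [2024-01-15T02:00:08.544Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\\svc-backup] [] [3418751] [User VSPHERE.LOCAL\\svc-backup@192.0.2.10 logged in as VMware ExampleBackup 1.0]
Jan 15 02:00:13 vcsa.example.com vpxd[5979]: Event [3418760] [1-1] [2024-01-15T02:00:13.902Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\\svc-backup] [] [3418760] [User VSPHERE.LOCAL\\svc-backup@192.0.2.10 logged in as VMware ExampleBackup 1.0]
Jan 15 09:15:44 vcsa.example.com vpxd[5979]: Event [3419102] [1-1] [2024-01-15T09:15:44.010Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\\administrator] [] [3419102] [User VSPHERE.LOCAL\\administrator@198.51.100.7 logged in as VMware ExampleClient 1.0]
"""
PROFILER = """\
--> /SessionStats/SessionPool/Session/Id='1b2c3d4e-0001-4a5b-8c9d-0123456789ab'/Username='VSPHERE.LOCAL\\svc-backup'/ClientIP='192.0.2.10'/HttpSessionObject/Hidden/total 0
--> /SessionStats/SessionPool/Session/Id='1b2c3d4e-0002-4a5b-8c9d-0123456789ab'/Username='VSPHERE.LOCAL\\svc-backup'/ClientIP='192.0.2.10'/HttpSessionObject/Hidden/total 0
--> /SessionStats/SessionPool/Session/Id='9f8e7d6c-0003-4a5b-8c9d-0123456789ab'/Username='VSPHERE.LOCAL\\administrator'/ClientIP='198.51.100.7'/HttpSessionObject/Hidden/total 0
"""
VPXD = """\
2024-01-15T02:00:03.205Z info vpxd[06455] [Originator@6876 sub=vpxLro opID=56aa62f5] [VpxLRO] -- BEGIN lro-100000001 -- SessionManager -- vim.SessionManager.cloneSession -- 1b2c3d4e-0001-4a5b-8c9d-0123456789ab
2024-01-15T02:00:04.011Z info vpxd[06455] [Originator@6876 sub=vpxLro opID=56aa62f6] [VpxLRO] -- BEGIN lro-100000002 -- vm-42 -- vim.VirtualMachine.createSnapshot -- 1b2c3d4e-0002-4a5b-8c9d-0123456789ab
2024-01-15T02:00:07.300Z info vpxd[06955] [Originator@6876 sub=vpxLro opID=4e3c664a] [VpxLRO] -- BEGIN lro-100000003 -- SessionManager -- vim.SessionManager.logout -- 1b2c3d4e-0001-4a5b-8c9d-0123456789ab(1b2c3d4e-0002-4a5b-8c9d-0123456789ab)
"""

# Event timestamp is the bracketed ISO value, not the syslog-style prefix (which has no year).
LOGIN_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})[^\]]*\] "
    r"\[vim\.event\.UserLoginSessionEvent\].*?"
    r"\[User (?P<user>[^@\]]+)@(?P<ip>[0-9A-Fa-f.:]+) logged in as (?P<agent>[^\]]+)\]")
SESSION_RE = re.compile(
    r"/SessionStats/SessionPool/Session/Id='(?P<sid>[0-9a-fA-F-]+)'"
    r"/Username='(?P<user>[^']+)'/ClientIP='(?P<ip>[^']+)'")
# First UUID after the method name; a logout line carries a second UUID in parentheses.
LRO_RE = re.compile(
    r"\[VpxLRO\] -- BEGIN (?P<lro>lro-\d+) -- (?P<obj>\S+) -- (?P<method>\S+) -- "
    r"(?P<sid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")


def parse_logins(journal):
    """Extract (timestamp, user, ip, agent) from UserLoginSessionEvent lines."""
    out = []
    for m in filter(None, map(LOGIN_RE.search, journal.splitlines())):
        out.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                    "user": m["user"], "ip": m["ip"], "agent": m["agent"]})
    return out


def login_bursts(logins, max_gap_seconds=60, min_count=3):
    """Return {(user, ip): longest run} for sources whose consecutive logins were
    at most max_gap_seconds apart at least min_count times in a row. Thresholds
    are assumptions; an automated integration re-authenticating looks like this."""
    by_source = defaultdict(list)
    for e in logins:
        by_source[(e["user"], e["ip"])].append(e["ts"])
    bursts = {}
    for key, stamps in by_source.items():
        stamps.sort()
        run = best = 1
        for prev, cur in zip(stamps, stamps[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap_seconds else 1
            best = max(best, run)
        if best >= min_count:
            bursts[key] = best
    return bursts


def sessions_for(profiler, user, ip):
    """Session IDs in vpxd-profiler.log belonging to this user and client IP."""
    return {m["sid"] for m in filter(None, map(SESSION_RE.search, profiler.splitlines()))
            if m["user"] == user and m["ip"] == ip}


def session_operations(vpxd_log, session_ids):
    """Methods invoked under each session ID, in log order, from vpxd.log LRO lines."""
    ops = defaultdict(list)
    for m in filter(None, map(LRO_RE.search, vpxd_log.splitlines())):
        if m["sid"] in session_ids:
            ops[m["sid"]].append(m["method"])
    return dict(ops)


def triage(journal, profiler, vpxd_log):
    """Bursty (user, ip) pairs -> their sessions -> what those sessions did."""
    report = {}
    for (user, ip), count in login_bursts(parse_logins(journal)).items():
        sids = sessions_for(profiler, user, ip)
        report[(user, ip)] = {"burst_logins": count, "sessions": sids,
                              "operations": session_operations(vpxd_log, sids)}
    return report


if __name__ == "__main__":
    for (user, ip), info in triage(JOURNAL, PROFILER, VPXD).items():
        print(f"{user} from {ip}: {info['burst_logins']} rapid logins")
        for sid, methods in info["operations"].items():
            print(f"  session {sid}: {', '.join(methods)}")
```

Run it against the real files by reading commands/journalctl_-b--0.txt, vpxd-profiler.log and vpxd.log from the support bundle into the three arguments of `triage()`. The IP addresses it reports are the ones to resolve to a device in the resolution steps below, and the method list per session shows whether the account is doing only what the integration is documented to do.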
vCenter Server 8.0
The identified IP address belongs to a third-party backup appliance or other integrated service that authenticates to vCenter Server and performs automated session cloning and session management tasks (the vim.SessionManager.cloneSession and vim.SessionManager.logout calls seen in vpxd.log). Each authentication generates a UserLoginSessionEvent, so frequent automated logins appear as unusual login activity.
Identify the physical or virtual device that owns the logged IP address.
Engage the backup software vendor or the relevant third-party solution provider to investigate the frequency of these login events and whether they are necessary.
Review the service account's permissions and confirm they match the vendor's documented requirements, granting no more than the integration needs.
Note that this pattern is not limited to backup software; any integration that authenticates to vCenter Server with a service account can produce the same login events. Identify the specific device that owns the IP address and complete a diagnostic review of that hardware or service before closing the investigation.