FAQs: Credential security scans (via SSH), which metrics/KPIs should be monitored during such scans?

Article ID: 430021

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

When performing SSH credential security scans on one or more vCenters as part of a security initiative, which metrics/KPIs should be monitored during such scans (before/during the planned task)?

Environment

VMware Aria Operations 8.18.x

VMware vCenter Server 8.x

Resolution

Monitoring KPIs during an SSH credential scan on a vCenter Server Appliance (vCSA) is quite complex, because the scan logs into the underlying Photon OS, enumerates installed packages (RPMs), and checks configurations. Monitor the following:

  • Critical Resource KPIs (System Stability): SSH scans typically cause spikes in CPU (encryption/decryption of SSH sessions + package database queries) and Disk Read (reading the filesystem).
  • Service & Authentication KPIs (Scan Success & Security): Verify that the scanner is actually logging in and not locking out accounts due to failed attempts.
  • Authentication Failures: Monitor /var/log/vmware/sso/websso.log, /var/log/vmware/vmdird/ or /var/log/messages for "Failed password" events.
  • VPXD Health: Watch for "Heartbeat" alerts in the vCenter Events tab. If vpxd stops sending heartbeats, the service is hanging.
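
One way to track the authentication-failure KPI during a scan window, as an added example (not from the original article or any VMware tooling): it counts sshd "Failed password" events per account and source in syslog-style lines such as those in /var/log/messages. The sample lines are constructed, and the scanner address and threshold of 3 are assumptions to replace with your scanner's IP and your account lockout policy.

```python
import re
from collections import Counter

# Standard OpenSSH failure message, matched from "sshd[pid]:" onward so the
# syslog timestamp format in front of it (ISO 8601 or classic) does not matter.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample lines (not taken from a real appliance).
SAMPLE_LOG = """\
2025-01-12T10:15:01.100+00:00 vcsa01 sshd[2101]: Accepted password for root from 192.0.2.10 port 50122 ssh2
2025-01-12T10:15:07.412+00:00 vcsa01 sshd[2140]: Failed password for root from 192.0.2.10 port 50130 ssh2
2025-01-12T10:15:09.030+00:00 vcsa01 sshd[2140]: Failed password for root from 192.0.2.10 port 50130 ssh2
2025-01-12T10:15:11.551+00:00 vcsa01 sshd[2140]: Failed password for root from 192.0.2.10 port 50130 ssh2
2025-01-12T10:15:30.009+00:00 vcsa01 sshd[2177]: Failed password for invalid user scanacct from 192.0.2.10 port 50144 ssh2
Jan 12 10:16:40 vcsa01 sshd[2203]: Failed password for root from 198.51.100.7 port 40022 ssh2
"""

def count_failed_passwords(lines):
    """Count failed SSH password attempts per (account, source address)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("src"))] += 1
    return counts

def lockout_risks(counts, scanner_ips, threshold):
    """Flag scanner failures at or above the lockout threshold (assumed value),
    and any failure from a source that is not a known scanner."""
    findings = []
    for (user, src), n in sorted(counts.items()):
        if src in scanner_ips:
            if n >= threshold:
                findings.append((user, src, n, "scanner at lockout threshold"))
        else:
            findings.append((user, src, n, "failure from non-scanner source"))
    return findings

if __name__ == "__main__":
    counts = count_failed_passwords(SAMPLE_LOG.splitlines())
    # Scanner IP and threshold are assumptions for this sample.
    for finding in lockout_risks(counts, {"192.0.2.10"}, threshold=3):
        print(finding)
```

Run it against the log before the scan to get a baseline, then again during the scan, so that failures caused by the scanner's credentials can be separated from unrelated ones.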

Note: These scans can spike resource usage, so be cautious of this.

The above are just recommendations and will vary by environment. Please engage your security team and PSO to be fully covered.