vCenter is getting powered off by a service account, identity the IP Address which initiated the vCenter shutdown task
search cancel

vCenter is getting powered off by a service account, identity the IP Address which initiated the vCenter shutdown task

book

Article ID: 433835

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • vCenter Server is getting powered off by a service account.
  • Virtual Machine -> Monitor -> Tasks shows the "Initiate Guest OS Shutdown" task with the user account which initiated the task.



  • vCenter logs shows the task details as below:

    /var/log/vmware/vpxd/vpxd.log

    YYYY-MM-DDTHH:MM:SS.###Z info vpxd[PID] [Originator@6876 sub=vpxLro opID=6#######4] [VpxLRO] -- BEGIN task-3##9##6 -- vm-##### -- vim.VirtualMachine.shutdownGuest -- 5######6-2##c-1##4-1##5-a##########2(5######8-e##b-1##c-2##2-5##########6)

Environment

  • vCenter Server 7.x.
  • vCenter Server 8.x.
  • vCenter 9.x.

Resolution

When a user connects to vCenter Server (vpxd service) through API's or the vSphere Client, a Session ID is created and vCenter Server logs the username and IP address for each session created. Identity the source IP details by reviewing the logs mentioned below:

  1. Login to vSphere Client.
  2. Select the vCenter Server VM from the Inventory and note down the MoID of the VC VM from the browser URL. In the sample screenshot pasted below, the MoID of the VM is "vm-10008".




  3. Login to vCenter via SSH session.
  4. VPXD log will show the details of the shutdown task, use grep command to locate the shutdown task:

    grep -i "vim.VirtualMachine.shutdownGuest" vpxd.log | grep -i vm-10008

    YYYY-MM-DDTHH:MM:SS.###Z info vpxd[PID] [Originator@6876 sub=vpxLro opID=6#######4] [VpxLRO] -- BEGIN task-3##9##6 -- vm-10008 -- vim.VirtualMachine.shutdownGuest -- 5######6-2##c-1##4-1##5-a##########2(5######8-e##b-1##c-2##2-5##########6)

    Note: In this example, the VM MoID 'vm=10008' is used to filter the logs.

  5. Above log entry contains a virtual machine shutdown task that was created with a Session ID of 5######6-2##c-1##4-1##5-a##########2.
  6. Search for the Session ID in vpxd-profiler log as shown below:

    grep "5######6-2##c-1##4-1##5-a##########2" vpxd-profiler.log | grep ClientIP

    /SessionStats/SessionPool/Session/Id='5######6-2##c-1##4-1##5-a##########2'/Username='Example.com\username'/ClientIP='192.###.###.###'

  7. The vpxd-profiler.log shows the Session ID 5######6-2##c-1##4-1##5-a##########2 created by the user Example.com\username from the IP address '192.###.###.###'.
Powered by Wolken Software