How to audit third-party API and SDK session activity in vCenter server

Article ID: 440848


Products

VMware vCenter Server 8.0

Issue/Introduction

This article describes how to audit or troubleshoot external integrations. Third-party API and SDK calls are recorded within specific profiler logs, capturing session IDs, usernames, and source client IP addresses. Identifying these records is essential for security auditing and isolating performance issues caused by external automation.

Environment

  • vCenter Server 8.x

Cause

vCenter Server captures session-level statistics for all API interactions in the vpxd-profiler logs to maintain an audit trail of service interactions.

Resolution

To view third-party API/SDK activity, examine the vpxd-profiler logs on the vCenter Server Appliance (VCSA).

  1. Log in to the vCenter Server Appliance (VCSA) via SSH using root credentials.

  2. Navigate to the vpxd log directory:

    cd /var/log/vmware/vpxd/
    
  3. Use the grep command to search for session statistics. To find entries for a specific account (e.g., "readonly") within the latest profiler logs, execute:

    grep -E "Username='<REDACTED_PII>'|ClientIP=" vpxd-profiler-*.log
    
  4. Analyze the output for lines matching the session statistics format:

    --> /SessionStats/SessionPool/Session/Id='<REDACTED_API_KEY>'/Username='<REDACTED_PII>'/ClientIP='<REDACTED_IP>'/...

Data Interpretation:

  • Username: Indicates the identity used by the third-party integration to authenticate.

  • ClientIP: Identifies the source network address of the system initiating the API/SDK calls.
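
To turn the matched lines into a per-account audit summary, the following added example (not part of the original article or of VMware tooling) counts distinct session IDs for each Username and ClientIP pair. The sample lines are constructed, the counter names after ClientIP are placeholders, and the function names are hypothetical; it assumes awk and sort are available in the shell.

```shell
#!/bin/sh
# Added example: count distinct sessions per Username/ClientIP pair.
# Reads matched lines on stdin, prints "sessions<TAB>username<TAB>client_ip".
summarize_sessions() {
  awk -v q="'" '
    {
      # Split on single quotes: prefix, Id, "/Username=", user, "/ClientIP=", ip, rest
      n = split($0, f, q)
      if (n < 7) next
      if (f[1] !~ /\/SessionStats\/SessionPool\/Session\/Id=$/) next
      if (f[3] != "/Username=" || f[5] != "/ClientIP=") next
      key = f[4] "\t" f[6]
      # A session emits many counter lines; count each session Id once per pair
      if (!((key, f[2]) in seen)) { seen[key, f[2]] = 1; count[key]++ }
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample input in the session statistics format shown in step 4.
# The last line matches "ClientIP=" but is not a session-stat line and is skipped.
sample_lines() {
  cat <<'EOF'
vpxd-profiler-1.log:--> /SessionStats/SessionPool/Session/Id='sess-a'/Username='readonly'/ClientIP='192.0.2.10'/CounterA/total 4
vpxd-profiler-1.log:--> /SessionStats/SessionPool/Session/Id='sess-a'/Username='readonly'/ClientIP='192.0.2.10'/CounterB/total 1
vpxd-profiler-1.log:--> /SessionStats/SessionPool/Session/Id='sess-b'/Username='readonly'/ClientIP='192.0.2.10'/CounterA/total 2
vpxd-profiler-2.log:--> /SessionStats/SessionPool/Session/Id='sess-c'/Username='readonly'/ClientIP='198.51.100.7'/CounterA/total 9
vpxd-profiler-2.log:--> /SessionStats/SessionPool/Session/Id='sess-d'/Username='svc-monitor'/ClientIP='192.0.2.25'/CounterA/total 3
vpxd-profiler-2.log:--> /SomethingElse/ClientIP='203.0.113.5'/total 1
EOF
}

# Demo on the constructed sample. On the appliance, pipe the grep output instead:
#   grep -E "Username='readonly'|ClientIP=" vpxd-profiler-*.log | summarize_sessions
sample_lines | summarize_sessions
```

An account that appears with more than one ClientIP, or from an address outside the integration's expected hosts, is the first thing to check in the summary.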