Search the VMware Knowledge Base (KB)
View by Article ID

Auditing ESXi Shell logins and commands (2004810)

  • 6 Ratings

Purpose

ESXi 5.0 and higher maintains a history of all commands entered in the ESXi Shell, whether accessed at the console or via SSH. This shell command history is maintained in the shell.log file. Within the transcription of commands, the command issuer is identified by the process or world ID. This article describes how to correlate authentication information from the auth.log file with the history of commands executed in the ESXi Shell.

For more information on the locations of the log files described, see Location of ESXi 5.0 log files (2004201) and Location of log files for VMware products (1021806).

Resolution

To determine the commands executed in the ESXi Shell, and which user and client issued the request:

  1. Obtain access to the auth.log and shell.log log files.
    • Consume logs via syslog in vRealize Log Insight, and filter on appname=login,sshd,shell
    • Log in to the ESXi Shell and open each log using the less command.
    • Use a web browser to access https://ESXiHostnameOrIP/host/auth.log and https://ESXiHostnameOrIP/host/shell.log.
    • Use the vifs command line utility in the vCLI to copy the logs to a client and review the logs.
    • Read the files from within a vm-support log bundle.

  2. Open the log file /var/log/auth.log in a text viewer.

  3. Identify the authentication record, including the Username, Time stamp, and World ID for the session:

    • ESXi Shell login at the console appears similar to:

      2011-08-29T18:01:00Z login[64386]: root login on 'char/tty/1'

    • ESXi Shell login via interactive SSH appears similar to:

      2011-08-29T18:01:00Z sshd[12345]: Connection from 10.11.12.13 port 2605
      2011-08-29T18:01:00Z sshd[12345]: Accepted keyboard-interactive/pam for root from 10.11.12.13 port 2605 ssh2
      2011-08-29T18:01:00Z sshd[64386]: Session opened for 'root' on /dev/char/pty/t0
      2011-08-29T18:01:00Z sshd[12345]: Session closed for 'root' on /dev/char/pty/t0
      ...
      2011-08-29T18:35:05Z sshd[12345]: Session closed for 'root' 2

    • ESXi Shell login via SSH with public key appears similar to:

      2011-08-29T18:01:00Z sshd[12345]: Connection from 10.11.12.13 port 2605
      2011-08-29T18:01:00Z sshd[12345]: Accepted publickey for root from 10.11.12.13 port 2605 ssh2
      2011-08-29T18:01:00Z sshd[64386]: Session opened for 'root' on /dev/char/pty/t0
      2011-08-29T18:01:00Z sshd[12345]: Session closed for 'root' on /dev/char/pty/t0
      ...
      2011-08-29T18:35:05Z sshd[12345]: Session closed for 'root' 2

    Each of these authentication records indicate a successful authentication for the user root on August 29th at 18:01 GMT. The SSH methods also include the IP address that the connection was initiated from. The shell session is being handled by world 64386.

  4. Close the /var/log/auth.log file.

  5. Open the /var/log/shell.log file in a text viewer.

  6. Identify commands entered which contain the same World ID as identified in Step 3, appearing similar to:

    2011-08-29T18:01:01Z shell[64386]: Interactive shell session started
    2011-08-29T18:05:02Z shell[64386]: cd /var/log
    2011-08-29T18:05:03Z shell[64386]: ls
    2011-08-29T18:13:04Z shell[64386]: vmware -v
    2011-08-29T18:35:05Z shell[64386]: exit

    Because the commands were entered in the console session handled by world ID 64386, they correspond to the authentication session established by user root as described in Step 3.

Additional Information

For more information, see the VMware vSphere 5.5 Documentation Center.

Tags

esxi-shell-5.0  esxi-shell command-audit esxi-shell-commands-login

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 6 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 6 Ratings
Actions
KB: