Virtualization Pro

Jan 14 2008   4:25AM GMT

Monitor the Virtual Infrastructure Database for authentication attempts

Rick Vanover

Because VMware ESX and Virtual Center (VC) play such a large role in the datacenter, I decided it would be a good idea to keep an audit trail of authentication attempts into the Virtual Infrastructure Client and over SSH on the host. In my recently upgraded VC 2.5 environment, I made a quick trip to the database to query some of the authentication events. Here are some queries against the VC database running on Microsoft SQL Server that may be useful.

Failed authentication attempts

This query in Query Analyzer will show the failed authentication attempts into VC or the ESX host:

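-- Run against the VirtualCenter database
SELECT EVENT_TYPE, CREATE_TIME, HOST_NAME
FROM VPX_EVENT  -- event table name assumed; it is not shown in this post
WHERE EVENT_TYPE = 'vim.event.BadUserNameSessionEvent'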

This will show you the failed authentication attempts. Look for repeated attempts, or attempts from usernames that you do not expect to log into VC. If you want to run the same query with all fields, replace EVENT_TYPE, CREATE_TIME, HOST_NAME with a '*', or add further criteria such as a time condition. You may consider putting SQL monitors or alerts in place for this condition, or simply producing a daily report of failed authentication attempts that is accessible for audit purposes. Failed authentication attempts against the ESX host itself (SSH) also appear in this query result.
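The daily failed-logon report suggested above, sketched as an added example (not code from the original post). It runs against an in-memory SQLite stand-in filled with constructed rows so it works offline; the VPX_EVENT table name, the USERNAME column, the threshold and the expected-user list are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

FAILED = "vim.event.BadUserNameSessionEvent"

# Constructed sample rows: (EVENT_TYPE, CREATE_TIME, USERNAME, HOST_NAME)
SAMPLE = [
    (FAILED, "2008-01-13 22:01:10", "root", "esx01"),
    (FAILED, "2008-01-13 22:01:14", "root", "esx01"),
    (FAILED, "2008-01-13 22:01:19", "root", "esx01"),
    (FAILED, "2008-01-14 02:15:00", "tempadmin", None),  # no host recorded
    (FAILED, "2008-01-10 09:00:00", "root", "esx01"),    # outside the window
    ("vim.event.UserLoginSessionEvent", "2008-01-14 03:00:00", "vcadmin", None),
]

# Portable SQL: failures per user and host since a cut-off time.
REPORT_SQL = """
SELECT USERNAME, COALESCE(HOST_NAME, '(VC)'), COUNT(*),
       MIN(CREATE_TIME), MAX(CREATE_TIME)
  FROM VPX_EVENT
 WHERE EVENT_TYPE = ? AND CREATE_TIME >= ?
 GROUP BY USERNAME, COALESCE(HOST_NAME, '(VC)')
 ORDER BY COUNT(*) DESC, USERNAME
"""

def load_sample():
    """Build the stand-in table (assumed schema) with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE VPX_EVENT (EVENT_TYPE TEXT, CREATE_TIME TEXT,"
               " USERNAME TEXT, HOST_NAME TEXT)")
    db.executemany("INSERT INTO VPX_EVENT VALUES (?, ?, ?, ?)", SAMPLE)
    return db

def failed_login_report(db, now, expected_users, threshold=3, hours=24):
    """Return (repeated, unexpected) failed-logon findings for the window."""
    since = (now - timedelta(hours=hours)).strftime("%Y-%m-%d %H:%M:%S")
    rows = db.execute(REPORT_SQL, (FAILED, since)).fetchall()
    repeated = [r for r in rows if r[2] >= threshold]          # repeated attempts
    unexpected = [r for r in rows if r[0] not in expected_users]
    return repeated, unexpected

if __name__ == "__main__":
    rep, unexp = failed_login_report(load_sample(), datetime(2008, 1, 14, 4, 25),
                                     expected_users={"root", "vcadmin"})
    for label, rows in (("REPEATED", rep), ("UNEXPECTED USER", unexp)):
        for user, host, n, first, last in rows:
            print(f"{label}: {user}@{host} {n} failures {first} .. {last}")
```

On SQL Server the same SELECT applies with CREATE_TIME compared as a datetime rather than as text.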

Successful authentication attempts
Just as it is important to monitor failed authentication attempts, you may need an audit trail of successful connections. Within the VC database, this query shows successful logon events from the Virtual Infrastructure Client or directly to the ESX host:

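SELECT EVENT_TYPE, CREATE_TIME, HOST_NAME FROM VPX_EVENT  -- table name assumed; not shown in this post
WHERE EVENT_TYPE = 'vim.event.UserLoginSessionEvent'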

This will show the successful logons through the Virtual Infrastructure Client and any logons via SSH to the ESX host. Combined with some SQL jobs or other reporting against the SQL database, this can provide a solid audit trail.

Database general rule of thumb for safety
Whenever you get into the database, use extreme caution. A good safe practice is to back up the database, restore it as a fresh copy somewhere else, and practice all the queries, jobs or reporting you want to run against the VC database there. That way, once your monitoring elements are safe and clearly defined, you can roll them into your live environment with confidence.
