Log Insight

vSphere audit trail with Log Insight

Had a talk with a former colleague of mine, a month or two ago, about a customer that wished to use Log Insight to do audit trail of there vSphere environment and if this was possible. My first reaction was I couldn’t see why it shouldn’t be possible to do audit trail with Log Insight. I mean it’s getting it’s logs from the different logs in a VMware environment so it should be pretty easy.


A week or so later I had a moment and looked into if it was indeed possible – As it turns out it is, I think I used around 30 min. for finding the right fields to include.


So the way it work is that I check to see if two field exist and matches on the appname “shell”, meaning ESXi shell commands executed and if ANY of them is a match it’s include in the search.


Log Insight audit trail explained

The field are as follows

"vmw_vc_auth_user" - This catches login events, with username and source ip address. 
"appname" - This is set to "shell", so that we can catch all commands executed via ESXi shell. 
"vc_username" - This catches all the events a user executes, this is equal to the events tab in the vSphere client.


With this you should be able to see, who logged in, from where and what they did (and obviously also when).

Log Insight Audit Trail


The only thing left now is to find a useful way to plot the data – Guess why the color changes in the graph doing off peak hours – You guessed it, backup jobs are starting. If you want to narrow down your search, it should go with out saying, you just type in the info (ip, username, command, event etc.) that triggered your need to do an audit trail, to help you find the needle.


Happy hunting

3 thoughts on “vSphere audit trail with Log Insight

    1. The export feature lets you export up to 20.000 lines as RAW entries or JSON formatted. The reporting part is more tricky… But seems that VMware has aligned vCops/vRop to be the monitor and report part of the vSphere stack. So best guess is to make an “alert” on a query and send it to vCops/vRop – Just set the severity accordingly (none or info would fit best here). Then it should be a part of the vCops/vRob data and then you could make an nice report.

      That’s my best guess on how to over come this problem

Leave a Reply

Your email address will not be published. Required fields are marked *