├── README.md ├── global-permission-created-67u2.png ├── global-permission-remove-67u2.png ├── global-permission-update-67u2.png ├── permission-created-67u2.png ├── permission-remove-67u2.png ├── permission-update-67u2.png ├── role-create-67u2.png ├── role-remove-67u2.png ├── role-update-67u2.png ├── successful-vsphere-web-client-login.png ├── successful-vsphere-web-client-logout.png ├── vc-login-67u2.png └── vc-logout-67u2.png /README.md: -------------------------------------------------------------------------------- 1 | # Log examples of vCenter Server Authentication & Authorization activities 2 | 3 | For more information and context, please refer to this blog post [here](http://www.virtuallyghetto.com/2019/04/enhanced-vcenter-server-audit-event-logging-in-vsphere-6-7-update-2.html). 4 | 5 | ## Table of Contents 6 | 7 | * [vSphere 6.7 Update 2](#vsphere-67-update-2) 8 | * Single Sign-On Activities 9 | * Successful SSO Login 10 | * Successful SSO Logout 11 | * Successful SSO Active Directory Login 12 | * Successful SSO Active Directory Logout 13 | * Failed SSO Login 14 | * Failed SSO Login (User not found) 15 | * Failed SSO Active Directory Login 16 | * Failed SSO Active Directory Login (User not found) 17 | * SSO User Creation 18 | * SSO User Password Change 19 | * SSO User Deletion 20 | * SSO Group Creation 21 | * SSO Group Assignment 22 | * SSO Group Deletion 23 | * SSO Password policy update 24 | * vCenter Server Activities 25 | * Successful vCenter Server Login 26 | * Successful vCenter Server Logout 27 | * vSphere Permission Created 28 | * vSphere Permission Updated 29 | * vSphere Permission Deleted 30 | * vSphere Global Permission Created 31 | * vSphere Global Permission Updated 32 | * vSphere Global Permission Deleted 33 | * vSphere Role Creation 34 | * vSphere Role Update 35 | * vSphere Role Deletion 36 | 37 | * [vSphere 6.5](#vsphere-65) 38 | * Single Sign-On Activities 39 | * Successful SSO Login 40 | * Successful SSO Logout 41 | * Successful SSO 
Active Directory Login 42 | * Successful SSO Active Directory Logout 43 | * Failed SSO Login 44 | * Failed SSO Login (User not found) 45 | * Failed SSO Active Directory Login 46 | * Failed SSO Active Directory Login (User not found) 47 | * SSO User Creation 48 | * SSO User Password Change 49 | * SSO User Deletion 50 | * SSO Group Creation 51 | * SSO Group Assignment 52 | * SSO Group Deletion 53 | * SSO Password policy update 54 | * vCenter Server Activities 55 | * Successful vCenter Server Login 56 | * Successful vCenter Server Logout 57 | * vSphere Permission Created 58 | * vSphere Permission Updated 59 | * vSphere Permission Deleted 60 | * vSphere Role Creation 61 | * vSphere Role Update 62 | * vSphere Role Deletion 63 | 64 | * [vSphere 6.0 Update 3](#vsphere-60-update-3) 65 | * Single Sign-On Activities 66 | * Successful SSO Login 67 | * Successful SSO Logout 68 | * Successful SSO Active Directory Login 69 | * Successful SSO Active Directory Logout 70 | * Failed SSO Login 71 | * Failed SSO Login (User not found) 72 | * Failed SSO Active Directory Login 73 | * Failed SSO Active Directory Login (User not found) 74 | * SSO User Creation 75 | * SSO User Password Change 76 | * SSO User Deletion 77 | * SSO Group Creation 78 | * SSO Group Assignment 79 | * SSO Group Deletion 80 | * SSO Password policy update 81 | * vCenter Server Activities 82 | * Successful vCenter Server Login 83 | * Successful vCenter Server Logout 84 | * vSphere Permission Created 85 | * vSphere Permission Updated 86 | * vSphere Permission Deleted 87 | * vSphere Role Creation 88 | * vSphere Role Update 89 | * vSphere Role Deletion 90 | 91 | * [Additional Resources](#additional-resources) 92 | 93 | ## vSphere 6.7 Update 2 94 | 95 | ### Single Sign-On Activities 96 | 97 | * **Successful SSO Login** 98 | 99 | Log Location: /var/log/audit/sso-events/audit_events.log 100 | 101 | ```code 102 | 2019-04-06T12:08:50.250Z {"user":"administrator@vsphere.local","client":"192.168.30.182","timestamp":"04/06/2019 
12:08:50 UTC","description":"User administrator@vsphere.local@192.168.30.182 logged in with response code 200","eventSeverity":"INFO","type":"com.vmware.sso.LoginSuccess"} 103 | ``` 104 | 105 | * **Successful SSO Logout** 106 | 107 | Log Location: /var/log/audit/sso-events/audit_events.log 108 | 109 | ```code 110 | 2019-04-06T12:08:44.813Z {"user":"Administrator@VSPHERE.LOCAL","client":"192.168.30.182","timestamp":"04/06/2019 12:08:44 UTC","description":"User Administrator@VSPHERE.LOCAL@192.168.30.182 logged out","eventSeverity":"INFO","type":"com.vmware.sso.Logout"} 111 | ``` 112 | 113 | * **Successful SSO Active Directory Login** 114 | 115 | Log Location: /var/log/audit/sso-events/audit_events.log 116 | 117 | ```code 118 | 2019-04-06T12:51:56.988Z {"user":"william@PRIMP-INDUSTRIES.COM","client":"192.168.30.182","timestamp":"04/06/2019 12:51:56 UTC","description":"User william@PRIMP-INDUSTRIES.COM@192.168.30.182 logged in with response code 200","eventSeverity":"INFO","type":"com.vmware.sso.LoginSuccess"} 119 | ``` 120 | 121 | * **Successful SSO Active Directory Logout** 122 | 123 | Log Location: /var/log/audit/sso-events/audit_events.log 124 | 125 | ```code 126 | 2019-04-06T12:52:23.974Z {"user":"william@PRIMP-INDUSTRIES.COM","client":"192.168.30.182","timestamp":"04/06/2019 12:52:23 UTC","description":"User william@PRIMP-INDUSTRIES.COM@192.168.30.182 logged out","eventSeverity":"INFO","type":"com.vmware.sso.Logout"} 127 | ``` 128 | 129 | * **Failed SSO Login** 130 | 131 | Log Location: /var/log/audit/sso-events/audit_events.log 132 | 133 | ```code 134 | 2019-04-06T12:47:50.424Z {"user":"administrator@vsphere.local","client":"192.168.30.182","timestamp":"04/06/2019 12:47:50 UTC","description":"User administrator@vsphere.local@192.168.30.182 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"} 135 | ``` 136 | 137 | * **Failed SSO Login (User not found)** 138 | 139 | Log Location: 
/var/log/audit/sso-events/audit_events.log 140 | 141 | ```code 142 | 2019-04-06T12:48:29.060Z {"user":"rogue-user@vsphere.local","client":"192.168.30.182","timestamp":"04/06/2019 12:48:29 UTC","description":"User rogue-user@vsphere.local@192.168.30.182 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"} 143 | ``` 144 | 145 | * **Failed SSO Active Directory Login** 146 | 147 | Log Location: /var/log/audit/sso-events/audit_events.log 148 | 149 | ```code 150 | 2019-04-06T12:53:05.908Z {"user":"william@primp-industries.com","client":"192.168.30.182","timestamp":"04/06/2019 12:53:05 UTC","description":"User william@primp-industries.com@192.168.30.182 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"} 151 | ``` 152 | 153 | * **Failed SSO Active Directory Login (User not found)** 154 | 155 | Log Location: /var/log/audit/sso-events/audit_events.log 156 | 157 | ```code 158 | 2019-04-06T12:52:46.170Z {"user":"rogue-ad-user@primp-industries.com","client":"192.168.30.182","timestamp":"04/06/2019 12:52:46 UTC","description":"User rogue-ad-user@primp-industries.com@192.168.30.182 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"} 159 | ``` 160 | 161 | * **SSO User Creation** 162 | 163 | Log Location: /var/log/audit/sso-events/audit_events.log 164 | 165 | ```code 166 | 2019-04-06T12:37:29.992Z {"user":"Administrator@VSPHERE.LOCAL","client":"","timestamp":"04/06/2019 12:37:29 UTC","description":"Creating local person user 'lamw' with details ('Adding Local SSO User','lamw@virtuallyghetto.com','William','Lam','lamw@vsphere.local')","eventSeverity":"INFO","type":"com.vmware.sso.PrincipalManagement"} 167 | ``` 168 | 169 | * **SSO User Password Change** 170 | 171 | Log Location: /var/log/audit/sso-events/audit_events.log 172 | 173 | ```code 174 | 2019-04-06T12:41:52.190Z 
{"user":"Administrator@VSPHERE.LOCAL","client":"","timestamp":"04/06/2019 12:41:52 UTC","description":"Resetting local person user 'lamw' password","eventSeverity":"INFO","type":"com.vmware.sso.PrincipalManagement"} 175 | ``` 176 | 177 | * **SSO User Deletion** 178 | 179 | Log Location: /var/log/audit/sso-events/audit_events.log 180 | 181 | ```code 182 | 2019-04-06T12:42:15.724Z {"user":"Administrator@VSPHERE.LOCAL","client":"","timestamp":"04/06/2019 12:42:15 UTC","description":"Deleting principal 'lamw'","eventSeverity":"INFO","type":"com.vmware.sso.PrincipalManagement"} 183 | ``` 184 | 185 | * **SSO Group Creation** 186 | 187 | Log Location: /var/log/audit/sso-events/audit_events.log 188 | 189 | ```code 190 | 2019-04-06T12:37:45.560Z {"user":"Administrator@VSPHERE.LOCAL","client":"","timestamp":"04/06/2019 12:37:45 UTC","description":"Creating local group 'vGhetto' with details ('Adding Local SSO Group')","eventSeverity":"INFO","type":"com.vmware.sso.PrincipalManagement"} 191 | ``` 192 | 193 | * **SSO Group Assignment** 194 | 195 | Log Location: /var/log/audit/sso-events/audit_events.log 196 | 197 | ```code 198 | 2019-04-06T12:41:12.939Z {"user":"Administrator@VSPHERE.LOCAL","client":"","timestamp":"04/06/2019 12:41:12 UTC","description":"Adding users to local group 'virtuallyGhetto'","eventSeverity":"INFO","type":"com.vmware.sso.PrincipalManagement" 199 | ``` 200 | 201 | * **SSO Group Deletion** 202 | 203 | Log Location: /var/log/audit/sso-events/audit_events.log 204 | 205 | ```code 206 | 2019-04-06T12:40:24.037Z {"user":"Administrator@VSPHERE.LOCAL","client":"","timestamp":"04/06/2019 12:40:24 UTC","description":"Deleting principal 'virtuallyGhetto'","eventSeverity":"INFO","type":"com.vmware.sso.PrincipalManagement"} 207 | ``` 208 | 209 | * **SSO Password policy update** 210 | 211 | Log Location: /var/log/audit/sso-events/audit_events.log 212 | 213 | ```code 214 | 2019-04-06T12:36:52.811Z 
{"user":"Administrator@VSPHERE.LOCAL","client":"","timestamp":"04/06/2019 12:36:52 UTC","description":"Updating local password policy","eventSeverity":"INFO","type":"com.vmware.sso.PasswordPolicy"} 215 | ``` 216 | 217 | ### vCenter Server Activities 218 | 219 | * **Successful vCenter Server Login** 220 | 221 | Log Location: (included as part of the VC Event Syslog stream) 222 | 223 | ![](vc-login-67u2.png) 224 | 225 | * **Successful vCenter Server Logout** 226 | 227 | Log Location: (included as part of the VC Event Syslog stream) 228 | 229 | ![](vc-logout-67u2.png) 230 | 231 | * **vSphere Permission Created** 232 | 233 | Log Location: (included as part of the VC Event Syslog stream) 234 | 235 | ![](permission-created-67u2.png) 236 | 237 | * **vSphere Permission Updated** 238 | 239 | Log Location: (included as part of the VC Event Syslog stream) 240 | 241 | ![](permission-update-67u2.png) 242 | 243 | * **vSphere Permission Deleted** 244 | 245 | Log Location: (included as part of the VC Event Syslog stream) 246 | 247 | ![](permission-remove-67u2.png) 248 | 249 | * **vSphere Global Permission Created** 250 | 251 | Log Location: (included as part of the VC Event Syslog stream) 252 | 253 | ![](global-permission-created-67u2.png) 254 | 255 | * **vSphere Global Permission Updated** 256 | 257 | Log Location: (included as part of the VC Event Syslog stream) 258 | 259 | ![](global-permission-update-67u2.png) 260 | 261 | * **vSphere Global Permission Deleted** 262 | 263 | Log Location: (included as part of the VC Event Syslog stream) 264 | 265 | ![](global-permission-remove-67u2.png) 266 | 267 | * **vSphere Role Creation** 268 | 269 | Log Location: (included as part of the VC Event Syslog stream) 270 | 271 | ![](role-create-67u2.png) 272 | 273 | * **vSphere Role Update** 274 | 275 | Log Location: (included as part of the VC Event Syslog stream) 276 | 277 | ![](role-update-67u2.png) 278 | 279 | * **vSphere Role Deletion** 280 | 281 | Log Location: (included as part of the VC 
Event Syslog stream) 282 | 283 | ![](role-remove-67u2.png) 284 | 285 | ## vSphere 6.5 286 | 287 | ### Single Sign-On Activities 288 | 289 | * **Successful SSO Login** 290 | 291 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 292 | 293 | ```code 294 | [2017-06-16T12:46:14.520Z vsphere.local d6cd47de-9bf1-4bf4-b53e-495b60366cbd INFO ] [IdentityManager] Authentication succeeded for user [administrator@vsphere.local] in tenant [vsphere.local] in [4] milliseconds with provider [vsphere.local] of type [com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider] 295 | ``` 296 | 297 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 298 | 299 | ```code 300 | [2017-06-16T12:51:48.931Z pool-9-thread-5 opId=f6912d25-8a52-4ff6-a42d-8b61faf1ccbd-89783-ngc INFO com.vmware.identity.vlsi.SessionManagerImpl] User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator' logged in successfully. 301 | ``` 302 | 303 | * **Successful SSO Logout** 304 | 305 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 306 | 307 | ```code 308 | [2017-06-16T12:49:55.733Z pool-9-thread-1 opId=f6912d25-8a52-4ff6-a42d-8b61faf1ccbd-89746-ngc INFO com.vmware.identity.vlsi.SessionManagerImpl] User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator' logged out. 309 | [2017-06-16T12:49:55.733Z VLSI-session-reaper opId= DEBUG com.vmware.identity.vlsi.AuthorizationData] Session closed for User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'. 
310 | ``` 311 | 312 | * **Successful SSO Active Directory Login** 313 | 314 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 315 | 316 | ```code 317 | [2017-06-16T12:58:55.638Z vsphere.local 963d4db2-e902-4c4c-b3e8-a32f198239fb INFO ] [IdentityManager] Authentication succeeded for user [primp@primp-industries.com] in tenant [vsphere.local] in [117] milliseconds with provider [primp-industries.com] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] 318 | ``` 319 | 320 | * **Successful SSO Active Directory Logout** 321 | 322 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 323 | 324 | ```code 325 | [2017-06-16T13:00:19.200Z pool-9-thread-5 opId=f6912d25-8a52-4ff6-a42d-8b61faf1ccbd-90410-ngc INFO com.vmware.identity.vlsi.SessionManagerImpl] User {Name: primp, Domain: PRIMP-INDUSTRIES.COM} with role 'GuestUser' logged out. 326 | ``` 327 | 328 | * **Failed SSO Login** 329 | 330 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 331 | 332 | ```code 333 | [2017-06-16T13:02:53.268Z vsphere.local 296857de-90c4-407e-af0f-b30c0d7f3470 ERROR] [IdentityManager] Failed to authenticate principal [administrator@vsphere.local] for tenant [vsphere.local] 334 | javax.security.auth.login.LoginException: Login failed 335 | [2017-06-16T13:02:53.282Z vsphere.local 296857de-90c4-407e-af0f-b30c0d7f3470 INFO ] [VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_IDM], text=[SimpleMessage[message=Failed to authenticate principal [administrator@vsphere.local]. 
Login failed]], detailText=[Login failed], corelationId=[296857de-90c4-407e-af0f-b30c0d7f3470], timestamp=[1497618173282] 336 | ``` 337 | 338 | * **Failed SSO Login (User not found)** 339 | 340 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 341 | 342 | ```code 343 | [2017-06-16T13:11:04.533Z vsphere.local 9aff5155-e5f3-49b4-8b55-4d7c1789c23b ERROR] [IdentityManager] Failed to authenticate principal [william@vsphere.local] for tenant [vsphere.local] 344 | javax.security.auth.login.LoginException: Login failed 345 | ``` 346 | 347 | * **Failed SSO Active Directory Login** 348 | 349 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 350 | 351 | ```code 352 | [2017-06-16T13:06:35.039Z vsphere.local 0697b604-7509-418f-aec7-890884b4a0c6 ERROR] [IdentityManager] Failed to authenticate principal [primp@primp-industries.com] for tenant [vsphere.local] 353 | com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: -1765328360][null][null] 354 | [2017-06-16T13:06:35.041Z vsphere.local 0697b604-7509-418f-aec7-890884b4a0c6 INFO ] [VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_IDM], text=[SimpleMessage[message=Failed to authenticate principal [primp@primp-industries.com]. 
Native platform error [code: -1765328360][null][null]]], detailText=[Native platform error [code: -1765328360][null][null]], corelationId=[0697b604-7509-418f-aec7-890884b4a0c6], timestamp=[1497618395041] 355 | ``` 356 | 357 | * **Failed SSO Active Directory Login (User not found)** 358 | 359 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 360 | 361 | ```code 362 | [2017-06-16T13:16:08.098Z vsphere.local 0c82a1ca-747d-4b4b-8370-4dc3265f6382 INFO ] [ActiveDirectoryProvider] Failed to retrieve default UPN for principal vghetto@primp-industries.com 363 | com.vmware.identity.idm.InvalidPrincipalException: Principal id vghetto@primp-industries.com does not exist 364 | ``` 365 | 366 | * **SSO User Creation** 367 | 368 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 369 | 370 | ```code 371 | [2017-06-16T13:27:42.542Z pool-9-thread-5 opId=SsoNewUserViewMediator-add-90607-ngc INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Creating local person user 'william' with details {'For Mr. vGhetto','wlam@virtuallyghetto.com','William','Lam','null'} 372 | ``` 373 | 374 | * **SSO User Password Change** 375 | 376 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 377 | 378 | ```code 379 | [2017-06-16T13:36:09.880Z pool-9-thread-2 opId=SsoChangePasswordViewMediator-apply-91193-ngc INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: william, Domain: vsphere.local} with role 'GuestUser'] Resetting password of local user 'william'. 
380 | ``` 381 | 382 | * **SSO User Deletion** 383 | 384 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 385 | 386 | ```code 387 | [2017-06-16T22:15:19.929Z pool-9-thread-2 opId=UsersActionCommand-remove-109576-ngc INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Deleting principal 'william' 388 | ``` 389 | 390 | * **SSO Group Creation** 391 | 392 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 393 | 394 | ```code 395 | [2017-06-16T22:20:16.996Z pool-9-thread-1 opId=SsoNewGroupViewMediator-add-109931-ngc INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Creating local group 'vGhetoSSOGroup' with details {''} 396 | ``` 397 | 398 | * **SSO Group Assignment** 399 | 400 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 401 | 402 | ```code 403 | [2017-06-16T22:24:21.817Z pool-9-thread-4 opId=SsoAddGroupPrincipalsViewMediator-apply-110228-ngc INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Adding users to local group 'vGhetoSSOGroup' 404 | ``` 405 | 406 | * **SSO Group Deletion** 407 | 408 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 409 | 410 | ```code 411 | [2017-06-16T22:23:26.941Z pool-9-thread-4 opId=GroupsActionCommand-apply-110158-ngc INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Removing principals from local group 'vGhetoSSOGroup' 412 | ``` 413 | 414 | * **SSO Password policy update** 415 | 416 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 417 | 418 | ```code 419 | [2017-06-19T13:28:30.437Z pool-9-thread-4 opId=SsoUpdatePasswordPoliciesViewMediator-apply-120658-ngc INFO com.vmware.identity.admin.vlsi.PasswordPolicyServiceImpl] [User {Name: 
Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Updating local password policy 420 | ``` 421 | 422 | ### vCenter Server Activities 423 | 424 | * **Successful vCenter Server Login** 425 | 426 | Log Location: /var/log/vmware/vpx/vpxd.log (must enable remote syslog, see [here](http://www.virtuallyghetto.com/2017/02/what-logs-do-i-get-when-i-enable-syslog-in-vcsa-6-5.html) for details) 427 | 428 | ![](successful-vsphere-web-client-login.png) 429 | 430 | * **Successful vCenter Server Logout** 431 | 432 | Log Location: /var/log/vmware/vpx/vpxd.log (must enable remote syslog, see [here](http://www.virtuallyghetto.com/2017/02/what-logs-do-i-get-when-i-enable-syslog-in-vcsa-6-5.html) for details) 433 | 434 | ![](successful-vsphere-web-client-logout.png) 435 | 436 | * **vSphere Permission Created** 437 | 438 | Log Location: /var/log/vmware/vpxd-svcs/vpxd-svcs.log 439 | 440 | ```code 441 | 2017-06-16T16:31:13.400Z [tomcat-exec-43 INFO AuthorizationService.AuditLog opId=571a0705-11ca-4fa6-ad5e-a4915b91cbaf] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Added access control [ Principal=Name=VSPHERE.LOCAL\william,isGroup=false,roles=[-1],propogating=true ] to document urn:vmomi:Folder:group-d1:d245fd02-fdd7-4632-ac80-84de521a9140 442 | ``` 443 | 444 | * **vSphere Permission Updated** 445 | 446 | Log Location: /var/log/vmware/vpxd-svcs/vpxd-svcs.log 447 | 448 | ```code 449 | 2017-06-16T16:31:34.653Z [tomcat-exec-65 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Added access control [ Principal=Name=VSPHERE.LOCAL\william,isGroup=false,roles=[-2],propogating=true ] to document urn:vmomi:Folder:group-d1:d245fd02-fdd7-4632-ac80-84de521a9140 450 | ``` 451 | 452 | * **vSphere Permission Deleted** 453 | 454 | Log Location: /var/log/vmware/vpxd-svcs/vpxd-svcs.log 455 | 456 | ```code 457 | 2017-06-16T16:31:58.982Z [tomcat-exec-69 INFO AuthorizationService.AuditLog 
opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Remove access control for principals [ Name=VSPHERE.LOCAL\william,isGroup=false ] on document urn:vmomi:Folder:group-d1:d245fd02-fdd7-4632-ac80-84de521a9140 458 | ``` 459 | 460 | * **vSphere Role Creation** 461 | 462 | Log Location: /var/log/vmware/vpxd-svcs/vpxd-svcs.log 463 | 464 | ```code 465 | 2017-06-16T16:32:24.851Z [tomcat-exec-96 INFO AuthorizationService.AuditLog opId=fa50ba35-1839-4557-aa07-a6c81a1edb5e] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Add role Id=295755225,Name=YouShouldNotBeAllowedToLogin,Description=,Tenant=Privileges=[System.Anonymous, System.Read, System.View] 466 | ``` 467 | 468 | * **vSphere Role Update** 469 | 470 | Log Location: /var/log/vmware/vpxd-svcs/vpxd-svcs.log 471 | 472 | ```code 473 | 2017-06-16T16:32:46.947Z [tomcat-exec-129 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Update role Id=295755225,Name=YouShouldNotBeAllowedToLogin,Description=,Tenant=Privileges=[System.Anonymous, System.Read, System.View, Alarm.Acknowledge, Alarm.Create, Alarm.DisableActions, Alarm.Edit, Alarm.Delete, Alarm.SetStatus] 474 | ``` 475 | 476 | * **vSphere Role Deletion** 477 | 478 | Log Location: /var/log/vmware/vpxd-svcs/vpxd-svcs.log 479 | 480 | ```code 481 | 2017-06-16T16:33:02.929Z [tomcat-exec-153 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Delete role 295755225 482 | ``` 483 | 484 | ## vSphere 6.0 Update 3 485 | 486 | ### Single Sign-On Activities 487 | 488 | * **Successful SSO Login** 489 | 490 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 491 | 492 | ```code 493 | [2017-06-16T12:45:16.392Z vghetto.local f31156bd-f84f-4728-aaa1-556045c9c6bc INFO ] [IdentityManager] Authentication succeeded for user [administrator@vghetto.local] in tenant [vghetto.local] in [6] 
milliseconds with provider [vghetto.local] of type [com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider] 494 | ``` 495 | 496 | * **Successful SSO Logout** 497 | 498 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 499 | 500 | ```code 501 | [2017-06-16T12:48:17.539Z pool-9-thread-1 opId=f6912d25-8a52-4ff6-a42d-8b61faf1ccbd-89518-ngc INFO com.vmware.identity.vlsi.SessionManagerImpl] User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator' logged in successfully. 502 | ``` 503 | 504 | * **Successful SSO Active Directory Login** 505 | 506 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 507 | 508 | ```code 509 | [2017-06-16T12:55:39.611Z pool-3-thread-1 opId=51b5470c-d116-438e-a3cc-6975f4c4c6f9 INFO com.vmware.identity.vlsi.SessionManagerImpl] User {Name: Administrator, Domain: VGHETTO.LOCAL} with role 'Administrator' logged out. 510 | ``` 511 | 512 | * **Successful SSO Active Directory Logout** 513 | 514 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 515 | 516 | ```code 517 | [2017-06-16T12:58:14.195Z vghetto.local 55e0df54-27da-4e5a-b6bd-23c7433f119d INFO ] [IdentityManager] Authentication succeeded for user [primp@primp-industries.com] in tenant [vghetto.local] in [192] milliseconds with provider [primp-industries.com] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider 518 | ``` 519 | 520 | * **Failed SSO Login** 521 | 522 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 523 | 524 | ```code 525 | [2017-06-16T13:02:25.875Z vghetto.local b5da6cc1-a44f-446b-93f3-49cfd41c8437 ERROR] [IdentityManager] Failed to authenticate principal [administrator@vghetto.local] for tenant [vghetto.local] 526 | javax.security.auth.login.LoginException: Login failed 527 | ``` 528 | 529 | * **Failed SSO Login (User not found)** 530 | 531 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 532 | 533 | ```code 534 | [2017-06-16T13:09:44.985Z vghetto.local 
440666fd-b866-440a-90b9-38479d870715 INFO ] [ActiveDirectoryProvider] Failed to retrieve default UPN for principal william@vsphere.local 535 | com.vmware.identity.idm.InvalidPrincipalException: Principal id william@vsphere.local does not exist 536 | ``` 537 | 538 | * **Failed SSO Active Directory Login** 539 | 540 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 541 | 542 | ```code 543 | [2017-06-16T13:05:26.676Z vghetto.local 73a21ff6-547b-4f26-94e4-2c08588d27d8 ERROR] [IdentityManager] Failed to authenticate principal [primp@primp-industries.com] for tenant [vghetto.local] 544 | com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: -1765328360][null][null] 545 | ``` 546 | 547 | ```code 548 | [2017-06-16T13:05:26.679Z vghetto.local 73a21ff6-547b-4f26-94e4-2c08588d27d8 INFO ] [VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vghetto.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_IDM], text=[Failed to authenticate principal [primp@primp-industries.com]. 
Native platform error [code: -1765328360][null][null]], detailText=[com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: -1765328360][null][null] 549 | ``` 550 | 551 | * **Failed SSO Active Directory Login (User not found)** 552 | 553 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 554 | 555 | ```code 556 | [2017-06-16T13:15:38.622Z vghetto.local dc12010a-1d65-4ae1-8521-a50077a1d6d2 INFO ] [ActiveDirectoryProvider] Failed to retrieve default UPN for principal vghetto@primp-industries.com 557 | com.vmware.identity.idm.InvalidPrincipalException: Principal id vghetto@primp-industries.com does not exist 558 | ``` 559 | 560 | * **SSO User Creation** 561 | 562 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 563 | 564 | ```code 565 | [2017-06-16T13:25:39.718Z pool-3-thread-1 opId=bc67fcc4-4170-4a16-a02c-560476adf2f8 INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VGHETTO.LOCAL} with role 'Administrator'] Creating local person user 'william' with details {'For Mr. vGhetto','wlam@virtuallyghetto.com','William','Lam','null'} 566 | ``` 567 | 568 | * **SSO User Password Change** 569 | 570 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 571 | 572 | ```code 573 | [2017-06-16T13:31:01.309Z pool-3-thread-3 opId=845e0011-386e-471f-9787-d2c75a2a6f5f INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: william, Domain: vghetto.local} with role 'GuestUser'] Resetting password of local user 'william'. 
574 | ``` 575 | 576 | * **SSO User Deletion** 577 | 578 | Log Location: /var/log/vmware/sso/ssoAdminServer.log 579 | 580 | ```code 581 | [2017-06-16T22:15:19.929Z pool-9-thread-2 opId=UsersActionCommand-remove-109576-ngc INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VSPHERE.LOCAL} with role 'Administrator'] Deleting principal 'william' 582 | ``` 583 | 584 | * **SSO Group Creation** 585 | 586 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 587 | 588 | ```code 589 | [2017-06-16T15:28:58.067Z pool-3-thread-2 opId=3f6da356-7369-461a-ab34-060a1f4edc8d INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VGHETTO.LOCAL} with role 'Administrator'] Creating local group 'vGhetto-Group' with details {''} 590 | ``` 591 | 592 | * **SSO Group Assignment** 593 | 594 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 595 | 596 | ```code 597 | [2017-06-16T15:30:04.731Z pool-3-thread-1 opId=2296cc54-5a08-4b50-b554-4872aa5e2b0d INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VGHETTO.LOCAL} with role 'Administrator'] Adding users to local group 'vGhetto-Group' 598 | ``` 599 | 600 | * **SSO Group Deletion** 601 | 602 | Log Location: /var/log/vmware/sso/vmware-sts-idmd.log 603 | 604 | ```code 605 | [2017-06-16T15:31:24.999Z pool-3-thread-1 opId=7b4bf623-9b06-41c1-9661-e16f90e1fe2d INFO com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: Administrator, Domain: VGHETTO.LOCAL} with role 'Administrator'] Deleting principal 'vGhetto-Group' 606 | ``` 607 | 608 | ### vCenter Server Activities 609 | 610 | * **Successful vCenter Server Login** 611 | 612 | Log Location: /var/log/vmware/vpx/vpxd.log (must enable remote syslog, see [here](http://www.virtuallyghetto.com/2017/02/what-logs-do-i-get-when-i-enable-syslog-in-vcsa-6-5.html) for details) 613 | 614 | 
![](successful-vsphere-web-client-login.png)

* **Successful vCenter Server Logout**

Log Location: /var/log/vmware/vpx/vpxd.log (must enable remote syslog, see [here](http://www.virtuallyghetto.com/2017/02/what-logs-do-i-get-when-i-enable-syslog-in-vcsa-6-5.html) for details)

![](successful-vsphere-web-client-logout.png)

* **vSphere Permission Created**

Log Location: /var/log/vmware/invsvc/authz-event.log

```code
2017-06-16T16:23:19.148Z [tomcat-exec-291 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Added access control [ Principal=Name=VGHETTO.LOCAL\william,isGroup=false,roles=[-1],propogating=true ] to document urn:vmomi:Folder:group-d1:cd607b82-913a-4d82-9c00-875829f5afb7
```

* **vSphere Permission Updated**

Log Location: /var/log/vmware/invsvc/authz-event.log

```code
2017-06-16T16:23:37.988Z [tomcat-exec-75 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Added access control [ Principal=Name=VGHETTO.LOCAL\william,isGroup=false,roles=[-2],propogating=true ] to document urn:vmomi:Folder:group-d1:cd607b82-913a-4d82-9c00-875829f5afb7
```

* **vSphere Permission Deleted**

Log Location: /var/log/vmware/invsvc/authz-event.log

```code
2017-06-16T16:23:59.911Z [tomcat-exec-108 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Remove access control for principals [ Name=VGHETTO.LOCAL\william,isGroup=false ] on document urn:vmomi:Folder:group-d1:cd607b82-913a-4d82-9c00-875829f5afb7
```

* **vSphere Role Creation**

Log Location: /var/log/vmware/invsvc/authz-event.log

```code
2017-06-16T16:25:21.154Z [tomcat-exec-282 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Add role Id=429606320,Name=YouShouldNotBeAllowedToLoginRole,Description=,Tenant=Privileges=[System.Read, System.View, System.Anonymous]
```

* **vSphere Role Update**

Log Location: /var/log/vmware/invsvc/authz-event.log

```code
2017-06-16T16:25:47.999Z [tomcat-exec-16 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Update role Id=429606320,Name=YouShouldNotBeAllowedToLoginRole,Description=,Tenant=Privileges=[System.Read, System.View, System.Anonymous, Alarm.Acknowledge, Alarm.Create, Alarm.DisableActions, Alarm.Edit, Alarm.Delete, Alarm.SetStatus]
```

* **vSphere Role Deletion**

Log Location: /var/log/vmware/invsvc/authz-event.log

```code
2017-06-16T16:26:07.531Z [tomcat-exec-298 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Delete role 429606320
```

* **SSO Password policy update**

Log Location: /var/log/vmware/sso/ssoAdminServer.log

```code
[2017-06-19T13:26:56.505Z pool-3-thread-3 opId=d55c6ca3-a2b2-41e6-b1a7-e54f2b92d939 INFO com.vmware.identity.admin.vlsi.PasswordPolicyServiceImpl] [User {Name: Administrator, Domain: VGHETTO.LOCAL} with role 'Administrator'] Updating local password policy
```

## Additional Resources

* [What logs do I get when I enable syslog in VCSA 6.5?](http://www.virtuallyghetto.com/2017/02/what-logs-do-i-get-when-i-enable-syslog-in-vcsa-6-5.html)
* [How to forward additional logs using vCenter Server Appliance 6.5](http://www.virtuallyghetto.com/2017/02/how-to-forward-other-vcsa-6-5-logs-to-remote-syslog-server.html)
* [A preview of native syslog support in VCSA 6.0](http://www.virtuallyghetto.com/2015/03/a-preview-of-native-syslog-support-in-vcsa-6-0.html)
* [How to forward additional logs using vCenter Server Appliance 6.0](http://www.virtuallyghetto.com/2012/08/forwarding-vcenter-server-logs-to.html)

--------------------------------------------------------------------------------
/global-permission-created-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/global-permission-created-67u2.png
--------------------------------------------------------------------------------
/global-permission-remove-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/global-permission-remove-67u2.png
--------------------------------------------------------------------------------
/global-permission-update-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/global-permission-update-67u2.png
--------------------------------------------------------------------------------
/permission-created-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/permission-created-67u2.png
--------------------------------------------------------------------------------
/permission-remove-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/permission-remove-67u2.png
--------------------------------------------------------------------------------
/permission-update-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/permission-update-67u2.png
--------------------------------------------------------------------------------
/role-create-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/role-create-67u2.png
--------------------------------------------------------------------------------
/role-remove-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/role-remove-67u2.png
--------------------------------------------------------------------------------
/role-update-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/role-update-67u2.png
--------------------------------------------------------------------------------
/successful-vsphere-web-client-login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/successful-vsphere-web-client-login.png
--------------------------------------------------------------------------------
/successful-vsphere-web-client-logout.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/successful-vsphere-web-client-logout.png
--------------------------------------------------------------------------------
/vc-login-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/vc-login-67u2.png
--------------------------------------------------------------------------------
/vc-logout-67u2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lamw/vcenter-authn-authz-log-examples/d2b943d812cb776424c130143b12b554700d2d32/vc-logout-67u2.png
--------------------------------------------------------------------------------
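
A parser and two simple detections for the `/var/log/vmware/invsvc/authz-event.log` line format shown in the README's vSphere 6.5 samples, as an added example that is not part of the original repository. The function names, event field names and the default watch list (role id `-1`, treated here as a role worth alerting on) are assumptions; the sample lines are copied from the README.

```python
import re
# Lines copied from the authz-event.log samples in the README above.
SAMPLE = [
    r"2017-06-16T16:23:19.148Z [tomcat-exec-291 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Added access control [ Principal=Name=VGHETTO.LOCAL\william,isGroup=false,roles=[-1],propogating=true ] to document urn:vmomi:Folder:group-d1:cd607b82-913a-4d82-9c00-875829f5afb7",
    r"2017-06-16T16:23:59.911Z [tomcat-exec-108 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Remove access control for principals [ Name=VGHETTO.LOCAL\william,isGroup=false ] on document urn:vmomi:Folder:group-d1:cd607b82-913a-4d82-9c00-875829f5afb7",
    r"2017-06-16T16:25:21.154Z [tomcat-exec-282 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Add role Id=429606320,Name=YouShouldNotBeAllowedToLoginRole,Description=,Tenant=Privileges=[System.Read, System.View, System.Anonymous]",
    r"2017-06-16T16:25:47.999Z [tomcat-exec-16 INFO AuthorizationService.AuditLog opId=] Action performed by principal(name=VGHETTO.LOCAL\Administrator,isGroup=false):Update role Id=429606320,Name=YouShouldNotBeAllowedToLoginRole,Description=,Tenant=Privileges=[System.Read, System.View, System.Anonymous, Alarm.Acknowledge, Alarm.Create, Alarm.DisableActions, Alarm.Edit, Alarm.Delete, Alarm.SetStatus]",
]
PREFIX = re.compile(
    r"^(?P<ts>\S+)\s+\[\S+\s+\w+\s+AuthorizationService\.AuditLog opId=[^\]]*\]\s+"
    r"Action performed by principal\(name=(?P<actor>[^,]+),isGroup=\w+\):(?P<detail>.*)$")
DETAILS = [  # "propogating" is spelled this way in the log output itself
    ("grant", re.compile(
        r"Added access control \[\s*Principal=Name=(?P<target>[^,]+),isGroup=\w+,"
        r"roles=\[(?P<roles>[^\]]*)\],propogating=\w+\s*\] to document (?P<doc>\S+)")),
    ("revoke", re.compile(
        r"Remove access control for principals \[\s*Name=(?P<target>[^,]+),isGroup=\w+\s*\]"
        r" on document (?P<doc>\S+)")),
    ("role_set", re.compile(
        r"(?:Add|Update) role Id=(?P<role_id>-?\d+),Name=(?P<role_name>[^,]*),"
        r".*Privileges=\[(?P<privs>[^\]]*)\]")),
    ("role_delete", re.compile(r"Delete role (?P<role_id>-?\d+)")),
]

def parse_authz(line):
    """Return a dict for one authz-event.log line, or None if it does not match."""
    head = PREFIX.match(line.strip())
    for kind, rx in (DETAILS if head else []):
        m = rx.match(head["detail"].strip())
        if m:
            ev = {"ts": head["ts"], "actor": head["actor"], "kind": kind, **m.groupdict()}
            if "roles" in ev:
                ev["roles"] = {int(r) for r in ev["roles"].split(",") if r.strip()}
            if "privs" in ev:
                ev["privs"] = {p.strip() for p in ev["privs"].split(",") if p.strip()}
            return ev
    return None

def findings(lines, watched_roles=frozenset({-1})):
    """Flag grants of watched role ids (default is an assumption) and privileges added to a known role."""
    seen, out = {}, []
    for ev in filter(None, map(parse_authz, lines)):
        if ev["kind"] == "grant" and watched_roles & ev["roles"]:
            out.append(("watched_role_granted", ev["actor"], ev["target"], ev["doc"]))
        elif ev["kind"] == "role_set":
            added = ev["privs"] - seen.get(ev["role_id"], ev["privs"])
            if added:
                out.append(("role_privileges_added", ev["actor"], ev["role_name"], sorted(added)))
            seen[ev["role_id"]] = ev["privs"]
    return out
```

`findings(SAMPLE)` reports the `roles=[-1]` grant to `VGHETTO.LOCAL\william` and the six `Alarm.*` privileges that the role update added; the privilege diff only works when the earlier `Add role` or `Update role` line for the same role id is in the input.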