VMware vSphere – Auditing Your Administrators
As written in my vSphere Security post, insiders (read: administrators) should be considered the biggest threat to the virtual environment. As a result, auditing the environment should be the first step in making sure you’re aware of every change made to the infrastructure. Out of the box, vSphere includes several tools that let you view changes as they are made and keep an eye on what’s going on.
Note: This article focuses on the native tools provided with vSphere. There are many third-party tools that provide vCenter auditing, often with features beyond what the native tools offer. If you need features the native tools don’t provide, I’d suggest looking at tools such as Quest Auditor.
The first, and easiest, way is to simply look at the Tasks & Events tab on the object in question. This lists any tasks requested against the object, whether through vCenter itself or through a PowerCLI session connected directly to vCenter with the Connect-VIServer cmdlet. You can view all events for the whole vCenter or a cluster, or narrow the view down to a single object. Unfortunately, like most native vSphere tools, this only shows the task itself and does NOT show the previous value. For example, if an administrator changes a VM’s allocated RAM from 4GB to 6GB, the event is displayed only as “Reconfigure Virtual Machine”. Hopefully VMware will add that functionality in a later release.
Another easy way to view tasks and events is through PowerCLI. The Get-VIEvent cmdlet retrieves information about the events on a vCenter Server, and its parameters let you customize the search as needed; for example, you can look at events for specific objects or filter the results by a specific username. To see all of the cmdlet’s parameters, use “Get-Help Get-VIEvent”. Example below:
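The following is an added example of the Get-VIEvent approach described above; it is not code from the original post. It pulls the last week of events for one account, writes them to a CSV for later review, and summarises which event types that account generated. The vCenter name vcenter.example.local and the account CORP\jdoe are placeholders.

```powershell
# Added example (not from the original post): audit one account's recent vCenter
# activity with PowerCLI's Get-VIEvent.
# Assumptions: 'vcenter.example.local' and 'CORP\jdoe' are placeholders.

Import-Module VMware.VimAutomation.Core   # older PowerCLI installs use Add-PSSnapin instead
Connect-VIServer -Server 'vcenter.example.local'

$user  = 'CORP\jdoe'
$start = (Get-Date).AddDays(-7)

# -Username and -Start filter on the server side. -MaxSamples defaults to 100,
# so raise it or the oldest events in the window are silently dropped.
$events = Get-VIEvent -Username $user -Start $start -MaxSamples ([int]::MaxValue)

# Flatten the interesting fields and keep a copy outside vCenter for later review.
$events |
    Sort-Object CreatedTime |
    Select-Object CreatedTime, UserName,
        @{ N = 'Entity'; E = { $_.Entity.Name } },
        @{ N = 'Type';   E = { $_.GetType().Name } },   # e.g. VmReconfiguredEvent
        FullFormattedMessage |
    Export-Csv -Path ".\events-$($user -replace '\\', '_').csv" -NoTypeInformation

# Which kinds of change did this account make most often?
$events |
    Group-Object { $_.GetType().Name } |
    Sort-Object Count -Descending |
    Select-Object Count, Name

Disconnect-VIServer -Confirm:$false
```

The event type name (VmReconfiguredEvent, VmPoweredOffEvent, PermissionAddedEvent and so on) is the quickest field to group on; as the post notes, the event itself does not carry the value that was changed, so the CSV is a record of what was touched, not of what it was changed from.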
Another handy log to keep an eye on is shell.log on the ESXi hosts themselves. This log audits SSH activity and records every command run on the host. It can be found at /var/log/shell.log and lists the date, time, user and command for each individual command.
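As an added example (not part of the original post), the snippet below parses shell.log lines into objects, counts commands per account, and picks out the commands that change host state rather than just read it. The log lines are constructed samples in the date/time, user, command layout described above; to run this on real data, copy /var/log/shell.log off a host and feed it in with Get-Content.

```powershell
# Added example (not from the original post): parse ESXi shell.log and surface
# state-changing commands. The lines in $sample are constructed, not from a real host.

$sample = @'
2014-03-10T14:22:31Z shell[12345]: [root]: esxcli network ip interface list
2014-03-10T14:23:02Z shell[12345]: [root]: vim-cmd vmsvc/getallvms
2014-03-10T14:25:47Z shell[12398]: [svc-backup]: vim-cmd vmsvc/power.off 42
2014-03-10T14:26:10Z shell[12398]: [svc-backup]: esxcli network firewall set --enabled false
'@

# timestamp, shell[pid], [user], command
$pattern = '^(?<ts>\S+)\s+shell\[(?<pid>\d+)\]:\s+\[(?<user>[^\]]+)\]:\s+(?<cmd>.*)$'

$entries = foreach ($line in $sample -split '\r?\n') {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Time    = [datetime]::Parse($matches.ts)
            Pid     = [int]$matches.pid
            User    = $matches.user
            Command = $matches.cmd.Trim()
        }
    }
}

# Who is actually using the shell, and how much?
$entries | Group-Object User | Select-Object Name, Count

# Commands that alter the host or its VMs deserve a closer look than read-only ones.
$sensitive = 'power\.(off|on|reset)', 'esxcli system settings', 'esxcli network firewall', 'passwd'
$entries |
    Where-Object { $cmd = $_.Command; $sensitive | Where-Object { $cmd -match $_ } } |
    Format-Table Time, User, Command -AutoSize
```

Each line carries the user that opened the shell session, so a service account running interactive commands, or root activity outside a maintenance window, stands out immediately once the log is tabulated.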
All vCenter information is held in the vCenter database, so naturally you can query the database directly if needed. Most people stay away from querying the vCenter database directly and recommend using other methods (PowerCLI, the APIs, etc.) to gather information. However, if you must query the database for some reason, vCenter events can be found in the VPX_EVENT table. As an example, the simple query “Select * FROM dbo.VPX_EVENT Where USERNAME LIKE ‘USER%’” lists events that pertain to a specific user account.
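The same lookup, written as an added example rather than code from the original post, run from PowerShell as a parameterised read-only query. Passing the account name as a parameter instead of splicing it into the SQL text keeps a stray quote in the name from changing the query. The SQL Server name sqlsrv, the database name VCDB and the account CORP\jdoe are placeholders; the connection is assumed to use a Windows account with read-only rights on the vCenter database.

```powershell
# Added example (not from the original post): query dbo.VPX_EVENT for one account
# with a parameterised query. 'sqlsrv', 'VCDB' and 'CORP\jdoe' are placeholders.

$connString = 'Server=sqlsrv;Database=VCDB;Integrated Security=SSPI'
$userPrefix = 'CORP\jdoe'

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
$cmd  = $conn.CreateCommand()
$cmd.CommandText = @'
SELECT TOP (500) *
FROM   dbo.VPX_EVENT
WHERE  USERNAME LIKE @prefix
'@
# The trailing wildcard travels inside the parameter value, not inside the SQL text.
$null = $cmd.Parameters.AddWithValue('@prefix', "$userPrefix%")

$conn.Open()
try {
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Close()
}

# One row per event; USERNAME is the column the post's query filters on.
$table | Select-Object -First 20 | Format-Table -AutoSize
```

Run this with an account that only has SELECT rights on the database: the point of auditing is to read what administrators did, and the auditing account itself should not be able to alter that record.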
Last but not least, you can use VMware’s Log Insight to capture all logs from vCenter and report on them. I personally haven’t used Log Insight yet, but I plan to test it soon and will update this post with additional information.