I need to do reports on failed logins (as I'm sure many do).
I'm in a simple environment with several ESXi 5.5 boxes reporting to a VCSA 6.0.
I can get most of the failures (ESXi SSH, web client and C# fat client; VCSA SSH and C# fat client) that are logged in the VCSA event console through PowerCLI Get-VIEvent,
e.g. (apologies in advance for the simplistic PS code):
Connect-VIServer -Server xxx.xxx.xxx.xxx

# Pull the events once; the dates are parsed in the current culture (dd/MM/yyyy here)
$events = Get-VIEvent -Start 08/02/2018 -Finish 28/02/2018 -MaxSamples 10000
# Events carrying a host name come from the ESXi hosts, the rest from the VCSA itself
$hostevents   = $events | Where-Object { $_.Host.Name -notlike "" }
$VChostevents = $events | Where-Object { $_.Host.Name -like "" }

foreach ($event in $hostevents) {
    if ($event.FullFormattedMessage -match "(.*)Cannot login(.*)") {
        Write-Host ("----ESX----" + $event.FullFormattedMessage + " from " + $event.Host.Name + " at: " + $event.CreatedTime)
    }
}
foreach ($event in $VChostevents) {
    if ($event.FullFormattedMessage -match "(.*)Cannot login(.*)") {
        Write-Host ("----VCE----" + $event.FullFormattedMessage + " from " + $event.Host.Name + " at: " + $event.CreatedTime)
    }
}
So far so good.
But I also need to get the failed web client/SSO logins for the VCSA, which appear to be logged in /var/log/vmware/sso/vmware-sts-idmd.log:
# tail -20000 /var/log/vmware/sso/vmware-sts-idmd.log | grep -e "Login failed" -e "Authentication failed"
seems to do what I want, but I'd like to extract it into a Windows environment.
Even if I get the /var/log/vmware/sso/vmware-sts-idmd.log into PS / Windows, I should also really get the .gz file(s) too, as it may have just been archived.
I then have to extract by time period.
Is there any CLI stuff that can help?
I do have vRealize Log Insight running, but just the free version, so I cannot add dashboards; I'd have to create my own queries and I haven't quite got my head around it yet.
Has anyone some insights they could share, or do users that need to do these audit reports just buy something commercial like GFILog?
Cheers and regards,
Ray
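Added example, not part of the original post: a PowerShell function that reads a copied vmware-sts-idmd.log together with its rotated .gz archives on Windows, keeps the "Login failed" / "Authentication failed" lines from the grep above, and filters them by time window. The function name, the file paths and the assumed line layout (a line starting with an ISO timestamp such as "[2018-02-21T10:33:12.345Z ...") are assumptions; adjust $TimestampPattern to match the real log.

```powershell
function Get-SsoLoginFailure {
    param(
        [Parameter(Mandatory)][string[]]$Path,     # .log and/or .gz files copied off the VCSA
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$Finish,
        [string[]]$Pattern = @('Login failed', 'Authentication failed'),
        # Assumed line layout: "[2018-02-21T10:33:12.345Z ...] message"; adjust if yours differs
        [string]$TimestampPattern = '^\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})'
    )
    foreach ($file in $Path) {
        # Open the file as-is, or through a gzip decompressor for rotated archives
        $stream = [System.IO.File]::OpenRead($file)
        if ($file -like '*.gz') {
            $stream = New-Object -TypeName System.IO.Compression.GZipStream `
                -ArgumentList $stream, ([System.IO.Compression.CompressionMode]::Decompress)
        }
        $reader = New-Object -TypeName System.IO.StreamReader -ArgumentList $stream
        try {
            while (-not $reader.EndOfStream) {
                $line = $reader.ReadLine()
                # Keep only the failure lines (same strings as the grep on the appliance)
                $isFailure = $false
                foreach ($p in $Pattern) {
                    if ($line -like "*$p*") { $isFailure = $true; break }
                }
                if (-not $isFailure) { continue }
                # Apply the time window; lines without a parseable timestamp are kept, unfiltered.
                # Log timestamps are assumed to be UTC, so pass UTC Start/Finish or convert them.
                $ts = $null
                if ($line -match $TimestampPattern) {
                    $ts = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd\THH:mm:ss', $null)
                    if ($ts -lt $Start -or $ts -gt $Finish) { continue }
                }
                [pscustomobject]@{ Time = $ts; File = $file; Message = $line }
            }
        }
        finally { $reader.Dispose() }
    }
}

# Usage: copy the current log plus any rotated .gz files off the appliance (e.g. with scp/pscp),
# then report on a window; the objects can go to Export-Csv instead of Format-Table.
Get-SsoLoginFailure -Path 'C:\vcsa-logs\vmware-sts-idmd.log', 'C:\vcsa-logs\vmware-sts-idmd.log.1.gz' `
    -Start (Get-Date '2018-02-08') -Finish (Get-Date '2018-02-28 23:59:59') |
    Sort-Object Time | Format-Table Time, Message -AutoSize
```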