How to Detect Failed Logon Attempts to VMware

Native Solution vs. Netwrix Auditor for Vmware
We never share your data. Privacy Policy
Native Solution Netwrix Auditor for Vmware

To list all failed logon attempts

  1. In the vSphere client, while connected to vCenter Server, click Events in the Management section.
  2. In the Description, Type or Target contains field, type

cannot login

A list of recent failed logon attempts will be displayed with the following details:

  • The Description field lists the username and IP address from which the connection was attempted.
  • If the failed login attempt was made to an ESX/ESXi host, the Target field lists the ESX/ESXi hostname or IP address. The Target field will be blank if the failed login attempt was to vCenter Server.
How to Detect Failed Logon Attempts to VMware with Native Tools

To report on events within a specific date range

Note: This method does not distinguish between failed logins to ESX/ESXi hosts and failed logins to the vCenter Server.

  1. In the vSphere Client, while connected to vCenter Server, click File > Export > Export Events.
  2. Enter a file name and location.
  3. Deselect the Warning and Information Severity options.
  4. Select a date/time range.
  5. Click OK
    Note: This process may take some time in large environments. A progress indicator is shown at the bottom of the Export Events screen. 
  6. Open the resulting file in a text editor and search for cannot login to find failed login attempts.

Using PowerCLI

This sample script generates a list of failed logins to ESX/ESXi hosts managed by vCenter Server between 10/11/2019 and 13/11/2019:

connect-viserver -server vCenter Server hostname

$hostevents = Get-VIEvent -start 10/11/2019 -finish 13/11/2019 -maxsamples 100000 | where-object {$_.Host.Name -notlike ""}

foreach ($event in $hostevents) {if ($event.fullFormattedMessage -match "Cannot login (.*)@(.*)") {Write-Host ("User " + $matches[1] + " failed to login to " + $event.Host.Name + " from " + $matches[2] + " at: " + $event.createdTime)} }

Sample output:

User root failed to login from at: 12/11/2019 15:51:25
User jmclaren failed to login from at: 12/11/2019 17:02:51

Note that:

  • In large environments, processing may take some time.
  • If you suspect that not all results are being returned, set the -maxsamples parameter higher.
  • Available events depend upon your retention policy. If your retention policy is set for 10 days, data about failed logons from 20 days ago won’t be available.
  • You need to have sufficient permissions to export the events.

Run Netwrix Auditor → Click Reports→ Choose VMware→ Choose All ESXi and vCenter Logon Activity→ Click View.

How to Detect Failed Logon Attempts to VMware with Netwrix Auditor

Reduce the mean time to respond to failed access attempts

Virtualization technologies like VMware offer a wealth of benefits, including easy scalability and better business continuity through redundancy and failover. However, virtual appliances can serve as entry points for malefactors, so IT administrators and security staff need to regularly review failed attempts to log on to their ESXi hosts and vCenter. Unfortunately, with native VMware tools, auditing failed logons is time-consuming and difficult, so it is easy to miss intrusion attacks. 

Netwrix Auditor makes it easy to detect and review failed logon attempts to your virtual environment, so you can validate your access controls, ensure IT security and maintain uninterrupted business processes.