VMware vSphere

Login successes are captured as events in the vCenter log, but what about login failures? I cannot see them in the logs. I am trying to setup an Aria Operations for Logs event when there are failed logins. 

SSO-based login failures do emit events, see https://williamlam.com/2019/04/enhanced-vcenter-server-audit-event-logging-in-vsphere-6-7-update-2.html but if you're using external identity ... I don't believe an event is generated (easy enough to test/confirm as it'll show up in the vSphere UI under Events) as that might be managed through identity provider itself

Login successes are captured as events in the vCenter log, but what about login failures? I cannot see them in the logs. I am trying to setup an Aria Operations for Logs event when there are failed logins. 

Hi William, thanks for the response. Can you put in a feature request to have external identity login failures included as an event? What prompted this discussion was reading through the Protecting vSphere From Specialized Malware article, which has this section:

For anyone else looking for matching strings, this is what I used for login success and login failure for administrator@vsphere.local:

VdirPasswordFailEvent from user(cn=administrator,cn=users,dc=vsphere,dc=local)

User VSPHERE.LOCAL\Administrator@* logged in

SSO-based login failures do emit events, see https://williamlam.com/2019/04/enhanced-vcenter-server-audit-event-logging-in-vsphere-6-7-update-2.html but if you're using external identity ... I don't believe an event is generated (easy enough to test/confirm as it'll show up in the vSphere UI under Events) as that might be managed through identity provider itself

Login successes are captured as events in the vCenter log, but what about login failures? I cannot see them in the logs. I am trying to setup an Aria Operations for Logs event when there are failed logins. 

I was able to get access to an env that had AD setup and both login success AND failures are indeed captured. See the screenshot below where a non-vSphere SSO domain was used (sfo.rainpole.io)

Hi William, thanks for the response. Can you put in a feature request to have external identity login failures included as an event? What prompted this discussion was reading through the Protecting vSphere From Specialized Malware article, which has this section:

For anyone else looking for matching strings, this is what I used for login success and login failure for administrator@vsphere.local:

VdirPasswordFailEvent from user(cn=administrator,cn=users,dc=vsphere,dc=local)

User VSPHERE.LOCAL\Administrator@* logged in

SSO-based login failures do emit events, see https://williamlam.com/2019/04/enhanced-vcenter-server-audit-event-logging-in-vsphere-6-7-update-2.html but if you're using external identity ... I don't believe an event is generated (easy enough to test/confirm as it'll show up in the vSphere UI under Events) as that might be managed through identity provider itself

Login successes are captured as events in the vCenter log, but what about login failures? I cannot see them in the logs. I am trying to setup an Aria Operations for Logs event when there are failed logins.