VMware

Aria Operations for Logs #3 vCenter PowerCLI Failed Logins

In this article, I will explain how to create alarms and dashboards for failed PowerCLI login attempts, using the logs we collect from vCenter. In my previous article, I covered alarms for failed SSH attempts on vCenter. If you want to review that article, you can find it below.

Explore Logs – Query filtering

First, in the Explore Logs menu, we set the appname value to vpxd-main and filter for log records whose text contains (vim.fault.invalidlogin) {\n–> faultcause = (vmodl.methodfault).

Explore Logs – Filters

In this way, we can view the log records of failed PowerCLI logins to vCenter.

Explore Logs – Events

Alert Definitions – Creating Alert from Query

Now let's create an alarm definition for this filter. To do this, we press the red alarm button and open the alarm definition with Create Alert from Query...

Create Alert from Query

In this section, we fill in the alarm name and description. Then, under Trigger Condition, we set the alarm to Real Time. With this configuration, we will receive a notification via e-mail and Slack Webhook when the number of events is more than 1.

Trigger Condition
Email Notification
Slack Notification

vCenter PowerCLI Access – Failed Login Count

Now, using the same filters that we used for the alarm above, we add the total number of failed logins to a dashboard with the Add query to Dashboard button. This gives us a widget showing the total number of events, as below.

Add query to Dashboard
vCenter PowerCLI Access – Failed Login Count

vCenter PowerCLI Access – Failed Logins by Source

As in the previous topic, we use the same filters, but this time we select the events as non-time series and group them by Source with Group By. After adding this query to the dashboard, we can see the failed PowerCLI login attempts to vCenter broken down by Source.

vCenter PowerCLI Access – Failed Logins by Source
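
The filter, the "more than 1" trigger condition and the Group By Source view described above, reproduced offline as an added example (not part of the original article and not Aria Operations for Logs code). The sample events, the dict field names, the host names and the case-insensitive, whitespace-tolerant matching are assumptions.

```python
import re
from collections import Counter

# Text fragments from the article's filter. Matching is case-insensitive and
# whitespace-tolerant here (an assumption about how the product matches text).
FRAGMENTS = ["(vim.fault.invalidlogin) {", "faultcause = (vmodl.methodfault)"]
PATTERNS = [re.compile(r"\s*".join(map(re.escape, f.split())), re.I)
            for f in FRAGMENTS]

# Constructed sample events (not real logs); field names are hypothetical.
FAULT = ("vim.SessionManager.login: vim.fault.InvalidLogin:\n--> Result:\n"
         "--> (vim.fault.InvalidLogin) {\n"
         "-->    faultCause = (vmodl.MethodFault) null,\n--> }")
EVENTS = [
    {"appname": "vpxd-main", "source": "vcsa01.example.test", "text": FAULT},
    {"appname": "vpxd-main", "source": "vcsa01.example.test", "text": FAULT},
    {"appname": "vpxd-main", "source": "vcsa02.example.test", "text": FAULT},
    {"appname": "vpxd-main", "source": "vcsa02.example.test",
     "text": "vim.SessionManager.logout: session closed"},
    {"appname": "sshd", "source": "vcsa01.example.test",
     "text": "Failed password for root"},
    {"appname": "other-app", "source": "vcsa02.example.test", "text": FAULT},
]

def is_failed_powercli_login(event):
    """Both filters: appname is vpxd-main AND text has both fragments in order."""
    if event["appname"] != "vpxd-main":
        return False
    pos = 0
    for pattern in PATTERNS:
        match = pattern.search(event["text"], pos)
        if match is None:
            return False
        pos = match.end()
    return True

def failed_logins_by_source(events):
    """Non-time-series view: matching events grouped by Source."""
    return Counter(e["source"] for e in events if is_failed_powercli_login(e))

def alert_fires(events, threshold=1):
    """Trigger condition from the article: number of events is more than 1."""
    return sum(failed_logins_by_source(events).values()) > threshold

if __name__ == "__main__":
    for source, count in failed_logins_by_source(EVENTS).most_common():
        print(f"{source}: {count}")
    print("alert fires:", alert_fires(EVENTS))
```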

Later in this series, we create a report for the vCenter Failed Logins dashboard; you can find that article below.
