Aria Operations for Logs #7 ESXi DCUI Failed Logins
In this article, I will explain how to create alarms and dashboards for failed login attempts via DCUI (Direct Console User Interface), using the logs we collect from ESXi hosts. In my previous article, I covered alarms for failed login attempts to ESXi hosts via SSH. If you want to review that article, you can find it below.
Explore Logs – Query filtering
First, in the Explore Logs menu, we set the appname value to dcui and filter for log records whose text contains Authentication of user.
In this way, we can view log records with failed login attempts to ESXi hosts via DCUI.
Alert Definitions – Creating Alert from Query
Now let's create an alarm definition for this filter. To do this, we press the red alarm button and switch to the alarm definition with Create Alert from Query...
In this section, we fill in the alarm name and description. Then we set the Trigger Condition of this alarm to Real Time. With this configuration, we will receive a notification via e-mail and Slack Webhook when the number of events is more than 1.
ESXi DCUI Access – Failed Login Count
Now, using the same filters that we defined for the alarm above, we send the total number of failed logins to a dashboard with the Add query to Dashboard button. This gives us a view containing the total number of events, as below.
ESXi DCUI Access – Failed Logins by Hostname
As in the previous topic, we use the same filters, but this time we select the events as non-time series and group them by hostname with Group By. By adding this query to the dashboard, we can see the failed logins to ESXi hosts via DCUI broken down per host.
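The same filter, trigger and Group By logic can be checked offline against exported log lines. The following is an added example, not part of the original article or the product: the log line layout, the sample hosts and messages, and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines, not real ESXi output. Assumed layout:
# "<timestamp> <hostname> <appname>[<pid>]: <text>"
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z esxi01.lab.example dcui[2101]: Authentication of user root has failed",
    "2024-05-01T10:00:09Z esxi01.lab.example dcui[2101]: Authentication of user root has failed",
    "2024-05-01T10:01:30Z esxi02.lab.example dcui[1988]: Authentication of user admin has failed",
    "2024-05-01T10:02:00Z esxi02.lab.example sshd[3310]: Authentication of user root has failed",
    "2024-05-01T10:02:05Z esxi03.lab.example dcui[1450]: Screen refreshed",
    "malformed line without the expected fields",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<hostname>\S+)\s+"
    r"(?P<appname>[^\s\[:]+)(?:\[\d+\])?:\s*(?P<text>.*)$"
)
NEEDLE = "authentication of user"  # text filter from the article, lowercased


def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def dcui_failed_logins(lines):
    """Keep events where appname is dcui and text contains the filter string."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["appname"] == "dcui" and NEEDLE in ev["text"].lower():
            events.append(ev)
    return events


def count_by_hostname(events):
    """Counterpart of the non-time-series Group By hostname query."""
    return Counter(ev["hostname"] for ev in events)


def alert_fires(events, threshold=1):
    """Article's trigger: the number of events is more than 1."""
    return len(events) > threshold


if __name__ == "__main__":
    hits = dcui_failed_logins(SAMPLE_LINES)
    print("total:", len(hits), "alert:", alert_fires(hits))
    for host, n in count_by_hostname(hits).most_common():
        print(host, n)
```

Note that the sshd line is excluded even though its text matches, which is why the appname filter matters when separating DCUI attempts from SSH attempts.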
Continuing this series, you can find the article in which we create a report from the ESXi Failed Logins dashboard below.