How do I monitor failed logins on VMware ESXi hosts?

Article ID: 462
Category: Network Services
Updated: 2021-12-14

Failed login attempts on VMware ESXi hosts can be monitored via Syslog and the EventSentry Network Services Syslog daemon.

First, the VMware ESXi host must be configured to send Syslog messages to the EventSentry Network Services Syslog daemon (the hostname or IP address of the management console machine). If the VMware ESXi host(s) are not already configured to send Syslog to EventSentry, see below for instructions:

Configure Syslog on ESXi Hosts

In the EventSentry management console, expand "Network Services > Syslog Daemon", click "Syslog to Event Log" and add the following filter:

*hostd*esx*rejected password for user*

This will write any Syslog message that matches this pattern to the event log. To get a real-time email alert, an event log filter also needs to be added. In the management console, expand "Packages", click on "Event Logs" and select "Add" from the ribbon. Give the new package a descriptive name, e.g. "Syslog Notifications". Then click the new package "Syslog Notifications", click "Add -- Include Filter" and give the filter a descriptive name, e.g. "VMware login failures". Then click on the filter, add an email action and configure it with the following properties:

Log: Application
Severity: Warning & Error
Event Source: EventSentry Network Services
Event ID: 500
Content Filter: *hostd*esx*rejected password for user*

Next, right-click on the package "Syslog Notifications", select "Assign", and then select the EventSentry management console server. Finally, in the toolbar, select "Home > Save".
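
One way to check the wildcard filter above against messages captured from your own hosts before relying on the alert, as an added example that is not part of the original article or of EventSentry. It assumes case-insensitive matching with `*` as the only wildcard and a "... for user <name> from <address>" message layout; the sample lines are constructed.

```python
import re
from collections import Counter

# Wildcard filter from the article (Syslog filter and event log content filter).
FILTER = "*hostd*esx*rejected password for user*"

def wildcard_to_regex(pattern):
    """Compile a '*' wildcard pattern to a regex.
    Assumption: case-insensitive, '*' matches any run of characters."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

# Assumed message layout: "... rejected password for user <name> from <address>".
DETAIL = re.compile(r"rejected password for user (\S+) from (\S+)", re.IGNORECASE)

def failed_logins(lines, pattern=FILTER):
    """Return (user, source) for each line the wildcard filter matches."""
    rx = wildcard_to_regex(pattern)
    hits = []
    for line in lines:
        if rx.fullmatch(line):
            m = DETAIL.search(line)
            hits.append((m.group(1), m.group(2)) if m else ("?", "?"))
    return hits

def noisy_sources(lines, threshold=2):
    """Sources with at least `threshold` rejected passwords in the batch."""
    counts = Counter(src for _, src in failed_logins(lines))
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample messages; host names, PIDs, opIDs and addresses are made up.
SAMPLE = [
    "Hostd: info hostd[2100001] [sub=Default opID=esxui-1a2b] Rejected password for user root from 192.0.2.10",
    "Hostd: info hostd[2100001] [sub=Default opID=esxui-3c4d] Rejected password for user admin from 192.0.2.10",
    # "esx" occurs only before "hostd", so the ordered wildcards do not match.
    "esx02 Hostd: info hostd[2100001] [sub=Default opID=7f3c] Rejected password for user root from 192.0.2.77",
    # Successful login: the "rejected password" text is absent.
    "Hostd: info hostd[2100001] [sub=Default opID=esxui-5e6f] Accepted password for user root from 192.0.2.10",
]

if __name__ == "__main__":
    for user, src in failed_logins(SAMPLE):
        print(f"rejected password: user={user} source={src}")
    print("repeat offenders:", noisy_sources(SAMPLE))
```

The third sample line shows that the wildcards are ordered: a message only matches when "esx" appears after "hostd" and before the "rejected password" text, so test the filter with real messages from each host.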