Last week I was asked by a customer how they could monitor failed login attempts in vCloud Director. The customer required the ability to use their existing monitoring tool and read the failed login attempts from a file every hour.
The customer did not have a syslog server in place (one will be implemented during Q2 2013), meaning we needed to create a solution without a syslog server.
I created a test user account in vCloud Director, testuser, and did a login attempt using the wrong password.
When finished I searched the vCloud Director log directory, /opt/vmware/vcloud-director/logs, for a failed login attempt by the user testuser, but I couldn’t find any failed login attempts.
I also searched the default RedHat Enterprise Server 6.2 log directory /var/log without finding the failed login attempt.
This means I had to get the failed login attempts from the customer's MSSQL database used by vCloud Director. The login information is stored in the table:
- dbo.audit_event
By using the below line:
sqlcmd -S localhost -U vCD-DB-username -P vCD-DB-user-password -d vCD-DB-name -Q "select event_time, description from dbo.audit_event where description like '%failed%'" -h-1 -s ","
You will get the following output per failed login attempt:
2012-12-14 22:32:40.700,User 'testuser' login failed
This means you can easily use Windows Task Scheduler to run the command, with some minor modifications, and get all failed login attempts listed in a file on a regular basis. I added the below text to a .bat file which we scheduled to run every hour.
@echo off
REM ===============================
REM Get failed vCloud Director login attempts
REM Version 1.0
REM Created by: Magnus Andersson 2013-03-14
REM ===============================
set logfile=C:\vCloud-Director-monitoring\vCD-failed-login-attempts-timestamp.log
echo =============== >> %logfile%
echo start searching for vCloud Director failed login attempts >> %logfile%
date /t >> %logfile%
time /t >> %logfile%
sqlcmd -S localhost -U vCD-DB-username -P vCD-DB-user-password -d vCD-DB-name -Q "select event_time, description from dbo.audit_event where description like '%%failed%%'" -h-1 -s "," -o "C:\vCloud-Director-monitoring\vCloud-Director-failed-login-attempts.csv"
echo Finished searching for vCloud Director failed login attempts >> %logfile%
date /t >> %logfile%
time /t >> %logfile%
echo =============== >> %logfile%
The script creates two files in the C:\vCloud-Director-monitoring directory on the Windows server running the script.
Monitor the file “vCloud-Director-failed-login-attempts.csv” for newly created failed login attempts and monitor the file “vCD-failed-login-attempts-timestamp.log” to make sure the script runs as frequently as expected. New time stamps are created every time the script runs.
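The query above has no time filter, so each run returns every failed login stored in the table, and the monitoring side has to pick out what is new. The following is an added example, not part of the original post, of how a monitoring script could parse the CSV and report only events after a checkpoint; the function names, the threshold and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format shown in the post. sqlcmd can pad columns
# with trailing spaces and append a "rows affected" footer, so both are
# included here to show the parser tolerates them.
SAMPLE_CSV = "\n".join([
    "2012-12-14 22:32:40.700,User 'testuser' login failed",
    "2012-12-14 23:05:11.120,User 'testuser' login failed".ljust(80),
    "2012-12-14 23:05:14.503,User 'testuser' login failed",
    "2012-12-14 23:05:19.017,User 'admin' login failed",
    "",
    "(4 rows affected)",
])

DESC_RE = re.compile(r"^User '(?P<user>.+)' login failed$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_failed_logins(text):
    """Yield (event_time, username) for every well-formed data row."""
    for raw in text.splitlines():
        timestamp, sep, description = raw.partition(",")
        if not sep:
            continue  # blank line or "(N rows affected)" footer
        try:
            event_time = datetime.strptime(timestamp.strip(), TS_FORMAT)
        except ValueError:
            continue  # first column is not a timestamp, so not a data row
        match = DESC_RE.match(description.strip())
        if match:
            yield event_time, match.group("user")


def new_failures(text, last_seen, threshold=3):
    """Return (events after last_seen, users at or over threshold, new checkpoint)."""
    events = [e for e in parse_failed_logins(text) if e[0] > last_seen]
    counts = Counter(user for _, user in events)
    noisy = sorted(u for u, n in counts.items() if n >= threshold)
    checkpoint = max((t for t, _ in events), default=last_seen)
    return events, noisy, checkpoint


if __name__ == "__main__":
    since = datetime(2012, 12, 14, 23, 0, 0)  # constructed checkpoint
    events, noisy, checkpoint = new_failures(SAMPLE_CSV, since, threshold=2)
    print(len(events), "new failed logins; repeated failures for:", noisy)
    print("next checkpoint:", checkpoint)
```

Store the returned checkpoint between runs so the next hourly pass only alerts on rows written since the previous one.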
If you have a syslog server, you can follow the steps outlined by David Hill (@davehill99) in this post: enable vCloud Director syslog after installation (you do not need to perform step 3 in the guide if the vCD Cell is already installed).