Audit logging of the Datastore Browser

apr911 Member Posts: 380
Hi all,

Does anyone know where, if at all, VMware ESXi/vCenter logs access to the datastore via the UI?

I know logging into the CLI and all actions/commands performed in the CLI are logged (not to mention the CLI is turned off by default), and logging into the UI and most actions performed in the UI are also logged, but as far as I can tell, there is no log of actions taken when browsing the datastore via the UI.

I'm referring to looking at the datastore by finding the Host server in either the Web or C# UI, looking at the attached datastores, right-clicking on one of them and selecting browse. From there, you can upload, download and delete files, and from what I can tell, there is no audit trail placed in any of the log files. I've gone through every log I can find on the ESX server and either I'm overlooking something or it doesn't log anything when you access the UI in this way, as there was no sign of any datastore activity. I also asked Google for assistance and found someone with a similar complaint back in May but ultimately, there was no resolution/further comment on the issue.

This seems to be a rather large security vulnerability to me as it would allow a person with access to the UI to download a virtual server with no record, perhaps some DB server with PII of employees or customers. Alternatively, the user could upload a malicious vmdk file (perhaps they took that downloaded VM home, attached it to VMware, booted it, rootkitted it and now are "returning" it) or just plain delete the file again all with no audit trail.
Currently Working On: Openstack
2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP


  • apr911 Member Posts: 380
    Im going to partially correct myself. I've been looking at this for the last hour (plus an hour before that) and I ran some tests while monitoring the logs on a low use server and found it does log something when the file browser is accessed.

    Specifically, it'll log verbose messages regarding NFC Server (provisisioningvpxNfcServer) in the vpxa.log that also have an associated Hex-id for the task that can be used to track the entire task from start to finish in other logs on the server. With the exception of the "delete" operation, the log messages are rather benign in appearance though, and it's not immediately apparent that's what's happening when you see them, especially since vMotion logs the same type of information whenever a server is moved.

    In addition, the messages do not seem to indicate which user performed the action, and as they are verbose messages, they're likely to get ignored if not outright disabled in logging scripts, but I suppose something is better than nothing. It may also be possible to correlate one of the id tags back to a user, but my familiarity with how that might be accomplished is beyond my VMware skills.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
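
One way to pull the entries described in the reply above out of a log and follow each task by its id, as an added example that is not part of the original posts or VMware's own tooling. The line layout, the `opID=` field used for the hex task id and the sample lines are constructed assumptions; adjust the pattern to what your vpxa.log actually contains.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout, the opID= field and the message text
# are assumptions for illustration; they are not copied from a real vpxa.log.
SAMPLE_LOG = """\
2014-09-10T14:02:11.101Z [verbose 'vpxNfcServer' opID=3fa9c2d1] session opened for /vmfs/volumes/ds1/db01
2014-09-10T14:02:11.540Z [info 'vpxa' opID=77b0e4aa] heartbeat
2014-09-10T14:02:12.020Z [verbose 'vpxNfcServer' opID=3fa9c2d1] get file db01/db01-flat.vmdk
2014-09-10T14:02:58.310Z [info 'vpxa' opID=3fa9c2d1] task completed
2014-09-10T14:05:40.007Z [verbose 'vpxNfcServer' opID=9c1d00e7] delete file db01/old.vmdk
2014-09-10T14:06:02.450Z [verbose 'vpxa' opID=5e2b7f10] property collector update
"""

# Assumed layout: timestamp [level 'source' opID=<hex>] message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<level>\w+)\s+'(?P<source>[^']+)'\s+"
    r"opID=(?P<op>[0-9a-fA-F]+)\]\s+(?P<msg>.*)$"
)

def nfc_tasks(log_text):
    """Group lines by task id; keep only tasks with at least one NFC server line."""
    by_task = defaultdict(list)
    nfc_ids = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout
        by_task[m["op"]].append((m["ts"], m["level"], m["source"], m["msg"]))
        if "nfcserver" in m["source"].lower():
            nfc_ids.add(m["op"])
    return {op: by_task[op] for op in sorted(nfc_ids)}

def summarize(tasks):
    """One record per task: first/last timestamp, line count, delete seen or not."""
    return [{
        "task": op,
        "start": entries[0][0],
        "end": entries[-1][0],
        "lines": len(entries),
        "delete": any("delete" in msg.lower() for *_, msg in entries),
    } for op, entries in tasks.items()]

if __name__ == "__main__":
    for row in summarize(nfc_tasks(SAMPLE_LOG)):
        print(row)
```

Because the grouping is by task id rather than by log level, non-verbose lines that share the id are kept with the NFC lines. As the reply notes, vMotion produces the same kind of entries, so the output is a list of candidates to review, not confirmed datastore browser activity.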