Based on a snip from William Lam,
Snip here –> https://www.virtuallyghetto.com/2017/11/how-to-audit-vsphere-api-usage.html
You can use some quick Powershell to:
1 – Download the VPXD.log from your vcenter
2 – Parse that log for
a. API access frequency parsed per API.
b. User Auth frequency parsed per user account.
Why do we care about this? In my shop, we have an aggressive amount of third party (and VMware tools) that log into vCenter and relentlessly call APIs 24/7/365. This API usage has pushed some of our vCenters to 20+ vCPUs and 32+GB of memory. Some well above the “Extra Large” configuration setting at first deployment. So, use this script to find out who is logging in, then find out what API calls are being called the most frequent. If you want, you can go beyond this script and scan vcenter events (with PowerCLI get-vievent) and find the IP address and API method used by the user account you caught with this script.
First, Download and install the WinSCP Powershell commandlets.
If your computer has internet access, run an admin level powershell window and run “Install-Module -name WinSCP”
Help here if needed –> https://gallery.technet.microsoft.com/WinSCP-PowerShell-Module-ee1601ff
Second, Make sure your vCenter is ready to accept remote SSH/SCP sessions.
– SSH into your vCenter appliance, switch to the shell prompt with “shell.set –enabled true” then run “chsh -s /bin/bash root”
— Running this command will force vCenter shell to launch into the bash shell directly and allow remote SCP sessions to work.
— You can manually pull the log if you don’t want to use this command. Just download the log from vcenter location “/storage/log/vmware/vpxd/vpxd.log” and save it to a local location. Just keep in mind my script does focus on C:\temp and names the file with the vcenter name using the winSCP method. Thus, be sure to edit the script as needed if you plan to copy the file from vCenter manually.
Third, edit the top three vars of the script below and paste it into your powershell window. If you run into any issues, validate the vars, vcenter name, password, your Powershell modules loaded correctly, and that the vCenter SSH Shell is set correctly to allow remote commands.
###### EDIT THESE Vars:
$vcenter = “vcenter-1.pcli.me”
$pass = “VMWare1!”
$yourDomain = “pcli” #example if domain account is pcli\username1
### Paste The Script
Import-Module winscp
$filename = $vcenter.split(“.”)[0] + “-vpxd.log”
$destinationlocation = “c:\temp\”+$filename
$Cred = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList “root”, (ConvertTo-SecureString –String $pass –AsPlainText -Force)
$session = New-WinSCPSession -Credential $cred -Hostname $vcenter -GiveUpSecurityAndAcceptAnySshHostKey
$getfile = Receive-WinSCPItem -WinSCPSession $Session -Path “/storage/log/vmware/vpxd/vpxd.log” -destination $destinationlocation
if($getfile.issuccess -eq $true){
# IF the winSCP session resulted in success, parse the file
$vpxdLog = Get-Content -Path $destinationlocation
### find how much data is in the log file and store in var
$date1 = ($vpxdLog | select -f 1).split(” “)[0]
$date2 = ($vpxdLog | select -l 1).split(” “)[0]
$timespanofdata = “{0:N2}” -f (new-timespan $date1 $date2).totalhours
$apiTally = @{}
$userTally = @{}
foreach ($line in $vpxdLog) {
if($line -match “[VpxLRO]” -and $line -match “BEGIN”) {
$field = $line -split ” ”
if($field[13] -match “vim” -or $field[13] -match “vmodl”) {
$apiTally[$field[13]] += 1
}#end IF $field
}#end if $line
if($line -match “User “+$yourDomain+”\\” -or $line -match “User VSPHERE.LOCAL”){
$field = $line -split ” ”
if($field[8] -match $yourDomain){$userTally[$field[8]] += 1}
if($field[8] -match “VSPHERE.LOCAL”){$userTally[$field[8]] += 1}
}#end if $line auth
}#end foreach $vpxdlog
$commandDuration = Measure-Command {
$apiresults = $apiTally.GetEnumerator() | Sort-Object -Property Value | FT -AutoSize @{Name=”vSphereAPI”;e={$_.Name}}, @{Name=”Frequency”; e={$_.Value}}
$userresults = $userTally.GetEnumerator() | Sort-Object -Property Value | FT -AutoSize @{Name=”UserName”;e={$_.Name}}, @{Name=”Frequency”; e={$_.Value}}
}
$duration = $commandDuration.TotalMinutes
$fileSize = [math]::Round((Get-Item -Path $destinationlocation).Length / 1MB,2)
$apiresults
$userresults
Write-host “FileName: $destinationlocation”
Write-host “FileSize: $fileSize MB.”
Write-Host “Amount of Logs in file: $timespanofdata Hours.”
Write-host “Time to Parse logfile: $duration minutes.”
}
Again, Credit to William Lam for the Blog work. Ping me on twitter @vmnick0 if you have any questions.
And as with all scripts, I know this can be condensed down, but I leave it open to make it easy for others to edit (or take small snips) as needed.