{
	"id": "7c807eb6-b312-4100-bb32-8f5a050ae5d3",
	"created_at": "2026-04-06T00:11:29.848005Z",
	"updated_at": "2026-04-10T03:19:56.180567Z",
	"deleted_at": null,
	"sha1_hash": "b1c6b9b8b75f820dd9a59f1cfb79443d34fb3b63",
	"title": "Auditing ESXi Shell logins and commands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61961,
	"plain_text": "Auditing ESXi Shell logins and commands\r\nArchived: 2026-04-05 17:54:15 UTC\r\nAuditing ESXi Shell logins and commands\r\ncalendar_today\r\nUpdated On: 12-02-2025\r\nProducts\r\nVMware vSphere ESXi\r\nIssue/Introduction\r\nESXi maintains a history of all commands entered in the ESXi Shell, whether accessed at the console or via SSH.\r\nThis shell command history is maintained in the shell.log file. Within the transcription of commands, the\r\ncommand issuer is identified by the process or world ID. This article describes how to correlate authentication\r\ninformation from the auth.log file with the history of commands executed in the ESXi Shell.\r\nEnvironment\r\nResolution\r\nTo determine the commands executed in the ESXi Shell, and which user and client issued the request:\r\n1. Obtain access to the auth.log and shell.log log files.\r\nConsume logs via syslog in vRealize Log Insight, and filter on appname=login,sshd,shell\r\nLog in to the ESXi Shell and open each log using the less command.\r\nUse a web browser to access https://ESXiHostnameOrIP/host/auth.log and\r\nhttps://ESXiHostnameOrIP/host/shell.log .\r\nUse the vifs command line utility in the vCLI to copy the logs to a client and review the logs.\r\nRead the files from within a vm-support log bundle.\r\n \r\n2. Open the log file /var/log/auth.log in a text viewer.\r\n \r\n3. 
Identify the authentication record, including the Username, Timestamp, and World ID for the session:\r\n\r\nESXi Shell login at the console appears similar to:\r\nYYYY-MM-DD HH:MM:SS login[64386]: root login on 'char/tty/1'\r\nESXi Shell login via interactive SSH appears similar to:\r\nYYYY-MM-DD HH:MM:SS sshd[12345]: Connection from 10.11.12.13 port 2605\r\nYYYY-MM-DD HH:MM:SS sshd[12345]: Accepted keyboard-interactive/pam for root from 10.11.12.13 port 2605 ssh2\r\nYYYY-MM-DD HH:MM:SS sshd[64386]: Session opened for 'root' on /dev/char/pty/t0\r\nYYYY-MM-DD HH:MM:SS sshd[12345]: Session closed for 'root' on /dev/char/pty/t0\r\n...\r\nYYYY-MM-DD HH:MM:SS sshd[12345]: Session closed for 'root' 2\r\nESXi Shell login via SSH with public key appears similar to:\r\nYYYY-MM-DD HH:MM:SS sshd[12345]: Connection from 10.11.12.13 port 2605\r\nYYYY-MM-DD HH:MM:SS sshd[12345]: Accepted publickey for root from 10.11.12.13 port 2605 ssh2\r\nYYYY-MM-DD HH:MM:SS sshd[64386]: Session opened for 'root' on /dev/char/pty/t0\r\nYYYY-MM-DD HH:MM:SS sshd[12345]: Session closed for 'root' on /dev/char/pty/t0\r\n...\r\nYYYY-MM-DD HH:MM:SS sshd[12345]: Session closed for 'root' 2\r\nEach of these authentication records indicates a successful authentication for the user root on August 29th at 18:01 GMT. The SSH methods also include the IP address that the connection was initiated from. The shell session is being handled by World 64386.\r\n\r\n4. Close the /var/log/auth.log file.\r\n\r\n5. Open the /var/log/shell.log file in a text viewer.\r\n\r\n6. 
Identify commands entered that contain the same World ID as identified in Step 3, appearing similar to:\r\nYYYY-MM-DD HH:MM:SS shell[64386]: Interactive shell session started\r\nYYYY-MM-DD HH:MM:SS shell[64386]: cd /var/log\r\nYYYY-MM-DD HH:MM:SS shell[64386]: ls\r\nYYYY-MM-DD HH:MM:SS shell[64386]: vmware -v\r\nYYYY-MM-DD HH:MM:SS shell[64386]: exit\r\nBecause the commands were entered in the console session handled by world ID 64386, they correspond to the authentication session established by the user root as described in Step 3.\r\nAdditional Information\r\nSource: https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html"
	],
	"report_names": [
		"auditing-esxi-shell-logins-and-commands.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434289,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1c6b9b8b75f820dd9a59f1cfb79443d34fb3b63.pdf",
		"text": "https://archive.orkl.eu/b1c6b9b8b75f820dd9a59f1cfb79443d34fb3b63.txt",
		"img": "https://archive.orkl.eu/b1c6b9b8b75f820dd9a59f1cfb79443d34fb3b63.jpg"
	}
}