Single Sign-On (SSO) audit events are records of user or system actions for accessing the SSO services.

vCenter Server 6.7 Update 2 and later improves VMware vCenter Single Sign-On auditing by adding events for the following operations:

  • User management
  • Login
  • Group creation
  • Identity source
  • Policy updates

Supported identity sources are vsphere.local, Integrated Windows Authentication (IWA), and Active Directory over LDAP.

When a user logs in to vCenter Server through Single Sign-On, or makes changes that affect SSO, the following audit events are written to the SSO audit log file:
  • Login and Logout Attempts: Events for all the successful and failed login and logout operations.
  • Privilege Change: Event for change in a user role or permissions.
  • Account Change: Event for change in the user account information, for example, user name, password, or any additional account information.
  • Security Change: Event for change in a security configuration, parameter, or policy.
  • Account Enabled or Disabled: Event for when an account is enabled or disabled.
  • Identity Source: Event for adding, deleting, or editing an identity source.

In the vSphere Client and the vSphere Web Client, event data is displayed in the Monitor tab. See the vSphere Monitoring and Performance documentation.

Note: The ability to view events using either of the GUI clients is only enabled for the vCenter Server Appliance.

SSO audit event data includes the following details:

  • Timestamp of when the event occurred.
  • User who performed the action.
  • Description of the event.
  • Severity of the event.
  • IP address of client used to connect to vCenter Server, if available.

SSO Audit Event Log Overview

The vSphere Single-Sign On process writes audit events to the audit_events.log file in the following locations.

Table 1. SSO Audit Log Location
OS Location
vCenter Server Appliance /var/log/audit/sso-events/
vCenter Server Windows C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs\
Caution: Never manually edit the audit_events.log file, as doing so might cause the audit logging to fail.

Keep the following in mind when working with the audit_events.log file:

  • The log file is archived once it reaches 50 MB.
  • A maximum of 10 archive files is kept. If the limit is reached, the oldest file is purged when a new archive is created.
  • The archive files are named audit_events-<index>.log.gz, where the index is a numeral from 1 to 10. The first archive created is index 1, and is increased with each subsequent archive.
  • The oldest events are in archive index 1. The highest indexed file is the latest archive.