During recent security audits I was asked to provide 6 months logs for vcenter access...
Credentials are validated by Active Directory - on the DC security logs we can see events related to the vcenter servers, but not specially viclient.
The alterative is the vpxd log, which shows when a user authenticates however with the default settings, each 50 MB log gives me about 30 minutes of validation (I have rogue monitoring agent logging in and out every few seconds,), I've looked at some other systems and I'm not getting more than a couple of hours per vpxd before rollup
KB 1004795 is clear enough about increasing vpxd.cfg.
<maxFileNum>50</maxFileNum>
<maxFileSize>5242880</maxFileSize>
But there seems a noticeable silence on it being implemented in production environments, no mention in the hardening guide either, I'd need to increase logging considerably, perhaps doubling the file size and saving 500 logs instead of 50... are there people doing this.
An alternative is the task and events in the vc database - set to 180 days, though I would need to identify the correct table and then extract them directly with an sql query
I'd appreciate feedback, - how are you keeping the auditors happy...?