Reviewing and Auditing User Connections in VMware View 5 Logs

I wanted to find out what sort of data was tracked in the local logs in reference to user connections when an event DB was not configured in VMware View 5. I wasn’t able to find much information on the user session details doing some web searches, so I decided to just configure an environment in a similar fashion and explore for myself.

View Logs Location

A log folder exists on the connection server under this path (Server 2008):

C:\ProgramData\VMware\VDM\logs

Exploring this folder, you’ll see a few different types of logs.

  • Debug-<Date>
  • Log-<Date>
  • PCoIP Secure Gateway (if this is in use)

The log that contains the user session data is the Log-<Date> file, which rolls over daily at midnight.

Contents of the Log

The log contains several different kinds of lines about user sessions, and together they carry a lot of useful information:

  1. Session IDs
  2. SIDs for the User and Broker
  3. Pool and Desktop information
  4. IP address of the Desktop
  5. Connection Duration

Here is a cleaned-up log dump from the lab (the domain user is LAB\wahl; SIDs and session IDs are anonymized):

```
16:09:55, 014 INFO <TP-Processor3> [ProperoAuthFilter] (SESSION:123456789ABCD) User LAB\wahl has successfully authenticated to VDM
16:09:55, 024 INFO <TP-Processor3> [Audit] (SESSION:123456789ABCD) BROKER_LOGON:USER:LAB\wahl;USERSID:S-1-5-21-123456789;USERDN:CN=S-1-5-21-123456789, CN=ForeignSecurityPrincipals, DC=vdi, DC=vmware, DC=int;
16:09:57, 943 INFO <Thread-15> [ak] (Request44) User wahl connected to the Secure Gateway Server – session ID: 123456789ABC
16:14:49, 761 INFO <DesktopControlJMS> [Audit] PENDING:Server:cn=123456789, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=localmode, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:LOCALMODE-01.lab.lan;IP:192.168.20.35;USER:LAB\wahl;USERDN:CN=S-1-5-21-123456789, cn=foreignsecurityprincipals, dc=vdi, dc=vmware, dc=int;BROKERUSERSID:S-1-5-21-123456789;
16:14:55, 141 INFO <DesktopControlJMS> [Audit] CONNECTED:Server:cn=123456789, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=localmode, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:LOCALMODE-01.lab.lan;IP:192.168.20.35;USER:LAB\wahl;USERDN:CN=S-1-5-21-123456789, cn=foreignsecurityprincipals, dc=vdi, dc=vmware, dc=int;BROKERUSERSID:S-1-5-21-123456789;
16:14:55, 141 INFO <DesktopControlJMS> [DesktopTracker] User LAB\wahl connected to machine LocalMode-01 for desktop localmode – session allocated at December 28, 2011 4:14:55 PM CST, connected after 0 mins 0 secs
16:15:45, 581 INFO <DesktopControlJMS> [Audit] PENDING:Server:cn=9e7b8dc0-c075-4534-9ed5-e64c784636b8, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=pool1, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:POOL1-02.lab.lan;IP:192.168.20.13;USER:LAB\wahl;USERDN:CN=S-1-5-21-123456789, cn=foreignsecurityprincipals, dc=vdi, dc=vmware, dc=int;BROKERUSERSID:S-1-5-21-123456789;
16:15:54, 572 INFO <DesktopControlJMS> [Audit] CONNECTED:Server:cn=9e7b8dc0-c075-4534-9ed5-e64c784636b8, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=pool1, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:POOL1-02.lab.lan;IP:192.168.20.13;USER:LAB\wahl;USERDN:CN=S-1-5-21-123456789, cn=foreignsecurityprincipals, dc=vdi, dc=vmware, dc=int;BROKERUSERSID:S-1-5-21-123456789;
16:15:54, 573 INFO <DesktopControlJMS> [DesktopTracker] User LAB\wahl connected to machine pool1-02 for desktop pool1 – session allocated at December 28, 2011 4:15:54 PM CST, connected after 0 mins 0 secs
16:21:20, 817 INFO <DesktopControlJMS> [Audit] ENDED:Server:cn=9e7b8dc0-c075-4534-9ed5-e64c784636b8, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=pool1, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:POOL1-02.lab.lan;IP:192.168.20.13;USER:LAB\wahl;USERDN:CN=S-1-5-21-123456789, cn=foreignsecurityprincipals, dc=vdi, dc=vmware, dc=int;BROKERUSERSID:S-1-5-21-123456789;
16:21:20, 818 INFO <DesktopControlJMS> [DesktopTracker] User LAB\wahl logged off from machine pool1-02 for desktop pool1 – session allocated at December 28, 2011 4:15:54 PM CST, connected for 5 mins 26 secs
16:21:30, 872 INFO <DesktopControlJMS> [Audit] ENDED:Server:cn=123456789, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=localmode, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:LOCALMODE-01.lab.lan;IP:192.168.20.35;USER:LAB\wahl;USERDN:CN=S-1-5-21-123456789, cn=foreignsecurityprincipals, dc=vdi, dc=vmware, dc=int;BROKERUSERSID:S-1-5-21-123456789;
16:21:30, 873 INFO <DesktopControlJMS> [DesktopTracker] User LAB\wahl logged off from machine LocalMode-01 for desktop localmode – session allocated at December 28, 2011 4:14:55 PM CST, connected for 6 mins 35 secs
16:21:32, 051 INFO <TP-Processor8> [Audit] (SESSION:123456789ABCD;ABCD123456789) BROKER_LOGOFF:USER:LAB\wahl;USERSID:S-1-5-21-123456789;USERDN:CN=S-1-5-21-123456789, CN=ForeignSecurityPrincipals, DC=vdi, DC=vmware, DC=int;
16:21:32, 053 INFO <TP-Processor8> [UserSessionTracker] (SESSION:123456789ABCD;ABCD123456789) User USER:LAB\wahl;USERSID:S-1-5-21-123456789;USERDN:CN=S-1-5-21-123456789, CN=ForeignSecurityPrincipals, DC=vdi, DC=vmware, DC=int; has logged out of VDM
16:21:32, 236 INFO <Tunnel#43> [ac] (ABCD123456789) User wahl Secure Gateway Server session ended – session ID: 123456789ABC
```

I can see how this information would be useful both in a troubleshooting scenario (which is probably the primary intention for this log) and for user session auditing.

I’ll call specific attention to lines 04 and 05 which show connection information to a pool I made called “localmode” (which I have been using for local mode testing). The detail lets you know specifically what desktop I was assigned (LOCALMODE-01) and also the IP address of that desktop (192.168.20.35). This can be valuable for security auditing.

I also highlighted lines 12 and 13, which show the teardown of the connection to that pool.

The additional lines of logs show me connecting to a different pool called “Pool1” and that I was assigned desktop POOL1-02.
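To turn the [Audit] PENDING/CONNECTED/ENDED lines above into an audit trail rather than reading them by hand, here is an added parser (my own example, not VMware's tooling or code from the post). It assumes the line layout shown in the dump (time, level, thread, component, message) and that the audit message is a colon-separated event name followed by semicolon-separated KEY:VALUE pairs. It pairs each CONNECTED event with the later ENDED event for the same user and desktop, computes the duration, and keeps unmatched events (a CONNECTED with no ENDED, or an ENDED with no CONNECTED) visible in the output so that an incomplete or truncated log does not silently lose a session. The sample lines are copied from the dump above with its anonymized values.

```python
"""Build a per-desktop session audit trail from VMware View 5 Log-<Date> lines.
Hypothetical helper written for this post; assumes the line layout shown in the dump."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# "HH:MM:SS, mmm LEVEL <thread> [component] message"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}),\s*(?P<ms>\d{3})\s+(?P<level>\w+)\s+"
    r"<(?P<thread>[^>]+)>\s+\[(?P<component>[^\]]+)\]\s+(?P<msg>.*)$"
)
DESKTOP_EVENTS = ("PENDING", "CONNECTED", "ENDED")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fixed fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The log rolls at midnight, so time-of-day is enough for same-file deltas.
    rec["timestamp"] = datetime.strptime(f"{rec['time']}.{rec['ms']}", "%H:%M:%S.%f")
    return rec


def parse_audit_fields(msg: str) -> Dict[str, str]:
    """'ENDED:Server:cn=..;Pool:..;IP:..;' -> {'event': 'ENDED', 'Server': 'cn=..', ...}"""
    event, _, rest = msg.partition(":")
    fields = {"event": event}
    for pair in rest.split(";"):
        key, sep, value = pair.partition(":")
        if sep:  # skip the empty trailing element after the final ';'
            fields[key.strip()] = value.strip()
    return fields


def build_sessions(lines: List[str]) -> List[dict]:
    """Pair CONNECTED with the later ENDED for the same (user, desktop DNS name).
    Unmatched events are kept: ended_at is None for a session still open at the end
    of the log, connected_at is None for an ENDED that had no CONNECTED."""
    open_sessions: Dict[tuple, dict] = {}
    sessions: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["component"] != "Audit":
            continue
        fields = parse_audit_fields(rec["msg"])
        if fields["event"] not in DESKTOP_EVENTS:
            continue  # BROKER_LOGON/BROKER_LOGOFF carry "(SESSION:..)" first; not desktop events
        key = (fields.get("USER"), fields.get("DNS"))
        base = {"user": fields.get("USER"), "desktop": fields.get("DNS"), "ip": fields.get("IP"),
                "connected_at": None, "ended_at": None, "duration": None}
        if fields["event"] == "CONNECTED":
            base["connected_at"] = rec["timestamp"]
            open_sessions[key] = base
        elif fields["event"] == "ENDED":
            sess = open_sessions.pop(key, base)
            sess["ended_at"] = rec["timestamp"]
            if sess["connected_at"] is not None:
                sess["duration"] = rec["timestamp"] - sess["connected_at"]
            sessions.append(sess)
    sessions.extend(open_sessions.values())  # still open when the log ends
    return sessions


def format_duration(delta: timedelta) -> str:
    """Render a duration the way the DesktopTracker lines do, e.g. '5 mins 26 secs'."""
    total = int(delta.total_seconds())
    return f"{total // 60} mins {total % 60} secs"


# Sample lines copied from the dump above (anonymized lab values).
SAMPLE_LINES = [
    r"16:09:55, 024 INFO <TP-Processor3> [Audit] (SESSION:123456789ABCD) BROKER_LOGON:USER:LAB\wahl;USERSID:S-1-5-21-123456789;",
    r"16:14:49, 761 INFO <DesktopControlJMS> [Audit] PENDING:Server:cn=123456789, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=localmode, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:LOCALMODE-01.lab.lan;IP:192.168.20.35;USER:LAB\wahl;BROKERUSERSID:S-1-5-21-123456789;",
    r"16:14:55, 141 INFO <DesktopControlJMS> [Audit] CONNECTED:Server:cn=123456789, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=localmode, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:LOCALMODE-01.lab.lan;IP:192.168.20.35;USER:LAB\wahl;BROKERUSERSID:S-1-5-21-123456789;",
    r"16:15:54, 572 INFO <DesktopControlJMS> [Audit] CONNECTED:Server:cn=9e7b8dc0-c075-4534-9ed5-e64c784636b8, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=pool1, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:POOL1-02.lab.lan;IP:192.168.20.13;USER:LAB\wahl;BROKERUSERSID:S-1-5-21-123456789;",
    r"16:21:20, 817 INFO <DesktopControlJMS> [Audit] ENDED:Server:cn=9e7b8dc0-c075-4534-9ed5-e64c784636b8, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=pool1, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:POOL1-02.lab.lan;IP:192.168.20.13;USER:LAB\wahl;BROKERUSERSID:S-1-5-21-123456789;",
    r"16:21:30, 872 INFO <DesktopControlJMS> [Audit] ENDED:Server:cn=123456789, ou=servers, dc=vdi, dc=vmware, dc=int;Pool:cn=localmode, ou=server groups, dc=vdi, dc=vmware, dc=int;DNS:LOCALMODE-01.lab.lan;IP:192.168.20.35;USER:LAB\wahl;BROKERUSERSID:S-1-5-21-123456789;",
]

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_LINES):
        dur = format_duration(s["duration"]) if s["duration"] else "OPEN / UNMATCHED"
        print(f"{s['user']:<10} {s['desktop']:<22} {s['ip']:<15} {dur}")
```

Run against a real Log-<Date> file by reading its lines into build_sessions(); the two durations it reports for the dump above match the "connected for" values on the DesktopTracker lines, which is a useful cross-check that the pairing is right. Sessions that appear with no end time are the ones to look at first when auditing, since they are either still active or were cut off by the midnight log roll.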