Introduction

A co-worker asked me yesterday if I knew of a way to find out who was watching your console session inside Virtual Center.  I wasn’t quite sure what he meant by this at first.  But after doing some digging I discovered that yes you can find out who is watching your console session.  Don’t forget that security permissions that are setup correctly will eliminate these snoopers from even getting to the console in Virtual Center in the first place.

Cloak and Dagger

My co-worker was installing an application on a new virtual machine, and noticed the following alert in the Virtual Center console.  This is probably something you have seen before if you have multiple administrators working with the VI client.  Notice the warning message “Number of active connections has changed.  There are now 2 active connections to the console”:

An easy way to check who just obtained the console session is to examine your virtual machine event logs in Virtual Center.  Make sure your focus is set to the virtual machine you are working on.  The screen shot displayed below shows my personal account at the bottom, then a second intruder connecting to the console at the top!

If the user connecting to the console is unauthorized to view this specific virtual machine, I suggest terminating the session and re-evaluating your virtual center security permissions.  You also might want to have a talk with the end user (Sally) to see if there is something they need assistance with or additional training on how to navigate Virtual Center views correctly.

PowerCLI equivalent

I am constantly trying to leverage PowerCLI because of how much time you can save if you know the right commands to invoke.  I will admit I am still not much of a scripter, but I mentioned this topic on Twitter the other day and another master Power shell scripter came to my assistance.  Luc Dekens provided me with the following PowerCLI command that you can use to accomplish this same thing via Virtual Center.  Thanks again for the help Luc!

The great thing about this script is you can change the variables in case you need to go back in time further to find your perpetrator.  Make sure you substitute your actual virtual machine name in your environment where it says “TestVM”.  Make sure you are running the latest version of PowerCLI or you could potentially run into some issues.

Get-VIEvent -St (Get-Date).addhours(-2) -Ent (Get-VM TestVM)|?{$_.GetType().Name -eq “VmAcquiredMksTicketEvent”}|%{$_.Username}

Conclusion

If you are approached by an end user asking “why someone is spying on them” you now have several methods you can use to assist in your security auditing.  Start off by checking your active sessions in Virtual Center, make sure all the connected user accounts are legitimate.  Look for generic accounts or the “Administrator” account that are signed in multiple times.  Virtual Center provides some great built in logging and gives you the ability to check to see who attached to the console connection.  If you are familiar with PowerCLI, use the command listed above to quickly find out which accounts are connecting to the console.  If this becomes an ongoing problem, you might need to step back and take a look at your Virtual Center security permissions and make sure that they align with your business needs.