Need to locate last login detail and log for changes done on ESX/ESXi host

I am curious to find the culprit: who made changes to my passwd and shadow files under /etc, and how. My root ID got corrupted/renamed.

Somehow I got it recovered, but now I need to check for the culprit.

Please advise where I need to check for logs of changes made to the passwd and shadow files:

On ESX 3.5?
On ESXi 4.1?
On ESXi 5.5?

And by default, what is the date and time limit for old log files on the host that I can check?
patron, Technical consultant, Asked:

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Check all the logs in /var/log

and you may not find an actual answer as to who did what, even when they were logged in!
patron, Technical consultant, Author, Commented:
Checked for everything luck... Any specific file which will record changes made to the passwd and shadow files?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
There is no log or audit made of changes to files.

vCenter logs in to the ESXi host every 5 minutes and makes configuration changes.
patron, Technical consultant, Author, Commented:
> There is no log or audit made of changes to files.

Is this applicable for all of ESX 3.5, 4.x, 5.x?

We cannot locate who made changes to my config files like passwd, shadow, sshd_config?

Any supportive info?
Yes, there is no filesystem audit in ESXi.
VMware does not recommend keeping SSHD running on ESXi.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Correct, you will not be able to tell or find it.
One might be able to dig some crumbs from file dates and login logs (but if passwd is changed your finding ability nears zero).
We use a long random root password and reset it using host profiles as often as policies mandate (same pwd on all ESXi-s).

patron, Technical consultant, Author, Commented:
No, not for a passwd change... if someone made changes to an ID given in the passwd file, like existing ID abc renamed by someone to xyz.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Restrict the root user account to a single person!
To single person called vcenter is the best.
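
The file-date and login-log correlation mentioned earlier in the thread, as an added example that is not part of the original discussion: it lists logins that began shortly before a file's last write. The sample log lines, the regular expression and the timestamp format are constructed assumptions; adapt them to the format of the logs actually found under /var/log on the host.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a generic syslog/sshd style; real ESX/ESXi log
# formats vary by version, so LOGIN_RE is an assumption to adapt.
SAMPLE_LOG = """\
2014-03-02T09:58:41Z sshd[4121]: Accepted password for root from 10.0.0.15 port 50122 ssh2
2014-03-02T10:03:07Z sshd[4121]: Connection closed by 10.0.0.15
2014-03-02T13:20:11Z sshd[4388]: Accepted password for root from 10.0.0.22 port 50999 ssh2
2014-03-03T08:00:00Z sshd[5001]: Accepted password for admin2 from 10.0.0.15 port 51000 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+sshd\[\d+\]:\s+Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_logins(text):
    """Return (timestamp, user, source) for every successful login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group("user"), m.group("src")))
    return events


def file_mtime_utc(path):
    """Last-write time of a file as a naive UTC datetime."""
    ts = os.stat(path).st_mtime
    return datetime.fromtimestamp(ts, timezone.utc).replace(tzinfo=None)


def candidates(events, mtime, window=timedelta(hours=1)):
    """Logins that began within `window` before the last write, nearest first."""
    hits = [e for e in events if timedelta(0) <= mtime - e[0] <= window]
    return sorted(hits, key=lambda e: mtime - e[0])


if __name__ == "__main__":
    # Constructed mtime; on a copy of the host's files use file_mtime_utc(path).
    mtime = datetime(2014, 3, 2, 13, 31, 0)
    for ts, user, src in candidates(parse_logins(SAMPLE_LOG), mtime):
        print(f"{ts}Z  {user} from {src}  ({mtime - ts} before last write)")
```

A file's modification time records only its most recent write, so a match narrows the list of sessions to look at rather than identifying who made the change.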