Tracking adminstrator@vsphere.local Logins with Aria Operations for Logs

If you're using Aria Operations for Logs and have installed the vSphere Content Pack, you'll notice dozens of Dashboards, Queries, Alerts, and more!

I'm interested in users logging into my vCenters, specifically those logging in with adminstrator@vsphere.local. There's a Dashboard that gets close: VMware - vSphere: Security - Authentication.

I'm interested in the vCenter Server authentication events bottom left, let's look at the Query.

Click the icon top right that says "Open in Explore Logs page".

This is close to what I want, just need to filter on vc_username vsphere.local\Administrator.

Let's save this Query as a favorite.

We'll now have this Query available to us at any time via the Star dropdown.

Now, let's create an Alert (and Notification) on this Query.

Select Create Alert from Query...

I've given the Alert a Name and Description up top and as you can see the Query we created before is being used. I've adjusted the Trigger Conditions "group by" to be just a subset of the fields returned by the query, I don't want my Alert (or email) to be too busy. This is also where you configure the email destination (and Webhook if you'd like). My emails look like this.

Finally, I'm also sending this Alert over to Aria Operations.

Over in Aria Operations, it looks like this.

Operations for Logs Dashboards, Queries, and Alerts are powerful, enjoy!