  • Brock Peterson

Track vCenter Logins with Aria Operations for Logs

You have dozens of vCenters and want to track logins across your estate. Enter Aria Operations for Logs! We won't discuss deployment here, but it's pretty straightforward. Once deployed, go to Integration - vSphere and add your vCenters.

Here you can see I've configured three vCenters (and their ESXi Hosts) to send their events, tasks, and alarms (and ESXi Host Syslog) to Aria Operations for Logs. Click the pencil next to a vCenter to see details.

Click the information bubble to see a bit more detail about what we're collecting. When configuring your vCenter connections, you can also tag logs upon ingestion. I've tagged mine "product=vmware", which lets me use that tag in queries later on.

Once you've configured your vCenter connections, we'll use the vSphere Content Pack to explore the vCenter and ESXi Hosts logs.

The vSphere Content Pack comes out-of-the-box and provides Dashboards, Queries, Alerts, Agent Groups, and Extracted Fields. Exploring the Dashboards gives us a feel for what data is being explored.

The Security - Authentication Dashboard gives us visibility into authentication requests, failed login attempts, logins, authentication events, and more. The vCenter Server authentication events widget is the most interesting to me for tracking vCenter logins, so let's explore it.

The information bubble top right tells you about the widget itself.

Clicking the little out arrow to the left of the information bubble launches the query providing the data in Explore Logs.

You can configure whatever columns you want, but you'll see the text of the event, the source, the vCenter Event Type, the username, the vCenter, and more. The most important part of this query is the vCenter Event Type (com.vmware.vim25.userloginsessionevent), which is the vCenter login event type. For a comprehensive list of vCenter Events, check this blog.

You can now adjust your query to watch certain IPs, users, and more. You can also create Alerts based on these Events, send them over to Aria Operations, or notify directly out from Aria Operations for Logs itself. And we can do this for any vCenter event type, any ESXi Host Syslog event, literally any log Aria Operations for Logs is aware of.
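The same "watch certain IPs and users" idea can also be applied offline to exported login events. The following is an added example, not code from the original post or from VMware. The record keys, the message layout, the host names and the addresses are assumptions constructed for illustration; only the event type string comes from the post.

```python
import ipaddress
import re

# Event type named in the post; everything else below is an assumption.
LOGIN_EVENT_TYPE = "com.vmware.vim25.userloginsessionevent"
# Assumed login message shape: "User <user>@<source-ip> logged in as <agent>"
LOGIN_RE = re.compile(r"User (?P<user>\S+)@(?P<ip>[0-9A-Fa-f.:]+) logged in as ")

# Constructed sample records. The keys are hypothetical export field names.
SAMPLE_EVENTS = [
    {"vcenter": "vc01.example.test", "event_type": LOGIN_EVENT_TYPE,
     "text": r"User VSPHERE.LOCAL\Administrator@10.20.0.15 logged in as web-client"},
    {"vcenter": "vc01.example.test", "event_type": LOGIN_EVENT_TYPE,
     "text": r"User CORP\jdoe@10.20.0.31 logged in as web-client"},
    {"vcenter": "vc02.example.test", "event_type": LOGIN_EVENT_TYPE,
     "text": r"User CORP\jdoe@192.0.2.44 logged in as script-client"},
    {"vcenter": "vc02.example.test", "event_type": "com.vmware.vim25.userlogoutsessionevent",
     "text": r"User CORP\jdoe@192.0.2.44 logged out"},
    {"vcenter": "vc03.example.test", "event_type": LOGIN_EVENT_TYPE,
     "text": "login event with an unexpected layout"},
]

def review_logins(events, allowed_nets, watched_users=()):
    """Return one finding per login event that needs a second look."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    watched = {u.lower() for u in watched_users}
    findings = []
    for ev in events:
        if ev.get("event_type", "").lower() != LOGIN_EVENT_TYPE:
            continue  # only login events are of interest here
        m = LOGIN_RE.search(ev.get("text", ""))
        try:
            ip = ipaddress.ip_address(m["ip"]) if m else None
        except ValueError:
            ip = None
        if ip is None:
            # A login event that fails to parse is reported, never dropped silently.
            findings.append({"vcenter": ev.get("vcenter"), "user": None,
                             "ip": None, "reasons": ["unparsed login event"]})
            continue
        reasons = []
        if not any(ip in net for net in nets):
            reasons.append("source outside allowed networks")
        if m["user"].lower() in watched:
            reasons.append("watched account")
        if reasons:
            findings.append({"vcenter": ev.get("vcenter"), "user": m["user"],
                             "ip": str(ip), "reasons": reasons})
    return findings
```

Calling `review_logins(SAMPLE_EVENTS, ["10.20.0.0/24"], [r"VSPHERE.LOCAL\Administrator"])` returns three findings: the watched account, the login from outside the management network, and the record that could not be parsed.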


