LoFP / administrators may access these files for initial setup or troubleshooting. limited in most environments. tune as needed.

`esxi_syslog` Message="*shell[*" Message IN ("*/etc/shadow*","*/etc/vmware/hostd/hostd.xml*", "*/etc/vmware/vpxa/vpxa.cfg*","*/etc/sfcb/sfcb.cfg*","*/etc/security/*", "*/etc/likewise/krb5-affinity.conf*","*/etc/vmware-vpx/vcdb.properties*") 
| rex field=_raw "\]: \[(?<user>\w+)\]:(?<command>.+)" 
| rex field=_raw "Z (?<dest>[\w\.]+)\s" 
| stats min(_time) as firstTime max(_time) as lastTime count by dest user command 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `esxi_sensitive_files_accessed_filter`