Tuesday, July 16, 2013

VMware: vCenter find who deleted a VM

Today I need to check who deleted a Virtual Machine from our vCenter. Looking this task in logs can be painful and spend lot of time, so the best way to check this is in the vCenter DB.

Just connect to vCenter DB(in our case was VCDB and using SQL Server Management Studio) and run a small query and you will have all the information.

Query:

###########
SELECT CREATE_TIME, USERNAME, VM_NAME, HOST_NAME, EVENT_TYPE FROM VCDB.DBO.VPX_EVENT WHERE EVENT_TYPE = 'vim.event.VmRemovedEvent'
AND VM_NAME = 'VMNAME'
###########

Where the VMNAME is the name of your Virtual Machine that was deleted.

If you don't know the full name of the VM, you can just use wildcards(AND VM_NAME LIKE 'VM%'). This will show all results from all Virtual Machines that start with 'VM'.
You can use many different wildcards to look for the right result. Please check Microsoft KBQ98434 how to use wildcards.

Using VPX_EVENT you can query lot of events/tasks that was performed on VMs/Hosts.

Example:

vim.event.VmPoweredOffEvent - Virtual Machines that were Poweroff(without using Guest Powerdown)

Hope this can help.

Luciano Patrão

No comments:

Post a Comment