vCenter Troubleshooting TIPS - How to find who deleted a VM
vExpert vSAN, NSX, Cloud Provider, Veeam Vanguard, Virtual Backups, and Storage design, and an active blogger.
Published:
Browse All Articles > vCenter Troubleshooting TIPS - How to find who deleted a VM
If we need to check who deleted a Virtual Machine from our vCenter. Looking this task in logs can be painful and spend lot of time, so the best way to check this is in the vCenter DB.
Just connect to vCenter DB(default DB should be VCDB and using SQL Server Management Studio) and run a small query and you will have all the information.
Query:
Where the VMNAME is the name of your Virtual Machine that was deleted.
If you don't know the full name of the VM, you can just use wildcards( AND VM_NAME LIKE 'VM%'). This will show all results from all Virtual Machines that start with 'VM'.
You can use many different wildcards to look for the right result. Please check Microsoft KBQ98434 how to use wildcards.
Using VPX_EVENT you can query lot of events/tasks that was performed on VMs/Hosts.
Example:
vim.event.VmPoweredOffEvent - Virtual Machines that were Poweroff(without using Guest Powerdown)
We can also use the same query using PowerShell Script o check events.
Example(VM created)
You should get something like this
You can also list the last VMs deleted, or any other event(just change the event id for the event you want to list).
You can consult all machine events and that can be used in the above query/script VMware vSphere API Reference Documentation
Hope this can help.
This is the second of "TIP Articles" that I plan to write when I have some time. So, please vote "Helpful" on this Article. And I encourage your comments and feedback.
Just connect to vCenter DB(default DB should be VCDB and using SQL Server Management Studio) and run a small query and you will have all the information.
Query:
SELECT CREATE_TIME, USERNAME, VM_NAME, HOST_NAME, EVENT_TYPE FROM VCDB.DBO.VPX_EVENT WHERE EVENT_TYPE = 'vim.event.VmRemovedEvent'
AND VM_NAME = 'VMNAME'
Where the VMNAME is the name of your Virtual Machine that was deleted.
If you don't know the full name of the VM, you can just use wildcards( AND VM_NAME LIKE 'VM%'). This will show all results from all Virtual Machines that start with 'VM'.
You can use many different wildcards to look for the right result. Please check Microsoft KBQ98434 how to use wildcards.
Using VPX_EVENT you can query lot of events/tasks that was performed on VMs/Hosts.
Example:
vim.event.VmPoweredOffEven
We can also use the same query using PowerShell Script o check events.
Example(VM created)
Get-VM -Name 'VMNAME' | Get-VIEvent -Types Info | Where {$_.GetType().Name -eq "VmCreatedEvent"}
Select UserName, CreatedTime, FullFormattedMessage | FT -AutoSize
You should get something like this
Template : False
Key : 13264809
ChainId : 13264804
CreatedTime : 5/9/2014 16:21:16
UserName : DOMAIN\USER
Datacenter : VMware.Vim.DatacenterEventArgument
ComputeResource : VMware.Vim.ComputeResourceEventArgument
Host : VMware.Vim.HostEventArgument
Vm : VMware.Vim.VmEventArgument
Ds :
Net :
Dvs :
FullFormattedMessage : Virtuelle Maschine VMNAME auf HOSTNAME in DatacenterNAME erstellt.
ChangeTag :
DynamicType :
DynamicProperty :
You can also list the last VMs deleted, or any other event(just change the event id for the event you want to list).
You can consult all machine events and that can be used in the above query/script VMware vSphere API Reference Documentation
Hope this can help.
This is the second of "TIP Articles" that I plan to write when I have some time. So, please vote "Helpful" on this Article. And I encourage your comments and feedback.
vExpert vSAN, NSX, Cloud Provider, Veeam Vanguard, Virtual Backups, and Storage design, and an active blogger.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)