vCenter Troubleshooting TIPS - How to find who deleted a VM

If we need to check who deleted a Virtual Machine from our vCenter. Looking this task in logs can be painful and spend lot of time, so the best way to check this is in the vCenter DB.

Just connect to vCenter DB(default DB should be VCDB and using SQL Server Management Studio) and run a small query and you will have all the information.

Query:

 

SELECT CREATE_TIME, USERNAME, VM_NAME, HOST_NAME, EVENT_TYPE FROM VCDB.DBO.VPX_EVENT WHERE EVENT_TYPE = 'vim.event.VmRemovedEvent'
AND VM_NAME = 'VMNAME'

Select all Open in new window

Where the VMNAME is the name of your Virtual Machine that was deleted.

If you don't know the full name of the VM, you can just use wildcards(AND VM_NAME LIKE 'VM%'). This will show all results from all Virtual Machines that start with 'VM'.
You can use many different wildcards to look for the right result. Please check Microsoft KBQ98434 how to use wildcards.

Using VPX_EVENT you can query lot of events/tasks that was performed on VMs/Hosts.

Example:
vim.event.VmPoweredOffEvent - Virtual Machines that were Poweroff(without using Guest Powerdown)

We can also use the same query using PowerShell Script o check events.

Example(VM created)

 

Get-VM -Name 'VMNAME' | Get-VIEvent -Types Info | Where {$_.GetType().Name -eq "VmCreatedEvent"}
Select UserName, CreatedTime, FullFormattedMessage | FT -AutoSize

Select all Open in new window

You should get something like this

 

Template             : False
Key                  : 13264809
ChainId              : 13264804
CreatedTime          : 5/9/2014 16:21:16
UserName             : DOMAIN\USER
Datacenter           : VMware.Vim.DatacenterEventArgument
ComputeResource      : VMware.Vim.ComputeResourceEventArgument
Host                 : VMware.Vim.HostEventArgument
Vm                   : VMware.Vim.VmEventArgument
Ds                   : 
Net                  : 
Dvs                  : 
FullFormattedMessage : Virtuelle Maschine VMNAME auf HOSTNAME in DatacenterNAME erstellt.
ChangeTag            : 
DynamicType          : 
DynamicProperty      : 

Select all Open in new window

You can also list the last VMs deleted, or any other event(just change the event id for the event you want to list).


You can consult all machine events and that can be used in the above query/script VMware vSphere API Reference Documentation

Hope this can help.

This is the second of "TIP Articles" that I plan to write when I have some time. So, please vote "Helpful" on this Article. And I encourage your comments and feedback.