Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 512
  • Last Modified:

folder with permissions in vc

hi,

if someone deletes user/group with permissions on say for
example a virtual machine folder....... which log file will this be recorded in?

is there anyway i can check who or when someone removed it?

thank you
0
LuiChen
Asked:
LuiChen
  • 5
  • 5
  • 3
  • +1
2 Solutions
 
coolsport00Commented:
Check the Tasks/Events tab in vCenter.

~coolsport00
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
check the events in vcenter to see if anthing was recorded.

0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
otherwise you would have to inspect the logs on the vcenter server.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
coolsport00Commented:
If that doesn't show anything, log into vCenter and click on File -> Export -> Export System Logs and see if that shows anything.

~cooslport00
0
 
LuiChenAuthor Commented:
thanks for the fast replys:

i could not see anything in tasks and events.

i got logs already but dont know where exactly to search in them !

is it pointless trying to locate it ???

0
 
coolsport00Commented:
Well, the logs more than likely won't show it. I'm thinking it doesn't show that kind of info. I'm not sure of any other 3rd party utility that could give that info either if you were to implement in your infrastructure...

~coolsport00
0
 
coolsport00Commented:
If you open your logs, just do a 'search' for "remove" or "delete" or something like that, and maybe about the timeframe you think it happened.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
to be honest this could one of the audit trail holes which exists.

just check if any user ids are recorded in logs, quick search.

you may not find any record.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
without knowing the full events, you may be able to possibly suspect someone, but hard evidence may be difficult to prove.
0
 
LuiChenAuthor Commented:

well i might do a quick search again 2moro..!

thanks anyway
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
no problems, its one our many holes in vcenter management.
0
 
coolsport00Commented:
keep us posted if you find anything...
0
 
Danny McDanielClinical Systems AnalystCommented:
the tasks/events data drops off in the client after 24 hours or something like that.  The entries all go in the database, though, but I'm not sure if there's an easy way to view it.  There is a setting under Administration | vCenter Server settings | Database Retention Policy for how long to keep the entries in the db, too, so if someone has dropped that number down; the data could have already been dropped.

the tables are vpx_event and vpx_task so if you're comfortable with your db, you could view/query the tables directly and see if that gives you the information you want.
0
 
Danny McDanielClinical Systems AnalystCommented:
http://communities.vmware.com/thread/258967?tstart=0 has some talk about using PowerCLI to query for task info.
0
 
LuiChenAuthor Commented:
yeah,

file export system/user logs
or
query the db directly

didn't get chance to do it but they are probably the
easiest way!!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 5
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now