Who deleted my VM ?
Today I had a colleague come to me and say someone had deleted his VM, he didn’t know when and thinks it may have been a couple of months ago, he didn’t know which host or which datastore it was in. could I tell him when and who. Hmmmm, time to start trawling through the logs I thought.
A quick Twit from @stahler told me that this would be in the Virtual Center Database so, here is a quick powershell which I used to find the culprit…
# Fill in the following information:$SqlServer = "MYDBSERVER";$SqlDB = "VMwareDataBase";$MYVM = "TESTSERVER1"$TypeofEvent = "vim.event.VmRemovedEvent"# The vim.event.VmRemovedEvent is a Removed action from VC you can also use :# vim.event.VmGuestShutdownEvent# vim.event.VmPoweredOffEvent# vim.event.VmConnectedEventFunction Read-VIDB ($SqlQuery){ # Setup SQL Connection $SqlConnection = New-Object System.Data.SqlClient.SqlConnection $SqlConnection.ConnectionString = "Server = $SqlServer; Database = $SqlDB; Integrated Security = True" # Setup SQL Command $SqlCmd = New-Object System.Data.SqlClient.SqlCommand $SqlCmd.CommandText = $SqlQuery $SqlCmd.Connection = $SqlConnection # Setup .NET SQLAdapter to execute and fill .NET Dataset $SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter $SqlAdapter.SelectCommand = $SqlCmd $DataSet = New-Object System.Data.DataSet #Execute and Get Row Count $nRecs = $SqlAdapter.Fill($DataSet) if ($nRecs -gt 0) { # Do Stuff $dataSet.Tables | Select-Object -Expand Rows }} $SqlQuery = "SELECT CREATE_TIME, USERNAME, VM_NAME, HOST_NAME, EVENT_TYPE FROM VMWareDS.VPX_EVENT WHERE (VM_NAME = N'$MYVM') AND (EVENT_TYPE = '$TypeofEvent')"$MyResults = Read-VIDB $SqlQuery$MyResults
Getting Windows SharePoint Services and Microsoft Search Server 2008 Express to index PowerShell script (.PS1) files Detailed VMware Host Network Information
Is it possible to read the information from the vc directly ? Like:
$results = Get-VM | Get-VIEvent -maxsamples 10000 -Start (Get-Date).AddDays(-1) | where {$_.fullformattedmessage -eq “Aufgabe: Virtuelle Maschine ausschalten” -or $_.fullformattedmessage -eq “Aufgabe: Herunterfahren des Gastbetriebssystems initiiert.”} | Sort CreatedTime -Descending | select createdtime, username, vm, fullformattedmessage
foreach ($result in $Results) {
$Details=”" | select createdtime, username, vm, fullformattedmessage
$Details.createdtime = $result.createdtime
$Details.username = $result.username
$Details.vm = $result.vm.name
$Details.FullFormattedMessage = $result.fullformattedMessage
}
$details | Export-csv -NoTypeInformation ‘C:\TEMP\shutdown.csv’
I want to read out which user shutdown which vm at which time
Yes it would
Thanks for the quick answer…
This script like posted before did not run.
Have it done now with an direct script into excel..
I found that when i migrate a VM guest from a host to another host a event is logged saying : Migrated from host ESX1 to ESX2
When i do datastore migration and i leave the host the same I get the following log:
Migrated from host esx1 to esx1 but i cant find to which datastore it was moved?
is there a way to get that info?
Got a tricky question about something similar:
I want to find out, which user moved a folder to another folder. (even if the event is out of the max 1000 events in the client view)
The problem is, that i see in events and tasks: “user moved to target” without “what” he moved…
With the get-vievent cmdlet i only receive a “Task: move entity”, but no folder or something and also no target
How can i achive this ?