Who deleted my VM ?

Today I had a colleague come to me and say someone had deleted his VM, he didn’t know when and thinks it may have been a couple of months ago, he didn’t know which host or which datastore it was in. could I tell him when and who. Hmmmm, time to start trawling through the logs I thought.

A quick Twit from @stahler told me that this would be in the Virtual Center Database so, here is a quick powershell which I used to find the culprit…

# Fill in the following information:
$SqlServer = "MYDBSERVER";
$SqlDB = "VMwareDataBase";
$MYVM = "TESTSERVER1"
$TypeofEvent = "vim.event.VmRemovedEvent"
# The vim.event.VmRemovedEvent is a Removed action from VC you can also use :
# vim.event.VmGuestShutdownEvent
# vim.event.VmPoweredOffEvent
# vim.event.VmConnectedEvent

Function Read-VIDB ($SqlQuery)
{
# Setup SQL Connection
$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
$SqlConnection.ConnectionString = "Server = $SqlServer; Database = $SqlDB; Integrated Security = True"

# Setup SQL Command
$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$SqlCmd.CommandText = $SqlQuery
$SqlCmd.Connection = $SqlConnection

# Setup .NET SQLAdapter to execute and fill .NET Dataset
$SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
$SqlAdapter.SelectCommand = $SqlCmd
$DataSet = New-Object System.Data.DataSet

#Execute and Get Row Count
$nRecs = $SqlAdapter.Fill($DataSet)

if ($nRecs -gt 0)
{
# Do Stuff
$dataSet.Tables | Select-Object -Expand Rows
}
}

$SqlQuery = "SELECT CREATE_TIME, USERNAME, VM_NAME, HOST_NAME, EVENT_TYPE FROM VMWareDS.VPX_EVENT WHERE (VM_NAME = N'$MYVM') AND (EVENT_TYPE = '$TypeofEvent')"
$MyResults = Read-VIDB $SqlQuery
$MyResults

13 thoughts on “Who deleted my VM ?”

Yash July 21, 2022 at 01:11

This does not seem to work with vCenter server 6.7. we have an instance with Embedded PostgreSQL ,
and I am getting this error :

========
Exception calling “Fill” with “1” argument(s): “A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is
configured to allow remote connections. (provider: Named Pipes Provider, error: 40 – Could not open a connection to SQL Server)”

+ $nRecs = $SqlAdapter.Fill($DataSet)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SqlException
========

can someone please provide an updated version of this script ?

KERR July 31, 2017 at 22:13

Looks like the formatting is messed up with HTML for the command, would you mind re-posting it? Thanks

metallica911 May 19, 2015 at 15:52

how to add sql login in this script
thanks

Andy October 4, 2013 at 17:32

Sorry Sai… I never found a fix to this error.
Andy

saikrishna September 25, 2013 at 09:21

Andy,

Did you find any answer for this, im getting a similar error.

-Sai

Anil August 24, 2013 at 04:22

Alan, one of our customer VMs were destroyed one day without any idea. We suspect someone involved. it is running on ESX 5. We got the logs from ESX. We are looking into hostd log. How can I deter mine which user / IP connected, powered off, dismounted and destroyed VMs? Do we have nay tool that analyze the Logs
Thanks in advance.

Aswini May 20, 2013 at 05:43

use below in line37 $SqlQuery = “SELECT CREATE_TIME, USERNAME, VM_NAME, HOST_NAME, EVENT_TYPE FROM dbo.VPX_EVENT WHERE (VM_NAME = N’$MYVM’) AND (EVENT_TYPE = ‘$TypeofEvent’)” to track the delete VM details

Andy March 23, 2013 at 04:09

I get an error on line 28 when I run this….”Exception calling “fill” with “1” argument”
Any ideas?

René February 9, 2011 at 17:42

Got a tricky question about something similar:
I want to find out, which user moved a folder to another folder. (even if the event is out of the max 1000 events in the client view)
The problem is, that i see in events and tasks: “user moved to target” without “what” he moved…
With the get-vievent cmdlet i only receive a “Task: move entity”, but no folder or something and also no target 🙁

How can i achive this ?

Alen October 13, 2010 at 12:20

I found that when i migrate a VM guest from a host to another host a event is logged saying : Migrated from host ESX1 to ESX2

When i do datastore migration and i leave the host the same I get the following log:
Migrated from host esx1 to esx1 but i cant find to which datastore it was moved?

is there a way to get that info?

René March 19, 2010 at 18:00

Thanks for the quick answer…
This script like posted before did not run.

Have it done now with an direct script into excel..

Virtu-Al March 19, 2010 at 16:09

Yes it would

René March 19, 2010 at 16:07

Is it possible to read the information from the vc directly ? Like:
$results = Get-VM | Get-VIEvent -maxsamples 10000 -Start (Get-Date).AddDays(-1) | where {$_.fullformattedmessage -eq “Aufgabe: Virtuelle Maschine ausschalten” -or $_.fullformattedmessage -eq “Aufgabe: Herunterfahren des Gastbetriebssystems initiiert.”} | Sort CreatedTime -Descending | select createdtime, username, vm, fullformattedmessage

foreach ($result in $Results) {
$Details=”” | select createdtime, username, vm, fullformattedmessage
$Details.createdtime = $result.createdtime
$Details.username = $result.username
$Details.vm = $result.vm.name
$Details.FullFormattedMessage = $result.fullformattedMessage
}
$details | Export-csv -NoTypeInformation ‘C:\TEMP\shutdown.csv’

I want to read out which user shutdown which vm at which time

Yash July 21, 2022 at 01:11

This does not seem to work with vCenter server 6.7. we have an instance with Embedded PostgreSQL ,
and I am getting this error :

========
Exception calling “Fill” with “1” argument(s): “A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is
configured to allow remote connections. (provider: Named Pipes Provider, error: 40 – Could not open a connection to SQL Server)”

+ $nRecs = $SqlAdapter.Fill($DataSet)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : SqlException
========

can someone please provide an updated version of this script ?
KERR July 31, 2017 at 22:13

Looks like the formatting is messed up with HTML for the command, would you mind re-posting it? Thanks
metallica911 May 19, 2015 at 15:52

how to add sql login in this script
thanks
Andy October 4, 2013 at 17:32

Sorry Sai… I never found a fix to this error.
Andy
saikrishna September 25, 2013 at 09:21

Andy,

Did you find any answer for this, im getting a similar error.

-Sai
Anil August 24, 2013 at 04:22

Alan, one of our customer VMs were destroyed one day without any idea. We suspect someone involved. it is running on ESX 5. We got the logs from ESX. We are looking into hostd log. How can I deter mine which user / IP connected, powered off, dismounted and destroyed VMs? Do we have nay tool that analyze the Logs
Thanks in advance.
Aswini May 20, 2013 at 05:43

use below in line37 $SqlQuery = “SELECT CREATE_TIME, USERNAME, VM_NAME, HOST_NAME, EVENT_TYPE FROM dbo.VPX_EVENT WHERE (VM_NAME = N’$MYVM’) AND (EVENT_TYPE = ‘$TypeofEvent’)” to track the delete VM details
Andy March 23, 2013 at 04:09

I get an error on line 28 when I run this….”Exception calling “fill” with “1” argument”
Any ideas?
René February 9, 2011 at 17:42

Got a tricky question about something similar:
I want to find out, which user moved a folder to another folder. (even if the event is out of the max 1000 events in the client view)
The problem is, that i see in events and tasks: “user moved to target” without “what” he moved…
With the get-vievent cmdlet i only receive a “Task: move entity”, but no folder or something and also no target 🙁

How can i achive this ?
Alen October 13, 2010 at 12:20

I found that when i migrate a VM guest from a host to another host a event is logged saying : Migrated from host ESX1 to ESX2

When i do datastore migration and i leave the host the same I get the following log:
Migrated from host esx1 to esx1 but i cant find to which datastore it was moved?

is there a way to get that info?
René March 19, 2010 at 18:00

Thanks for the quick answer…
This script like posted before did not run.

Have it done now with an direct script into excel..
Virtu-Al March 19, 2010 at 16:09

Yes it would
René March 19, 2010 at 16:07

Is it possible to read the information from the vc directly ? Like:
$results = Get-VM | Get-VIEvent -maxsamples 10000 -Start (Get-Date).AddDays(-1) | where {$_.fullformattedmessage -eq “Aufgabe: Virtuelle Maschine ausschalten” -or $_.fullformattedmessage -eq “Aufgabe: Herunterfahren des Gastbetriebssystems initiiert.”} | Sort CreatedTime -Descending | select createdtime, username, vm, fullformattedmessage

foreach ($result in $Results) {
$Details=”” | select createdtime, username, vm, fullformattedmessage
$Details.createdtime = $result.createdtime
$Details.username = $result.username
$Details.vm = $result.vm.name
$Details.FullFormattedMessage = $result.fullformattedMessage
}
$details | Export-csv -NoTypeInformation ‘C:\TEMP\shutdown.csv’

I want to read out which user shutdown which vm at which time

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Virtu-Al.Net

Virtually everything is POSHable

13 thoughts on “Who deleted my VM ?”

Leave a Reply