Determining which user removed or deleted a virtual machine

Article ID: 316569

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to determine which user deleted a virtual machine or removed a virtual machine from the vCenter Server inventory.

Environment

  • VMware vCenter Server 6.0.x
  • VMware vCenter Server 6.5.x
  • VMware vCenter Server 6.7.x
  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 8.0.x

Resolution

Note: To determine which user removed or deleted a virtual machine, check the vCenter Server Events tab for the host or cluster on which the virtual machine resided.

    1. Starting from vSphere 6.5 and later
    2. SSH to the ESXi host on which the VM formerly resided.
    3. Grep for "Destroy VM called" in the hostd.log files. You see an entry like:
      # cd /var/run/log/
      # grep -i "Destroy VM called" hostd.*
      
      ####-##-#####:##:##.###Zinfo hostd[2098595] [Originator@6876 sub=Vbsvc.vm:/vmfs/volumes/5bfebala-########-####-##########da/<vm object name>.vmx opID=<generated alphanumeric opID name> user=vpxuser <domain\username> Destroy VM called
    4. Check the username in the "Destroy VM called" line; it states the user who performed this task.

      1. <domain\username> will be the user who removed or deleted the virtual machine.
      2. <generated alphanumeric opID name> will be the ID that was created for this specific task.
      3. <vm object name> will be the name of the .vmx file that was affected.

    5. To check from the vCenter logs, SSH into the vCenter.
    6. Grep for "Removing VirtualMachine". You see an entry like:

      # cd /var/log/vmware/
      # cd vsphere-ui/logs
      # grep -i "Removing VirtualMachine" vsphere_client_virgo.log
      
      vsphere_client_virgo_####-##-##_###.log:107964:[####-##-##T16:1:##:.###-##::##] [INFO ] io-127.0.0.1-5090-exec-13965 ##############5 com.vmware.vsphere.client.vm.impl.VmMutationProvider              Removing VirtualMachine: ManagedObjectReference: type = VirtualMachine, value = vm-1432, serverGuid = ######-###-####-####-##########
    7. The above output gives the timestamp at which the VMs were deleted.
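
The hostd.log check in steps 2 to 4, as an added example (not part of the original article or of VMware's tooling): a shell function that turns each "Destroy VM called" line into tab-separated timestamp, user, opID and .vmx path. The sample lines are constructed, and the `user=vpxuser:<name>]` and `user=root]` layouts are assumptions that the article's masked sample does not show.

```shell
#!/bin/sh
# Added example: list "Destroy VM called" events from hostd.log as TSV.
# Output columns: timestamp, user, opID, .vmx path.
# Function names are hypothetical; pass log files as arguments or pipe lines in.

parse_destroy_events() {
    awk '
    /Destroy VM called/ {
        line = $0; ts = $1; vmx = ""; opid = ""; user = "-"
        s = index(line, "sub="); o = index(line, " opID="); u = index(line, " user=")
        if (s && o > s) {
            # Path runs from the first ":" after sub= up to " opID=";
            # it is taken by position because it may contain spaces.
            vmx = substr(line, s + 4, o - s - 4)
            sub(/^[^:]*:/, "", vmx)
        }
        if (o) {
            opid = substr(line, o + 6)
            sub(/ .*$/, "", opid); sub(/\]$/, "", opid)
        }
        if (u) {
            user = substr(line, u + 6)
            sub(/\]? *Destroy VM called.*$/, "", user)
            # "vpxuser <name>": keep only the named user.
            # A value with nothing after it (bare "vpxuser", "root") is kept as is.
            sub(/^vpxuser[: ]+/, "", user)
        }
        printf "%s\t%s\t%s\t%s\n", ts, user, opid, vmx
    }' "$@"
}

# Constructed sample lines (not real log data). The sub= name is copied from
# the article's sample; the parser does not depend on it.
sample_hostd_lines() {
    cat <<'EOF'
2024-01-15T10:22:31.123Z info hostd[2098595] [Originator@6876 sub=Vbsvc.vm:/vmfs/volumes/ds-constructed/web01/web01.vmx opID=abc123-de-f0 user=vpxuser EXAMPLE\jdoe Destroy VM called
2024-01-15T10:25:02.456Z info hostd[2098595] [Originator@6876 sub=Vbsvc.vm:/vmfs/volumes/ds-constructed/db 02/db 02.vmx opID=def456-aa-01 user=vpxuser:EXAMPLE\asmith] Destroy VM called
2024-01-15T10:26:00.000Z info hostd[2098595] [Originator@6876 sub=Vbsvc.vm:/vmfs/volumes/ds-constructed/web01/web01.vmx] unrelated constructed message
2024-01-15T10:30:40.789Z info hostd[2098601] [Originator@6876 sub=Vbsvc.vm:/vmfs/volumes/ds-constructed/test/test.vmx opID=0a1b2c3d user=root] Destroy VM called
EOF
}

# Demo on the constructed lines; on a host, call it with the log files instead:
#   cd /var/run/log && parse_destroy_events hostd.log
sample_hostd_lines | parse_destroy_events
```

Rotated hostd logs that are gzip-compressed need to be decompressed and piped in, since awk reads them as binary otherwise.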

Additional Information