Determining which user removed or deleted a virtual machine
search cancel

Determining which user removed or deleted a virtual machine

book

Article ID: 316569

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to determine which user deleted a virtual machine or removed a virtual machine from the vCenter Server inventory.


Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.0.x
VMware vCenter Server 6.7.x

Resolution

To determine which user removed or deleted a virtual machine, check the vCenter Server Events tab for the host or cluster on which the virtual machine resided.
 

Regarding vSphere 6.5 and later 

  1. SSH to the ESXi host where the VM formerly resided on
  2. Check hostd.log file on directory /var/log
  3. Grep on word "Destroy VM called" on the  file you see an entry like:

          #grep -i "Destroy VM called" hostd.*

2020-05-04112:53:23.524Z info hostd[2098595] [Originator@6876 sub=Vbsvc.vm:/vmfs/volumes/5bfebala-########-####-##########da/<vm object name>.vmx opID=<generated alphanumeric opID name> user=vpxuser <domain\username> Destroy VM called 


Check the username in "Destroy VM called" Line, it will state the user who performed this task.

  • <domain\username> will be the user who removed or deleted the virtual machine.
  • <generated alphanumeric opID name> will be the ID that created for this specific task.
  • <vm object name> will be name of the .vmx file that was affected.

Additional Information

Powered by Wolken Software