This article provides steps to determine which user account and IP address initiated a clone task for a virtual machine from the vCenter Server.
Look for the corresponding task in /var/log/vmware/vpxd/vpxd.log.
Example below:
YYYY-MM-DDThh:mm:ss.###Z info vpxd[####] [Originator@#### sub=VmProv opID=######-####-auto-50cs-h5:######-##-##] Local-VC Host Full Clone of poweredOff VM '<vm_name>' (<vm-ID>, ds:///vmfs/volumes/#########-#######-######/<vm_name>/<vm_name>.vmx) to new name <new_vm_name> on <host_id> (<host_ip>) in pool resgroup-#### with ds ds:///vmfs/volumes/#######-##-##/ to <host_name> (<host_ip>) in pool resgroup-#### with ds ds:///vmfs/volumes/########-######-######/
YYYY-MM-DDThh:mm:ss.###Z info vpxd[#####] [Originator@#### sub=InvtId opID=######-######-auto-50cs-h5:########-##-##] [VmFileAccess] Operation: Copy, SrcFile: ds:///vmfs/volumes/########-#######-######/<vm_name>/<vm_name>.vmdk, DstFile: ds:///vmfs/volumes/########-#######-######/<vm_name>/<vm_name>.vmdk, User: <domain/username>, ClientIP: 127.0.0.1
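-- In the above entry, the User field shows the username that initiated the task. The ClientIP recorded here is 127.0.0.1, so the originating address has to be taken from the access logs below.
At the same timestamp, check for the clone task in /var/log/vmware/vsphere-ui/logs/access/localhost_access_log.txt: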
127.0.0.1 <192.168.0.0> - - [DD/MMM/YYYY:hh:mm:ss ] "POST /ui/mutation/add?propertyObjectType=com.vmware.vsphere.client.vm.VmCloneSpec HTTP/1.1" ### ### ###### ######## http-nio-127.0.0.1-####-exec-### ##
-- In the above entry, <192.168.0.0> is the IP address from which the task was initiated.
At the same timestamp, check for similar entries in the /var/log/vmware/envoy/envoy-access.log:
YYYY-MM-DDThh:mm:sss.###Z info envoy[2524] [Originator@#### sub=Default] YYYY-MM-DDThh:mm:ss.#### POST /ui/mutation/add?propertyObjectType=com.vmware.vsphere.client.vm.VmCloneSpec 200 via_upstream - #### ### zstd <192.168.0.0>:<port_number> HTTP/2 TLSv1.2 <vCenter_ip>:443 127.0.0.1:#### HTTP/1.1 - 127.0.0.1:#### - -
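
The correlation described above can be scripted. The following is an added example, not VMware's code: it pairs each VmFileAccess Copy entry in vpxd.log with VmCloneSpec POST requests in envoy-access.log by timestamp. Assumptions: the sample lines are constructed from the layouts shown in this article, the name attribute_clones and the 5-second matching window are hypothetical, and both logs are taken to be in UTC as the trailing Z suggests.

```python
import re
from datetime import datetime

# Constructed sample lines in the layouts the article shows; every value is made up.
VPXD_LOG = """\
2024-03-14T09:15:02.412Z info vpxd[04817] [Originator@6876 sub=VmProv opID=aaaa-1234-auto-50cs-h5:70001234-aa-01] Local-VC Host Full Clone of poweredOff VM 'app01' (vm-1001, ds:///vmfs/volumes/1111-2222/app01/app01.vmx) to new name app01-copy on host-21 (192.0.2.21) in pool resgroup-10 with ds ds:///vmfs/volumes/3333-4444/
2024-03-14T09:15:02.655Z info vpxd[04817] [Originator@6876 sub=InvtId opID=aaaa-1234-auto-50cs-h5:70001234-aa-01] [VmFileAccess] Operation: Copy, SrcFile: ds:///vmfs/volumes/1111-2222/app01/app01.vmdk, DstFile: ds:///vmfs/volumes/3333-4444/app01-copy/app01-copy.vmdk, User: EXAMPLE\\jdoe, ClientIP: 127.0.0.1
"""
_CLONE = "POST /ui/mutation/add?propertyObjectType=com.vmware.vsphere.client.vm.VmCloneSpec"
_TAIL = "HTTP/2 TLSv1.2 192.0.2.10:443 127.0.0.1:41022 HTTP/1.1 - 127.0.0.1:5090 - -"
ENVOY_LOG = f"""\
2024-03-14T08:02:11.330Z info envoy[2524] [Originator@6876 sub=Default] 2024-03-14T08:02:11.327 {_CLONE} 200 via_upstream - 1790 498 zstd 203.0.113.7:50110 {_TAIL}
2024-03-14T09:15:02.050Z info envoy[2524] [Originator@6876 sub=Default] 2024-03-14T09:15:02.047 GET /ui/ 200 via_upstream - 0 912 zstd 203.0.113.9:50233 {_TAIL}
2024-03-14T09:15:02.101Z info envoy[2524] [Originator@6876 sub=Default] 2024-03-14T09:15:02.098 {_CLONE} 200 via_upstream - 1843 512 zstd 198.51.100.40:51544 {_TAIL}
"""

TS = r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z "
# vpxd.log: the file-copy entry carries the user; its ClientIP is the local proxy hop.
COPY_RE = re.compile(TS + r".*\[VmFileAccess\] Operation: Copy, SrcFile: (.+?), "
                          r"DstFile: .+?, User: ([^,]+), ClientIP: (\S+)")
# envoy-access.log: the first ip:port after the clone request is the remote client.
POST_RE = re.compile(TS + r".* " + re.escape(_CLONE) + r" .*? (\d{1,3}(?:\.\d{1,3}){3}):\d+ ")


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def attribute_clones(vpxd_text, envoy_text, window_s=5):
    """Pair each vpxd Copy entry (user) with clone POSTs envoy saw within window_s seconds."""
    posts = [(_ts(m.group(1)), m.group(2))
             for m in map(POST_RE.search, envoy_text.splitlines()) if m]
    findings = []
    for m in filter(None, map(COPY_RE.search, vpxd_text.splitlines())):
        when = _ts(m.group(1))
        # Keep every candidate address: concurrent clones cannot be separated by time alone.
        ips = sorted({ip for t, ip in posts if abs((when - t).total_seconds()) <= window_s})
        findings.append({"time": m.group(1), "src_file": m.group(2), "user": m.group(3),
                         "vpxd_client_ip": m.group(4), "source_ips": ips})
    return findings


if __name__ == "__main__":
    for finding in attribute_clones(VPXD_LOG, ENVOY_LOG):
        print(finding)
```

When source_ips holds more than one address, several clone requests arrived inside the window and the entries need to be separated by hand.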