In some scenarios, it may be necessary to discover where a specific task in vCenter originated, especially if the user account does not belong to a single individual. 

• vCenter Server 7.x
• vCenter Server 8.x
• vCenter Server 9.x

Determine the time and date as well as the user that executed the task from the vCenter Tasks.

SSH to the vCenter Appliance with root

There will be at least two main locations where the task is recorded in the logs, the journal and vpxd.log.

Journal Logs

1. Run the following command to display the journal logs 

journalctl -b | less

2. Find the login and task by searching for the timestamp of the task and associate it with a relevant lines with the associated username.  

For example, if searching for a VM disk consolidation task executed by the [email protected] account, it would appear like this:

Oct 30 10:10:10 vcenter.example.com vpxd[5952]: Event [1234567] [1-1] [2025-10-30T10:10:10.550367Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\Administrator] [] [1234567] [User VSPHERE.LOCAL\Administrator@10.10.10.10 logged in as Mozilla/4.0]
Oct 30 10:10:10 vcenter.example.com vpxd[5952]: Event [1234568] [1-1] [2025-10-30T10:10:10.882383Z] [vim.event.TaskEvent] [info] [VSPHERE.LOCAL\Administrator] [CNID] [1234568] [Task: Consolidate virtual machine disk files]

The above log messages indicate that the task originated from IP 10.10.10.10.

VPXD Logs

vpxd logs are located in /var/log/vmware/vpxd/

Find the associated task message in the vpxd log at the time indicated. This will include a session ID as highlighted below.

BEGIN task-220123 -- vm-1234 -- vim.VirtualMachine.consolidateDisks -- 12345678a-1e33-5702-ce3c-123456789f(88888888-14a1-75cb-b0f6-88888888)

Use the following command to determine the Client IP address associated with the session ID. 

zgrep "<session-id>" /var/log/vmware/vpxd/vpxd-profiler* | grep ClientIP

Note: The ClientIP may show up as 127.0.0.1. This means that the session was initiated by an internal process.