A False positive HA Alert

Article ID: 428477

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • A VM failed over due to some HA event:
    EventEx=com.vmware.vc.ha.VmRestartedByHAEvent vm=/vmfs/volumes/<Datastore-Name>/<VM-Name>/<VM-Name>.vmx host=host-##### tag=host-
     
  • Aria Operations for Logs (Log Insight) flags vSphere HA after the first event 

Environment

8.x

Cause

The vSphere HA (FDM) agent generates a state dump when requested by a user or a script. This is identified in the logs as Dump Reason=User.

In this scenario, the second dump was triggered automatically by the vm-support utility (Log Bundle generation) or a manual prettyPrint.sh execution. This dump captures the current state of the cluster. 

Aria Operations for Logs may flag any occurrence of BEGIN DUMP in the FDM logs as a potential HA event, resulting in a false positive alert for the log collection activity.

Resolution

This is expected behavior and indicates a benign, intentional capture of the HA state.

  1. Open /var/log/fdm.log on the host and locate the timestamp of the second alert. Check the line immediately preceding or following BEGIN DUMP.

    • If Dump Reason=FailoverStart: A genuine HA event occurred.

    • If Dump Reason=User: This is a manual dump triggered by the log collection process. No failure occurred.

  2. If the reason is "User," the alert can be safely dismissed. The absence of the deleted VM in this dump confirms the log bundle was generated after the administrative action to remove the VM.
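
The check in step 1 can be scripted when several dumps need triage. The following is an added example, not code from the article or from VMware: it relies only on the BEGIN DUMP and Dump Reason= tokens named above, and the sample log lines (timestamps and surrounding wording) are constructed, since the full fdm.log line layout is not shown here.

```python
import re

# Tokens taken from the article; the rest of each log line is not assumed.
DUMP_MARKER = "BEGIN DUMP"
REASON_RE = re.compile(r"Dump Reason=(\w+)")

VERDICTS = {
    "FailoverStart": "genuine HA event",
    "User": "benign manual dump (log collection)",
}

def classify_dumps(lines):
    """Return one (line_no, reason, verdict) tuple per BEGIN DUMP marker.

    The reason is read from the marker line or the line immediately
    before or after it, as the resolution steps describe.
    """
    results = []
    for i, line in enumerate(lines):
        if DUMP_MARKER not in line:
            continue
        reason = None
        # Marker line first, then the preceding line, then the following one.
        for j in (i, i - 1, i + 1):
            if 0 <= j < len(lines):
                m = REASON_RE.search(lines[j])
                if m:
                    reason = m.group(1)
                    break
        verdict = VERDICTS.get(reason, "unrecognised reason, review manually")
        results.append((i + 1, reason, verdict))
    return results

# Constructed sample: timestamps and surrounding wording are invented for the
# example; only "BEGIN DUMP" and "Dump Reason=..." come from the article.
SAMPLE_LOG = """\
2025-01-10T08:15:02Z fdm: Dump Reason=FailoverStart
2025-01-10T08:15:02Z fdm: BEGIN DUMP
2025-01-10T08:15:03Z fdm: cluster state follows
2025-01-10T09:40:11Z fdm: BEGIN DUMP
2025-01-10T09:40:11Z fdm: Dump Reason=User
2025-01-10T09:40:12Z fdm: cluster state follows
2025-01-10T10:05:00Z fdm: BEGIN DUMP
2025-01-10T10:05:01Z fdm: cluster state follows
""".splitlines()

if __name__ == "__main__":
    for line_no, reason, verdict in classify_dumps(SAMPLE_LOG):
        print(f"line {line_no}: Dump Reason={reason} -> {verdict}")
```

To run it against a real host log, pass the lines of /var/log/fdm.log to classify_dumps instead of the sample. A dump with no adjacent reason is reported for manual review rather than dismissed.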