VMware Cloud Community
Pozinux
Contributor
Contributor
‎02-22-2018 12:23 PM

How can I know who created this VMware snapshot?

Hi all,

Someone made a snapshot of a production VM (vSphere 5.1) a month ago. The snapshot is still there. Apparently this person doesn't know that snapshots are not backup operation...

I would like to find out in the logs who created it but the "Tasks & Events" in vCenter don't allow to go back far enough (I have already change the vSphere client setting > List > Tasks and Events > Page Size to 1000).

Where can I find more logs about the snapshots operations? What are the log files most appropriate for finding informations close to what we can find in task and event section?

Thanks for your help!

Reply
5 Replies
daphnissov
Immortal
Immortal
‎02-22-2018 03:05 PM

If you click on the VM which received the snapshot, you can look at its past Tasks pane and possibly see that information. If not, you may need to query vCenter for that. I'm not sure if 5.1 allows any PowerCLI cmdlets to run those queries, or if you'd have to run a database query directly (which is not preferable).

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net
Reply
jrodsguitar
Enthusiast
Enthusiast
‎02-22-2018 04:06 PM

From VMware's Interoperability Matrices: PowerCLI 6.3.0 is compatible with vCenter 5.1

VMware Product Interoperability Matrices

This script will give you who took what snapshots. Keep in mind this is all dependent on how far back you choose to keep logs on your vCenter/vSphere.

#########################

#Script by Jose Rodriguez

#https://communities.vmware.com/people/jrodsguitar

#

$vmsnapshots = Get-VM | Get-Snapshot

$processed = 0

$results = @()

foreach ($snapshot in $vmsnapshots)

{

    Write-Progress -Activity "Getting snapshot CreatedBy info" -PercentComplete (($processed/$vmsnapshots.Length)*100)

    $processed = $processed + 1

    $snapevent = Get-VIEvent -Entity $snapshot.VM -Types Info -Finish $snapshot.Created -MaxSamples 1 | Where-Object {$_.FullFormattedMessage -imatch 'Task: Create virtual machine snapshot'}

   

    if ($snapevent -ne $null)

    {

        $user = [string]$snapevent.UserName

        $snapshot | Add-Member CreatedBy $user

    }

    else

    {

        $snapshot | Add-Member CreatedBy '--Unknown--'

    }

   

    $results = $results + $snapshot

}

Write-Progress -Activity "Sorting" -PercentComplete 0

$results = $results | Sort-Object -Property Created

Write-Progress -Completed -Activity "Sorting" -PercentComplete 100

$results | Format-Table -Property VM,Name,@{Label="Created"; Expression={Get-Date $_.Created -UFormat "%D"}},CreatedBy

Blog: https://powershell.house/
Reply
Pozinux
Contributor
Contributor
‎02-23-2018 05:48 AM

Thanks Jose,

I tried your script but it doesn't work as is (probably because of my powercli version = 5.5 but I cannot install another version at the moment). So I tried to adapt it to my case.

The script stops working on this part of code :

$snapshot | Add-Member CreatedBy $user

It asks for -MemberType and -Name options. I tried the following :

$snapshot | Add-Member -MemberType CodeProperty -Name CreatedBy -Value $user

but I get this error (I replaced the username of who made the snapshot by XXXX) :

Console

Add-Member : Cannot convert the "XXXXXX" value of type "System.String" to type "System.Reflection.MethodInfo".
At XXXX snapshots.ps1:24 char:31
+         $snapshot | Add-Member <<<<  -MemberType CodeProperty -Name CreatedBy -Value $user
    + CategoryInfo          : InvalidArgument: (:) [Add-Member], PSInvalidCastException
    + FullyQualifiedErrorId : ConvertToFinalInvalidCastException,Microsoft.PowerShell.Commands.AddMemberCommand

I don't know what to affect to this required option... Any ideas ?

Reply
0 Kudos
jrodsguitar
Enthusiast
Enthusiast
‎02-23-2018 11:35 AM

Try it this way. Looks like it doesn't like the cast. Maybe it was missing the -MemberType Notepad property for new-object? Either way I'm curious if this new version will work with your PowerShell/PowerCLI versions.

#########################

#Script by Jose Rodriguez

#https://communities.vmware.com/people/jrodsguitar

#

$vmsnapshots = Get-VM | Get-Snapshot

$processed = 0

$results = @()

foreach ($snapshot in $vmsnapshots){

    Write-Progress -Activity "Getting snapshot CreatedBy info" -PercentComplete (($processed/$vmsnapshots.Length)*100)

    $processed = $processed + 1

   

    $snapevent = Get-VIEvent -Entity  $snapshot.VM -Types Info -Finish  $snapshot.Created -MaxSamples 1 | Where-Object {$_.FullFormattedMessage -imatch 'Task: Create virtual machine snapshot'}

  

   if($snapevent -ne $null){

       $user = $snapevent.UserName 

  }

  else{

   

        $user =    '--Unknown--'

  }

   

    $properties = @{

    VM = $snapshot.vm.name

    Name =  $snapshot.name                                         

    Created = ($snapshot.created | Get-Date -UFormat "%D")

    CreatedBy = $user

       

   }

    $results += new-object psobject -Property $properties

}

Write-Progress -Activity "Sorting" -PercentComplete 0

$results = $results | Sort-Object -Property Created

Write-Progress -Completed -Activity "Sorting" -PercentComplete 100

$results | Format-Table -Property VM,Name,created,CreatedBy

Blog: https://powershell.house/
Reply
0 Kudos
sarikrizvi
Enthusiast
Enthusiast
‎02-23-2018 11:37 AM

Check this blog - Who created these VM snapshots??? | vStrong.info

Regards,
SARIK (Infrastructure Architect)
vExpert 2018-2020 | vExpert - Pro | NSX | Security
vCAP-DCD 6.5 | vCP-DCV 5.0 | 5.5 | 6.0 | vCA-DCV 5 | vCA-Cloud 5 | RHCSA & RHCE 6 | A+ (HW & NW)
__________________
Please Mark "Helpful" or "Correct" if It'll help you
_____________________________________
@Follow:
Blog# https://vmwarevtech.com
vExpert# https://vexpert.vmware.com/directory/1997
Badge# https://www.youracclaim.com/users/sarik
Reply
0 Kudos