Hello,

You can see from 'Tasks and Events' in the vSphere client who initiated which jobs.

You can also pull this data directly from the database tables these are generated from.

For activities from directly connecting to a host using SSH there is the shell.log (/var/log/shell.log)

I believe there are also logs in vCenter that show IP connections of users etc. that might correlate with actions in the environment.

Here is a decent article covering some of these methods:

itdiversified.com/vmware-vsphere-auditing-your-administrators/

Bob

-o- If you found this comment useful please click the 'Helpful' button and/or select as 'Answer' if you consider it so, please ask follow-up questions if you have any -o-

Hello Dongjianhua​

You can to the following:
log in to vSphere Client --> pick a virtual machine on inventory --> File (on the upper left side) --> Export --> System events --> and pick a time range in wich you think the event happened.

Please note that this data is directly pulled from vcdb and it is directly affected by event rotation.