VMware Cloud Community
junglehood
Contributor
Contributor

Tracing VMs deleted

Hello, I would like to know how can I trace VMs deleted

We have Infrastructure 3.5, + 200 ESX and + 1000 VMs

Some actions are done by administrators and my question is :

Is there a way to know when VMs are deleted ? I have some VMs I can't find anymore in our Infra.

I don't find anything in the logs

Thank you in advance for your time & help.

Reply
0 Kudos
7 Replies
RParker
Immortal
Immortal

It should be in the events log.

Reply
0 Kudos
junglehood
Contributor
Contributor

That's what we though but ...we do not see it.

We made an extract of the logs and no trace of the particular VM we are looking for.

Reply
0 Kudos
RParker
Immortal
Immortal

Well there are a few VM Management tools that are 3rd party. They will monitor your VM environment and keep track of ALL VMs including changes, add, remove, deletes and notify you if you want.

If this is an important asset you may consider investigating these tools (vkernel or embotics) and see if they will work.

vCenter is limited to the last 100 events, which doesn't help if you migrate, or make changes, the deleted VM's get rolled off. I haven't found a way to go back through the history to investigate a problem either, unless it's a recent change.

Reply
0 Kudos
kjb007
Immortal
Immortal

Unfortunatley, for this, the best way to get the data is either use powershell and retrieve all events, or query the vCenter db directly. Not very elegant or intuitive at all, but it will get you the information you need.

Another way to do this to edit the vi client settings, click on Lists tab, and edit the page size for the 'Tasks and Events'. It will pull more data from the db, but it will only go so far, especially if you don't know what folder/pool the vm was deleted from. The higher the level,the higher the page size you'll need.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Reply
0 Kudos
junglehood
Contributor
Contributor

OK, thank you all for the time and very interesting informations.

I think we will use 3rd party software.

Reply
0 Kudos
clavelstephane
Enthusiast
Enthusiast

What about sending vCenter logs to a syslog server to ensure longer data retention period and use some tool like splunk to crawl these logs ?

Reply
0 Kudos
Texiwill
Leadership
Leadership

Hello,

Look into HyTrust. That will be a useful tool for you and will log all these actions.

As for logfile analysis, you will need to grab the logs using something like Splunk etc.

You can also grab the hostd.log off the ESX hosts. while it may not tell you who did the action, it will tell you when.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]

Also available 'VMWare ESX Server in the Enterprise'[/url]

Blogging: The Virtualization Practice[/url]|Blue Gears[/url]|TechTarget[/url]|Network World[/url]

Podcast: Virtualization Security Round Table Podcast[/url]|Twitter: Texiwll[/url]

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Reply
0 Kudos