Hello,
I want to know by whom the VMs were deleted through time, but this command isn't working fine with me.
Get-VIEvent -maxsamples 10000 -Start (Get-Date).AddDays(–100) |where {$_.username -ne "USERNAME" -and $_.Gettype().Name-eq "VmRemovedEvent"} |Sort CreatedTime -Descending |Select CreatedTime, UserName,Fullforma
ttedMessage
That confirms the events are there and with a UserName that is not your Veeam account.
Now go for this one to have the report.
Get-VIEvent -MaxSamples ([int]::MaxValue) |
where{$_ -is [VMware.Vim.VmRemovedEvent] -and $_.UserName -ne 'Veeam account'} |
Sort CreatedTime -Descending |
Select CreatedTime,UserName,@{N='VM';E={$_.VM.Name}},FullformattedMessage
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Not sure why you have the -ne USERNAME condition in the where-clause, but can you try with this.
Does this return anything?
Get-VIEvent -MaxSamples ([int]::MaxValue) -Start (Get-Date).AddDays(–100) |
where{$_ -is [VMware.Vim.VmRemovedEvent]} |
Sort CreatedTime -Descending |
Select CreatedTime, UserName,FullformattedMessage
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Because I need to exclude the VEEAM SureBackup user accounts, as it deletes thousands of VMs, I want the result to get only real users, not service accounts, so, could you please help me with this?
The 1st requirement is of course that you keep the Events for 100 days.
Did you check that?
For the account, can you try with this one?
Get-VIEvent -MaxSamples ([int]::MaxValue) -Start (Get-Date).AddDays(–100) |
where{$_ -is [VMware.Vim.VmRemovedEvent] -and $_.UserName -ne 'Veeam account'} |
Sort CreatedTime -Descending |
Select CreatedTime, UserName,Fullforma
And can you also run the following?
It should show if any other, besides the Veeam account, is used to remove VMs.
Get-VIEvent -MaxSamples ([int]::MaxValue) |
where{$_ -is [VMware.Vim.VmRemovedEvent]} |
Group-Object -Property UserName
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
And also give this one a try
Get-VIEvent -MaxSamples ([int]::MaxValue) |
where{$_ -is [VMware.Vim.VmRemovedEvent]} |
Group-Object -Property UserName |
Select @{N='User';E={$_.Name}},
@{N='First';E={$_.Group | Sort-Object -Property CreatedTime | Select -First 1 | Select -ExpandProperty CreatedTime}},
@{N='Last';E={$_.Group | Sort-Object -Property CreatedTime -Descending | Select -First 1 | Select -ExpandProperty CreatedTime}}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
This one doesn't return the VM name, it returns the user only. the last script is still running in the background.
yes I meant 100 days, it was set to 200, but I've reduced it . I'm just digging six months back.
this one also returns only the username, I see that you are only specifying the "username" property. Could you please include the VM name as well?
I'm not selecting the UserName, but trying to group the events by UserName.
That should return for each event it finds a line with a Name and a Group Property.
It would help if you can show the script itself and the output it generates.
A screenshot is ok.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
PS C:\Users\u981021> Get-VIEvent -MaxSamples ([int]::MaxValue) -Start (Get-Date).AddDays(–20) | where{$_ -is [VMware.Vim
.VmRemovedEvent] -and $_.UserName -ne "swcc\vm-bkpsvc"} | Sort CreatedTime -Descending | Select CreatedTime, UserName,Fu
llformat
CreatedTime UserName Fullformat
----------- -------- ----------
12/2/2018 1:32:01 PM username
12/2/2018 12:24:04 PM VSPHERE.LOCAL\vpxd-extension-7b35d086-71e1-4722-a810-871d540c4023
12/2/2018 10:57:21 AM User
12/2/2018 10:57:21 AM User
12/2/2018 10:47:07 AM username
11/29/2018 1:40:30 PM VSPHERE.LOCAL\vpxd-extension-7b35d086-71e1-4722-a810-871d540c4023
11/29/2018 12:51:03 PM User
11/27/2018 9:11:07 AM username
11/26/2018 12:22:54 AM User
11/24/2018 2:28:59 AM User
11/21/2018 1:08:38 PM username
11/14/2018 8:11:41 AM username
and for the last script you've shared:
PS D:\ps> .\removed.ps1
User First Last
---- ----- ----
username 11/13/2018 12:09:26 PM 12/3/2018 1:25:01 PM
User 11/24/2018 2:28:59 AM 12/2/2018 10:57:21 AM
VSPHERE.LOCAL\vpxd-extension-7b35d086-71e1-4722-a810-871d540c4023 11/29/2018 1:40:30 PM 12/2/2018 12:24:04 PM
username 11/14/2018 8:11:41 AM 12/2/2018 1:32:01 PM
PS D:\ps>
No VM name.
That confirms the events are there and with a UserName that is not your Veeam account.
Now go for this one to have the report.
Get-VIEvent -MaxSamples ([int]::MaxValue) |
where{$_ -is [VMware.Vim.VmRemovedEvent] -and $_.UserName -ne 'Veeam account'} |
Sort CreatedTime -Descending |
Select CreatedTime,UserName,@{N='VM';E={$_.VM.Name}},FullformattedMessage
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
That did the trick.
Thank you,