MRoushdy
Hot Shot
Hot Shot

Get removed VMs by a specific user

Jump to solution

Hello,

I want to know by whom the VMs were deleted through time, but this command isn't working fine with me.

Get-VIEvent -maxsamples 10000 -Start (Get-Date).AddDays(–100) |where {$_.username -ne "USERNAME" -and    $_.Gettype().Name-eq "VmRemovedEvent"} |Sort CreatedTime -Descending |Select CreatedTime, UserName,Fullforma

ttedMessage

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
Tags (1)
1 Solution

Accepted Solutions
LucD
Leadership
Leadership

That confirms the events are there and with a UserName that is not your Veeam account.

Now go for this one to have the report.

Get-VIEvent -MaxSamples ([int]::MaxValue) |

where{$_ -is [VMware.Vim.VmRemovedEvent] -and $_.UserName -ne 'Veeam account'} |

Sort CreatedTime -Descending |

Select CreatedTime,UserName,@{N='VM';E={$_.VM.Name}},FullformattedMessage


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

10 Replies
LucD
Leadership
Leadership

Not sure why you have the -ne USERNAME condition in the where-clause, but can you try with this.
Does this return anything?

Get-VIEvent -MaxSamples ([int]::MaxValue) -Start (Get-Date).AddDays(–100) |

where{$_ -is [VMware.Vim.VmRemovedEvent]} |

Sort CreatedTime -Descending |

Select CreatedTime, UserName,FullformattedMessage


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
MRoushdy
Hot Shot
Hot Shot

Because I need to exclude the VEEAM SureBackup user accounts, as it deletes thousands of VMs, I want the result to get only real users, not service accounts, so, could you please help me with this?

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos
LucD
Leadership
Leadership

The 1st requirement is of course that you keep the Events for 100 days.
Did you check that?


For the account, can you try with this one?

Get-VIEvent -MaxSamples ([int]::MaxValue) -Start (Get-Date).AddDays(–100) |

where{$_ -is [VMware.Vim.VmRemovedEvent] -and $_.UserName -ne 'Veeam account'} |

Sort CreatedTime -Descending |

Select CreatedTime, UserName,Fullforma

And can you also run the following?
It should show if any other, besides the Veeam account, is used to remove VMs.

Get-VIEvent -MaxSamples ([int]::MaxValue) |

where{$_ -is [VMware.Vim.VmRemovedEvent]} |

Group-Object -Property UserName


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
LucD
Leadership
Leadership

And also give this one a try

Get-VIEvent -MaxSamples ([int]::MaxValue) |

where{$_ -is [VMware.Vim.VmRemovedEvent]} |

Group-Object -Property UserName |

Select @{N='User';E={$_.Name}},

    @{N='First';E={$_.Group | Sort-Object -Property CreatedTime | Select -First 1 | Select -ExpandProperty CreatedTime}},

    @{N='Last';E={$_.Group | Sort-Object -Property CreatedTime -Descending | Select -First 1 | Select -ExpandProperty CreatedTime}}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
MRoushdy
Hot Shot
Hot Shot

This one doesn't return the VM name, it returns the user only. the last script is still running in the background.

yes I meant 100 days, it was set to 200, but I've reduced it Smiley Happy. I'm just digging six months back.

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos
MRoushdy
Hot Shot
Hot Shot

this one also returns only the username, I see that you are only specifying the "username" property. Could you please include the VM name as well?

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos
LucD
Leadership
Leadership

I'm not selecting the UserName, but trying to group the events by UserName.
That should return for each event it finds a line with a Name and a Group Property.

It would help if you can show the script itself and the output it generates.

A screenshot is ok.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
MRoushdy
Hot Shot
Hot Shot

PS C:\Users\u981021> Get-VIEvent -MaxSamples ([int]::MaxValue) -Start (Get-Date).AddDays(–20) | where{$_ -is [VMware.Vim

.VmRemovedEvent] -and $_.UserName -ne "swcc\vm-bkpsvc"} | Sort CreatedTime -Descending | Select CreatedTime, UserName,Fu

llformat

CreatedTime            UserName                                                          Fullformat

-----------            --------                                                          ----------

12/2/2018 1:32:01 PM   username

12/2/2018 12:24:04 PM  VSPHERE.LOCAL\vpxd-extension-7b35d086-71e1-4722-a810-871d540c4023

12/2/2018 10:57:21 AM  User

12/2/2018 10:57:21 AM  User

12/2/2018 10:47:07 AM  username

11/29/2018 1:40:30 PM  VSPHERE.LOCAL\vpxd-extension-7b35d086-71e1-4722-a810-871d540c4023

11/29/2018 12:51:03 PM User

11/27/2018 9:11:07 AM  username

11/26/2018 12:22:54 AM User

11/24/2018 2:28:59 AM  User

11/21/2018 1:08:38 PM  username

11/14/2018 8:11:41 AM  username

and for the last script you've shared:

PS D:\ps> .\removed.ps1

User                                                              First                  Last

----                                                              -----                  ----

username                                                   11/13/2018 12:09:26 PM 12/3/2018 1:25:01 PM

User                                                              11/24/2018 2:28:59 AM  12/2/2018 10:57:21 AM

VSPHERE.LOCAL\vpxd-extension-7b35d086-71e1-4722-a810-871d540c4023 11/29/2018 1:40:30 PM  12/2/2018 12:24:04 PM

username                                                    11/14/2018 8:11:41 AM  12/2/2018 1:32:01 PM

PS D:\ps>

No VM name.

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos
LucD
Leadership
Leadership

That confirms the events are there and with a UserName that is not your Veeam account.

Now go for this one to have the report.

Get-VIEvent -MaxSamples ([int]::MaxValue) |

where{$_ -is [VMware.Vim.VmRemovedEvent] -and $_.UserName -ne 'Veeam account'} |

Sort CreatedTime -Descending |

Select CreatedTime,UserName,@{N='VM';E={$_.VM.Name}},FullformattedMessage


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

MRoushdy
Hot Shot
Hot Shot

That did the trick.

Thank you,

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
0 Kudos