ranjithbabhu
Enthusiast
Enthusiast

VM Deleted Events

Jump to solution

I have VM name and want to find who deleted the VM. Tried below but there is no output.

Get-VIEvent -maxsamples ([int]::MaxValue) -Start (Get-Date).AddDays(–14|

where{$_ -is [VMware.Vim.VmRemovedEvent] -and $_.VM -ne 'VMNAME'|

Sort -Property CreatedTime -Descending|

Select CreatedTime,UserName,FullformattedMessage

I am not sure we can use "-and $_.VM -ne 'VMNAME'|" This parameters.

 

 

0 Kudos
1 Solution

Accepted Solutions
LucD
Leadership
Leadership

Yes, if the VMNAME is in the FullFormattedMessage you could do that.
But be aware that this does not diminish the execution time.
The Get-VIEvent will still retrieve all events, and the Where-clause will filter out the ones you want.

That is in fact one of the reasons why I created my Get-VIEventPlus function.
There the filtering happens during the retrieval of the events, resulting in a much faster execution time.
You could use the EventType parameter and only retrieve the VMRemovedEvent objects.
Which you could then filter with a Where-clause on the FullFormattedMessage content


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
7 Replies
LucD
Leadership
Leadership

The VM property in an event does not contain a string with the name of the VM, but a MoRef.
That is a pointer to the VM, which is a bit strange when it concerns a removal.
Unless you have saved that MoRef somewhere before the removal.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Kpjangid
Enthusiast
Enthusiast

You can check vCenter server or ESXi hosts tasks & events for who deleted a VM. If not then try to find in vCenter server logs by filtering with VM name.

Thank you!
Vikramaditya J
0 Kudos
LucD
Leadership
Leadership

Did you actually read the question?!?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
ranjithbabhu
Enthusiast
Enthusiast

Thanks LuCD,

Can we use "FullFormattedMessage " and query the "VMNAME".   Ultimate aim to reduce the time and need to get the user name and time for VMRemovedEvent.  Instead of searching all the deleted event.  

 

Get-VIEvent -Start (Get-Date).AddDays(-1) -MaxSamples ([int]::MaxValue) |where{$_ -is [VMware.Vim.VmRemovedEvent]}


Template : False
Key : 792885076
ChainId : 792885073
CreatedTime : 16/06/2021 07:30:56
UserName : 'username"
Datacenter : VMware.Vim.DatacenterEventArgument
ComputeResource : VMware.Vim.ComputeResourceEventArgument
Host : VMware.Vim.HostEventArgument
Vm : VMware.Vim.VmEventArgument
Ds :
Net :
Dvs :
FullFormattedMessage : Removed vmname  on localhost.local from Datacenter
ChangeTag :

 

0 Kudos
LucD
Leadership
Leadership

Yes, if the VMNAME is in the FullFormattedMessage you could do that.
But be aware that this does not diminish the execution time.
The Get-VIEvent will still retrieve all events, and the Where-clause will filter out the ones you want.

That is in fact one of the reasons why I created my Get-VIEventPlus function.
There the filtering happens during the retrieval of the events, resulting in a much faster execution time.
You could use the EventType parameter and only retrieve the VMRemovedEvent objects.
Which you could then filter with a Where-clause on the FullFormattedMessage content


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
ranjithbabhu
Enthusiast
Enthusiast

Thanks LucD,

Yes not able reduce the time for execution.  Only able to filter out and get the VM result alone.

Get-VIEvent -Start ((get-date).adddays(-1)) -MaxSamples ([int]::MaxValue) |Where{($_ -is [VMware.Vim.VmRemovedEvent])}|
where {$_. FullFormattedMessage -like '*VMNAME*'} | Select-Object CreatedTime, UserName, fullFormattedMessage

CreatedTime : 16/06/2021 07:30:56
UserName : 'username"
FullFormattedMessage : Removed VMNAME on localhost.local  from Datacenter

0 Kudos
LucD
Leadership
Leadership

You should have a look at my Get-VIEventPlus function.

Is your question answered?
Or what is still missing?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos