Hello Mates,
I would like to find out the ntp server configured date of one of the host and the action is done by whom (what user). Any help is really appreciated.
Thanks,
You could try looking through the events for the host. I think you get an event with the text "Task: Update date or time" when someone changes the NTP server. Use the following one liner
Get-VMHost nameofyourhost | Get-VIEvent | Where {$_.FullFormattedMessage -eq "Task: Update date or time"} | Select CreatedTime, UserName, FullFormattedMessage
Depending on how long ago it happened you might have to increase the MaxSamples on the Get-VIEvent cmdlet, e.g.
Get-VMHost nameofyourhost | Get-VIEvent -MaxSamples 1000 | Where {$_.FullFormattedMessage -eq "Task: Update date or time"} | Select CreatedTime, UserName, FullFormattedMessage
Afaik, there is no event that keep track of the configuration of the NTP server on an ESX(i) host, I'm afraid.
Perhaps there is something in /var/log/messages (for an ESX host), but I'm afraid you won't see who actually did the change.
Was this done from a vSphere client or from a SSH to the ESX(i) host ?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I found the guy reviewing events. Thanks anyway Luc ...
You could try looking through the events for the host. I think you get an event with the text "Task: Update date or time" when someone changes the NTP server. Use the following one liner
Get-VMHost nameofyourhost | Get-VIEvent | Where {$_.FullFormattedMessage -eq "Task: Update date or time"} | Select CreatedTime, UserName, FullFormattedMessage
Depending on how long ago it happened you might have to increase the MaxSamples on the Get-VIEvent cmdlet, e.g.
Get-VMHost nameofyourhost | Get-VIEvent -MaxSamples 1000 | Where {$_.FullFormattedMessage -eq "Task: Update date or time"} | Select CreatedTime, UserName, FullFormattedMessage