VMware Cloud Community
twigg0
Contributor
Contributor
‎04-09-2020 12:14 AM

Somebody deleted a vmdk. How to I tell who?

Hi all,

fast little info that is making me bang my head all day. I need to investigate who deleted a vmdk (persistent volume).

I am accused of having deleted a vmdk (persistent volume) created specifically for kubernetes with a vmware user to whom I have granted write permissions on that volume.Obviously we didn't do anything.

I need to find who deleted vmdk

On VM Task side I see this:

Reconfigure virtual machine

Status:

File [] /vmfs/volumes/xxxx/xx/xxxx.vmdk was not found

Initiator:

user to whom I granted write permission

Target:

name of the vm

Server:

xxxx

Related events:

date, time

Task: Reconfigure virtual machine

But he does not say who has canceled it, he only says that he does not find it

I searched on vpxa and hostd but I can't find anything, I only have the last 4 days but the event dates back to 15 days ago. Ideas?

0 Kudos
3 Replies
continuum
Immortal
Immortal
‎04-09-2020 01:43 AM

Look for cli.log on the datastore that had the flat.vmdk.

That log-file may be hidden - sometimes you can find it by running

strings against the device of the datastore.

Thats something you cant do with esxi itself - I have no time to explain right now .... call me via skype or wait for a reply later.

Ulli


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

0 Kudos
twigg0
Contributor
Contributor
‎04-09-2020 04:17 AM

continuum​ : Could you please help me? Tried to add to skype with no success..


Br

Thanks

0 Kudos
continuum
Immortal
Immortal
‎04-09-2020 04:48 AM

I have seen  no skype connection requests last hours ...

Anyway - read Create a VMFS-Header-dump using an ESXi-Host in production | VM-Sickbay

Create a dump like that and copy the dump to a host that has the tool strings installed.

That can be any Linux (comes with strings installed) or Windows (then install https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwib44HEotvo... )

Run strings dump-file > text.txt

Then search through text.txt - it often has a cli.log - in which manual commands are logged


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

0 Kudos