PowerCLI

 View Only

  • 1.  VM Deleted Events

    Posted Jun 16, 2021 06:30 AM

    I have VM name and want to find who deleted the VM. Tried below but there is no output.

    Get-VIEvent -maxsamples ([int]::MaxValue) -Start (Get-Date).AddDays(–14|

    where{$_ -is [VMware.Vim.VmRemovedEvent] -and $_.VM -ne 'VMNAME'|

    Sort -Property CreatedTime -Descending|

    Select CreatedTime,UserName,FullformattedMessage

    I am not sure we can use "-and $_.VM -ne 'VMNAME'|" This parameters.

     

     



  • 2.  RE: VM Deleted Events

    Posted Jun 16, 2021 07:08 AM

    The VM property in an event does not contain a string with the name of the VM, but a MoRef.
    That is a pointer to the VM, which is a bit strange when it concerns a removal.
    Unless you have saved that MoRef somewhere before the removal.



  • 3.  RE: VM Deleted Events

    Posted Jun 16, 2021 08:14 AM

    Thanks LuCD,

    Can we use "FullFormattedMessage " and query the "VMNAME".   Ultimate aim to reduce the time and need to get the user name and time for VMRemovedEvent.  Instead of searching all the deleted event.  

     

    Get-VIEvent -Start (Get-Date).AddDays(-1) -MaxSamples ([int]::MaxValue) |where{$_ -is [VMware.Vim.VmRemovedEvent]}


    Template : False
    Key : 792885076
    ChainId : 792885073
    CreatedTime : 16/06/2021 07:30:56
    UserName : 'username"
    Datacenter : VMware.Vim.DatacenterEventArgument
    ComputeResource : VMware.Vim.ComputeResourceEventArgument
    Host : VMware.Vim.HostEventArgument
    Vm : VMware.Vim.VmEventArgument
    Ds :
    Net :
    Dvs :
    FullFormattedMessage : Removed vmname  on localhost.local from Datacenter
    ChangeTag :

     



  • 4.  RE: VM Deleted Events
    Best Answer

    Posted Jun 16, 2021 08:24 AM

    Yes, if the VMNAME is in the FullFormattedMessage you could do that.
    But be aware that this does not diminish the execution time.
    The Get-VIEvent will still retrieve all events, and the Where-clause will filter out the ones you want.

    That is in fact one of the reasons why I created my Get-VIEventPlus function.
    There the filtering happens during the retrieval of the events, resulting in a much faster execution time.
    You could use the EventType parameter and only retrieve the VMRemovedEvent objects.
    Which you could then filter with a Where-clause on the FullFormattedMessage content



  • 5.  RE: VM Deleted Events

    Posted Jun 16, 2021 11:14 AM

    Thanks LucD,

    Yes not able reduce the time for execution.  Only able to filter out and get the VM result alone.

    Get-VIEvent -Start ((get-date).adddays(-1)) -MaxSamples ([int]::MaxValue) |Where{($_ -is [VMware.Vim.VmRemovedEvent])}|
    where {$_. FullFormattedMessage -like '*VMNAME*'} | Select-Object CreatedTime, UserName, fullFormattedMessage

    CreatedTime : 16/06/2021 07:30:56
    UserName : 'username"
    FullFormattedMessage : Removed VMNAME on localhost.local  from Datacenter



  • 6.  RE: VM Deleted Events

    Posted Jun 16, 2021 12:26 PM

    You should have a look at my Get-VIEventPlus function.

    Is your question answered?
    Or what is still missing?



  • 7.  RE: VM Deleted Events

    Posted Jun 16, 2021 07:11 AM

    You can check vCenter server or ESXi hosts tasks & events for who deleted a VM. If not then try to find in vCenter server logs by filtering with VM name.



  • 8.  RE: VM Deleted Events

    Posted Jun 16, 2021 07:15 AM

    Did you actually read the question?!?