Who deleted that VM…
Got a email from a customer trying to track down information on who deleted a VM from their environment. It wasn’t a critical VM, it was running some app the IT department was using, and they were able to restore it from a backup. Since the VM was running an app they were using they wanted to find out who deleted it so they could understand what the reason for deleting it was.
This information can be found in vCenter Task and Events but it may take a bit of searching depending on how long has passed. The customer has vRealize Log Insight installed in the environment which makes it super easy to track down things like this.
Log Insight includes a dashboard Virtual Machine – Overview which makes it super easy to locate VMs which have been deleted. On this dashboard there is a VMs deleted tile which displays the number of virtual machines which have been deleted during the selected time range.
The VMs deleted tile is backed by a simple query which displays the number of vCenter event type (vc_event_type) which contain com.vmware.vim25.VmRemovedEvent. If you click on the Interactive Analytics icon on the VMs deleted tile it will take you to the log entries for com.vmware.vim25.VmRemovedEvent associated with the tile.
From the event you can gather a lot of information: VM name, vCenter, Datacenter, ESXi host, Cluster, and the piece of information the customer was looking for – the user who deleted the VM.
There are a number of other ways within Log Insight to get to this same information, but this is pretty point and click easy.
You can also create an alert directly from the query so you get an email whenever a VM is deleted.
A pretty simple example which shows the usefulness and value of vRealize Log Insight.