Who created Folders in vCenter


Introduction

When working as an administrator, the biggest challenge is understanding who did what and at what time.

A few days back I was working on an issue where a customer asked me about the identity of the user who created the folders in vCenter.

Now, this is very easy if we have an idea about the vCenter Tasks and Events, but in my case we didn't have any Tasks and Events in vCenter, because the tasks had been overwritten.

  • For a test, let's create a folder with the name Test.
  • Looking at this from vCenter, we can go to Tasks and Events and see a Create Folder task.

Now let's investigate this over SSH.

  1. SSH to the vCenter.
  2. Navigate to the location /var/log/vmware/vpxd/. Here you have two files, named VPXD and VPXD_Profiler.

The VPXD logs are the main vCenter Server logs, consisting of all vSphere Client and Web Services connections, internal tasks and events, and communication with the vCenter Server Agent (vpxa) on managed ESXi/ESX hosts.

The VPXD-PROFILER logs record the session information for all the vCenter-related tasks that are logged in VPXD.

  • Looking into the VPXD logs, we can see the event below, where the vim.Folder.createFolder task that created the folder in vCenter was initiated. The first ID after the method name is the session ID.
info vpxd[7FC743EFD700] [Originator@6876 sub=vpxLro opID=CreateFolderResolver-add-613565-ngc:70049196-fc] [VpxLRO] -- BEGIN task-32892 -- group-d1 -- vim.Folder.createFolder -- 5219ad93-f521-fd7c-5812-22fbf015cf18(524af5d7-7ff3-23da-f461-26d04bb0cb70)
  • Now search for this session ID in the VPXD Profiler logs to find the username:
cat vpxd-profiler-123.log | grep -i 5219ad93-f521-fd7c-5812-22fbf015cf18
 
 
 --> /SessionStats/SessionPool/Session/Id='5219ad93-f521-fd7c-5812-22fbf015cf18'/Username='VSPHERE.LOCAL\Administrator'/ClientIP='127.0.0.1'/PropertyCollector/ReadLocked/total 0
 --> /SessionStats/SessionPool/Session/Id='5219ad93-f521-fd7c-5812-22fbf015cf18'/Username='VSPHERE.LOCAL\Administrator'/ClientIP='127.0.0.1'/PropertyCollector/TriggeredProcessGUReqs/total 0
 --> /SessionStats/SessionPool/Session/Id='5219ad93-f521-fd7c-5812-22fbf015cf18'/Username='VSPHERE.LOCAL\Administrator'/ClientIP='127.0.0.1'/HttpSessionObject/Hidden/total 0
 --> /SessionStats/SessionPool/Id='5219ad93-f521-fd7c-5812-22fbf015cf18'/Username='VSPHERE.LOCAL\Administrator'/PropertyCollector/ComputeGUReqTime/max 9277 

Fortunately, in our case, the culprit was Administrator@vSphere.local. However, this will be different if your username is, let's say, v-2adix@ABC.com. Now you can easily find out who created folders in vCenter.
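The two lookups above, combined into one pass over every createFolder task, as an added example (not code from the original post). The function names are made up for illustration, and the sample log lines are constructed from the excerpts above, with an invented second task whose session is absent from the profiler log.

```bash
#!/bin/sh
# Added example: map each vim.Folder.createFolder task in a vpxd log to the
# session owner recorded in the vpxd-profiler logs. Function names are
# hypothetical; only sed, grep, sort and head are used.

# Print "task-id session-id" for each createFolder BEGIN line in vpxd log $1.
create_folder_sessions() {
  sed -nE 's/.*-- BEGIN (task-[0-9]+) -- .* -- vim\.Folder\.createFolder -- ([0-9a-f-]{36}).*/\1 \2/p' "$1"
}

# Print "username client-ip" for session $1, searching the remaining arguments
# (one or more profiler logs). Prints nothing if the session is not in them.
session_owner() {
  sid=$1; shift
  grep -hF -- "Id='$sid'" "$@" |
    sed -nE "s|.*/Username='([^']*)'/ClientIP='([^']*)'.*|\1 \2|p" | sort -u | head -n 1
}

# $1 = vpxd log, remaining arguments = profiler logs. One line per task.
who_created_folders() {
  vpxd=$1; shift
  create_folder_sessions "$vpxd" | while read -r task sid; do
    owner=$(session_owner "$sid" "$@")
    printf '%s %s %s\n' "$task" "$sid" "${owner:-UNKNOWN}"
  done
}

# Constructed sample input modelled on the excerpts above. The second task and
# its session ID are invented to show a session missing from the profiler log.
demo() {
  d=$(mktemp -d)
  cat >"$d/vpxd.log" <<'EOF'
info vpxd[7FC743EFD700] [Originator@6876 sub=vpxLro opID=CreateFolderResolver-add-613565-ngc:70049196-fc] [VpxLRO] -- BEGIN task-32892 -- group-d1 -- vim.Folder.createFolder -- 5219ad93-f521-fd7c-5812-22fbf015cf18(524af5d7-7ff3-23da-f461-26d04bb0cb70)
info vpxd[7FC743EFD701] [Originator@6876 sub=vpxLro opID=constructed-example] [VpxLRO] -- BEGIN task-32900 -- group-d1 -- vim.Folder.createFolder -- 11111111-2222-3333-4444-555555555555(66666666-7777-8888-9999-000000000000)
EOF
  cat >"$d/vpxd-profiler.log" <<'EOF'
 --> /SessionStats/SessionPool/Session/Id='5219ad93-f521-fd7c-5812-22fbf015cf18'/Username='VSPHERE.LOCAL\Administrator'/ClientIP='127.0.0.1'/PropertyCollector/ReadLocked/total 0
 --> /SessionStats/SessionPool/Session/Id='5219ad93-f521-fd7c-5812-22fbf015cf18'/Username='VSPHERE.LOCAL\Administrator'/ClientIP='127.0.0.1'/HttpSessionObject/Hidden/total 0
EOF
  who_created_folders "$d/vpxd.log" "$d"/vpxd-profiler*.log
  rm -rf "$d"
}
demo
```

On a vCenter, call who_created_folders with a vpxd log followed by the profiler logs under /var/log/vmware/vpxd/. A task reported as UNKNOWN means its session ID was not found in the profiler logs that were passed in.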

If you liked this, check out more articles like this in my VMware Investigation Series.

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.
