Someone deleted a VM from the AHV cluster. We can see a VM deletion task under Prism Element, but we can’t easiliy determine which VM got deleted and by whom? Can you help?
I am surprised this kind of information can’t be found directly on Prism Element (PE). All you got is a notification for a VM deletion task that doesn’t provide any further details.
If you need more information on who deleted a specific VM, the only option that you have today is checking the logs.
You can connect to any CVM on the cluster and check the acropolis.out log and grep the string “VmdeleteAudit”.
allssh ‘grep VMDeleAudit /home/nutanix/data/logs/acropolis.out*’
This command gives you the name of the VM deleted:
To determine which user deleted this VM, check the ecli task list on any CVM and get the parent task UUID of a task with Type kVmDelete.
With the below command you will get more information about the task and especially the request context where you find the user_ip and user_name.
ecli task.get task UUID