Drilling through vSphere events and tasks is one of the first things any administrator does when troubleshooting an issue or even just looking to know who did something on an entity. If you work with VMware products, you may have noticed that going back in time can be rather frustrating in the vSphere web client. It only displays 100 records at a time, which is not much considering everything happening on a host or a cluster in a day for instance.
You may find yourself spending the afternoon spamming the “Next” button to go back a few days or weeks to find that record you’re after. I think we can all agree that this is not a sustainable situation and we will see how to work this out more efficiently.
Do note that the methods described below will make it easier to find older records, but you can only go as far back as the retention of the vCenter database allows.
If you want older historical data, you can use a syslog server like vRealize Log Insight or increase the default 30-day retention setting in “vCenter > Configure > General > Database > Event retention (days)”.
However, be aware that changing this setting may have an impact on the performance of your vCenter database.
Querying VI events in PowerCLI is a lot faster and more convenient than one could imagine. The syntax of PowerCLI (PowerShell in general) is incredibly easy and flexible to use.
The big advantage of using this technique is that you can display events from several sources as opposed to the web client in which you focus on a single entity. For instance, troubleshooting can be made easy by displaying the events of a bunch of web server VMs and their associated database VM.
Note that you cannot mix entity types (e.g. VMHost and VM) in a single query, but you could run two Get-VIEvent commands and concatenate their output without much hassle.
You actually don’t have to write a long command with all the conditions to display what you need. Instead, you can use Out-GridView (alias ogv) to open the output in a simple graphical interface in which you can narrow down the view with the use of criteria.
- Open PowerShell and connect to vCenter
- Use Get-VIEvent on the entity you want the events for and pipe it into Out-GridView (ogv). Note that it will display the first 100 records by default; use the -MaxSamples parameter to increase this value
- The output will display a lot of columns you are not interested in. You can remove them by right-clicking one of the column headers and choosing to select columns. Move the columns you don’t need to the left to clear out the view, then click OK
- You are left with the latest 9999 events of the current entity. Use the Add Criteria button in the top left corner to narrow it down. You can filter on all the properties of the events. What you will most likely use is CreatedTime, UserName, and FullFormattedMessage (the description field in the web client), but your mileage may vary
- When you have chosen a property (properties) to edit, you can change the operator to your needs
- You can now see only the records that match your query
It is possible to specify some of your query directly in the Get-VIEvent command with the use of parameters. This could be useful if the entity has a large number of records and you don’t want to query 99999 events, which will take ages to run and process.
I suggest that you keep using Out-GridView for clear visibility.
- Example: Same query as above created with parameters. I only added the -Types parameter to demonstrate it
As you can see PowerShell interprets the dates even though they are typed as strings.
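The parameter-based query and the "two commands, concatenated" approach described above can be combined as follows. This is an added example, not code from the original post; the vCenter, VM and host names are placeholders, and the 7-day window and sample limit are constructed values.

```powershell
# Placeholder names (assumptions): vcenter.example.local, web*, db01, esx01.example.local
Connect-VIServer -Server 'vcenter.example.local'

# Shared query parameters, splatted into both Get-VIEvent calls
$query = @{
    Start      = (Get-Date).AddDays(-7)   # constructed time window
    Finish     = Get-Date
    MaxSamples = 5000                     # the default is only 100 records
}

# Entity types cannot be mixed in one call, so VMs and the host are queried separately
$vms    = Get-VM -Name 'web*', 'db01'
$vmhost = Get-VMHost -Name 'esx01.example.local'

$vmEvents   = Get-VIEvent -Entity $vms @query
$hostEvents = Get-VIEvent -Entity $vmhost @query -Types Warning, Error

# Concatenate both result sets, order them on one timeline, keep the useful columns
$events = @($vmEvents) + @($hostEvents) |
    Sort-Object CreatedTime -Descending |
    Select-Object CreatedTime, UserName,
        @{ Name = 'Source';    Expression = { if ($_.Vm) { $_.Vm.Name } else { $_.Host.Name } } },
        @{ Name = 'EventType'; Expression = { $_.GetType().Name } },
        FullFormattedMessage

# "Who did what": number of events per account in the window
$events | Group-Object UserName | Sort-Object Count -Descending |
    Select-Object Count, Name

# Interactive filtering, plus a CSV copy that outlives the vCenter retention period
$events | Out-GridView -Title 'vSphere events, last 7 days'
$events | Export-Csv -Path '.\vsphere-events.csv' -NoTypeInformation
```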
Web client export
If you don’t want to use PowerCLI, the events view of the vSphere web client allows you to export the events into a CSV file, which you can open in a viewer like Excel.
This method is simple but proven and offers the same possibilities as PowerCLI.
- Go to the event view in vCenter and click Export in the bottom right corner of this pane
- Configure the parameters of the export. You can specify users, severity, a time frame, the number of events and the columns to include. Once you are done, click Generate CSV Report
- When the report is generated, click Save to save the list of events in a CSV file
The CSV file extract is as below:
The tips described above are a quick fix to get access in seconds to older vSphere events, but they should not be relied on for long-term retention or audit purposes. This job should be given to a proper syslog server to which the components of the infrastructure (hosts, vCenter, switches, SAN…) send their logs, so that they can be cross-referenced.