Who snapshot what VM and when

I got a request from my customer to track the VM snapshot operations. They need to track creation and deletion. Basically, who snapshot what VM and when. So I tried in the lab. I simply created a snapshot. I waited for a few seconds, then proceeded to delete it. You can see the activity in the vSphere Web Client below.

Notice the snapshot name is not shown in the vCenter task list. In a production environment, you should have a meaningful snapshot name. If you have a naming pattern, you can actually build a Log Insight query based on it. Let’s see if Log Insight captures the name of the snapshot!

[Image: VM snapshot]

Where do they show up? Well, the awesome folks at Log Insight have created an out-of-the-box dashboard for you. Just go to the “Virtual Machine – Snapshots” dashboard like I did below. Notice Log Insight has categorised the 2 events nicely.

[Image: VM snapshot - 1]

You can drill down to the Interactive Analytics. Here is what they look like. In this example, I’ve modified the chart so it’s simpler for me.

[Image: VM snapshot - 2]

If you want to know the actual query, here is what it looks like. Yup, just 2 variables are all you need. In the example below, I’ve also extended the timeline to the past 7 days as I got curious whether anyone else had taken any snapshots. Good to know no one did.

[Image: VM snapshot - create 001]

Now… can you guess the snapshot name? It’s in the log above. Hint: I was singing an old song by The Beatles. OK, it wasn’t technically singing, it was a bad attempt at singing 🙂

Wait a minute! We have not shown the User who made the changes. To do that, you need to use the vc_username field, and add the word Snapshot in the text field. To make it easier to see, use the Field Table. I’ve provided an example below.

[Image: VM snapshot - 5]

There you go. Now you know who snapshot what VM and when. Have fun combing the logs with Log Insight. Easier than grep, right? 😉 (just kidding!)