As searching and filtering for events in vCenter Server trough vSphere Client somewhat limited (OK, it really sucks, to be honest), itโs usually much faster using PowerCLI, to retrieve, filter & searching events.
The basics. Connecting to vCenter Server via PowerCLI, and get some events
Connecting to vCenter
Connect-VIServer vc-02.esod.localGetting the last 1337 events from vCenter
Get-VIEvent -MaxSamples 1337Getting the last 1337 events from a ESXi host
Get-VMHost esx-11.esod.local | Get-VIEvent -MaxSamples 1337Getting the last 1337 events from a VM
Get-VM dc-02.esod.local | Get-VIEvent -MaxSamples 1337Knowing there is moreโฆ
Since this is basically PowerShell output, you may filter in any way you like, as you might already know, through regular PowerShell. Check all the objects I may retrieve, just for this event first event.
PS /Users/esod> Get-VMHost esx-11.esod.local | Get-VIEvent -MaxSamples 1
EventTypeId : com.vmware.vc.TaHostAttestUnsetEvent
Severity : info
Message :
Arguments :
ObjectId : host-4373
ObjectType : HostSystem
ObjectName : esx-11.esod.local
Fault :
Key : 592127
ChainId : 592127
CreatedTime : 05/19/2021 08:23:42
UserName :
Datacenter : VMware.Vim.DatacenterEventArgument
ComputeResource : VMware.Vim.ComputeResourceEventArgument
Host : VMware.Vim.HostEventArgument
Vm :
Ds :
Net :
Dvs :
FullFormattedMessage : Trusted Host attestation status unset.
ChangeTag :
Adding a filter, to get events, performed by a specific domain (or user)
PS /Users/esod> Get-VIEvent | Where-Object UserName -ilike "esod\*" | Select-Object CreatedTime,ipaddress,username,fullformattedmessage -Last 3
CreatedTime IpAddress UserName FullFormattedMessage
----------- --------- -------- --------------------
05/19/2021 08:15:15 10.0.1.115 ESOD\svc-vmw-log User ESOD\svc-vmw-log@10.0.1.115 logged in as JAX-WS RI 2.2.9-b130926.1035 svn-revision#5f6196f2b90e9460065a4c2f4e30e065b245e51e
05/19/2021 08:14:00 10.0.1.114 ESOD\svc-vmw-vrops User ESOD\svc-vmw-vrops@10.0.1.114 logged out (login time: Wednesday, 19 May, 2021 06:13:59 AM, number of API invocations: 6, user agent: VMware vim-java 1.0)
05/19/2021 08:13:59 10.0.1.114 ESOD\svc-vmw-vrops User ESOD\svc-vmw-vrops@10.0.1.114 logged in as VMware vim-java 1.0
Bonus: If youโre on MacOS and need GridView
Another, maybe cooler way to filter (well, I usually do this), is to just pipe the output to GridView (runs in RAM, hence really, really fast to search), and just apply some filters there. Applying, or re-applying search filter(s), is just as easy as typing something new, on the keyboard.
Notes:
- Steps below is performed from
pwshon my MacOS (does not have Out-GridView by default), hence this might look - If youโre using Windows, youโll native have the โOut-Gridviewโ by default - great! Use that!
If youโre on MacOS (like I am), I previously used to install the module โMicrosoft.PowerShell.GraphicalToolsโ
Install-Module Microsoft.PowerShell.GraphicalToolsNow this used to work just fine, but Iโm currently having trouble getting this to play nice in MacOS Catalina (keeps crashing, etc.). I recently dicovered another cool tool (if using pwsh from MacOS), called Out-ConsoleGridView, released back in 2020.
Install-Module Microsoft.PowerShell.ConsoleGuiToolsI can now pipe a lot of output to the new โOut-ConsoleGridViewโ. Letโs retry the Get-VIEvent, but increase the output to last 999 events
Get-VIEvent | Where-Object UserName -ilike "esod\*" | Select-Object CreatedTime,ipaddress,username,fullformattedmessage -Last 999 | Out-ConsoleGridViewAs you can see from the output below, I now have the possibility to filter on โanythingโ, hence I can throw more output into the GridView, and filter there (in RAM, which is much faster then polling output, again and again).
I may now filter on e.g. the IP, ending in 1.99, by just typing 1.99in the Filter box.
Related articles, discussing topics in more detail
https://devblogs.microsoft.com/powershell/introducing-consoleguitools-preview/ https://www.vembu.com/blog/vsphere-tasks-and-events-tips-to-track/ https://devblogs.microsoft.com/powershell/out-gridview-returns/