As searching and filtering for events in vCenter Server trough vSphere Client somewhat limited (OK, it really sucks, to be honest), it’s usually much faster using PowerCLI, to retrieve, filter & searching events.
The basics. Connecting to vCenter Server via PowerCLI, and get some events
Connecting to vCenter
Getting the last 1337 events from vCenter
Get-VIEvent -MaxSamples 1337
Getting the last 1337 events from a ESXi host
Get-VMHost esx-11.esod.local | Get-VIEvent -MaxSamples 1337
Getting the last 1337 events from a VM
Get-VM dc-02.esod.local | Get-VIEvent -MaxSamples 1337
Knowing there is more…
Since this is basically PowerShell output, you may filter in any way you like, as you might already know, through regular PowerShell. Check all the objects I may retrieve, just for this event first event.
PS /Users/esod> Get-VMHost esx-11.esod.local | Get-VIEvent -MaxSamples 1 EventTypeId : com.vmware.vc.TaHostAttestUnsetEvent Severity : info Message : Arguments : ObjectId : host-4373 ObjectType : HostSystem ObjectName : esx-11.esod.local Fault : Key : 592127 ChainId : 592127 CreatedTime : 05/19/2021 08:23:42 UserName : Datacenter : VMware.Vim.DatacenterEventArgument ComputeResource : VMware.Vim.ComputeResourceEventArgument Host : VMware.Vim.HostEventArgument Vm : Ds : Net : Dvs : FullFormattedMessage : Trusted Host attestation status unset. ChangeTag :
Adding a filter, to get events, performed by a specific domain (or user)
PS /Users/esod> Get-VIEvent | Where-Object UserName -ilike "esod\*" | Select-Object CreatedTime,ipaddress,username,fullformattedmessage -Last 3 CreatedTime IpAddress UserName FullFormattedMessage ----------- --------- -------- -------------------- 05/19/2021 08:15:15 10.0.1.115 ESOD\svc-vmw-log User ESOD\firstname.lastname@example.org logged in as JAX-WS RI 2.2.9-b130926.1035 svn-revision#5f6196f2b90e9460065a4c2f4e30e065b245e51e 05/19/2021 08:14:00 10.0.1.114 ESOD\svc-vmw-vrops User ESOD\email@example.com logged out (login time: Wednesday, 19 May, 2021 06:13:59 AM, number of API invocations: 6, user agent: VMware vim-java 1.0) 05/19/2021 08:13:59 10.0.1.114 ESOD\svc-vmw-vrops User ESOD\firstname.lastname@example.org logged in as VMware vim-java 1.0
Bonus: If you’re on MacOS and need GridView
Another, maybe cooler way to filter (well, I usually do this), is to just pipe the output to GridView (runs in RAM, hence really, really fast to search), and just apply some filters there. Applying, or re-applying search filter(s), is just as easy as typing something new, on the keyboard.
- Steps below is performed from
pwshon my MacOS (does not have Out-GridView by default), hence this might look
- If you’re using Windows, you’ll native have the “Out-Gridview” by default - great! Use that!
If you’re on MacOS (like I am), I previously used to install the module “Microsoft.PowerShell.GraphicalTools”
Now this used to work just fine, but I’m currently having trouble getting this to play nice in MacOS Catalina (keeps crashing, etc.). I recently dicovered another cool tool (if using pwsh from MacOS), called Out-ConsoleGridView, released back in 2020.
I can now pipe a lot of output to the new “Out-ConsoleGridView”. Let’s retry the Get-VIEvent, but increase the output to last 999 events
Get-VIEvent | Where-Object UserName -ilike "esod\*" | Select-Object CreatedTime,ipaddress,username,fullformattedmessage -Last 999 | Out-ConsoleGridView
As you can see from the output below, I now have the possibility to filter on “anything”, hence I can throw more output into the GridView, and filter there (in RAM, which is much faster then polling output, again and again).
I may now filter on e.g. the IP, ending in
1.99, by just typing
1.99in the Filter box.
Related articles, discussing topics in more detail
https://devblogs.microsoft.com/powershell/introducing-consoleguitools-preview/ https://www.vembu.com/blog/vsphere-tasks-and-events-tips-to-track/ https://devblogs.microsoft.com/powershell/out-gridview-returns/