Saturday 11 March 2017

Trace deleted virtual disk in VMware

Or, Tracing deleted VMDK files in VMware
Or, How to check who deleted the virtual disk of the virtual machine in VMware?

Descriptions: First thing first, Once you have deleted the virtual disk by selecting “Delete From Disk” option, VMware cant help you to get it back as they dont have any built-in recovery solution in VMware. You may consult data recovery vendors to check for any possibility of data restoration.

In common scenario, if the disk was deleted by someone else or it was done unknowingly, an administrator is always asked to trace the logs..

At first attempt, VMware administrators prefer to check the task and events of vSphere client which is very much useful in most of the cases but not for all the cases.

For example: If someone have deleted the disk of VM, modified RAM capacity, or Modified CPU capacity, vSphere will have almost similar kind of event for all these actions (like, Reconfigure Virtual Machine). In this case, you will not be able to understand at what stage HDD or deleted and at what stage CPU was updated.

In this article, we will see some available options to trace the logs more efficiently for deleted vmdks.

Steps: How to trace the logs for deleted VMDK?

1. Check for the Tasks and Events in vSphere Client for the affected Virtual Machine and note down the “Reconfigure” event details time stamps
2. Check for the associated Datastore from which the disk was deleted
3. Check for the Host on which this Virtual Machine was running when the Modify event was occurred.












SSH the Host in Putty and run the following commands sequencially

# ls -la
# cd vmfs/volumes
# ls -la
# cd Datastore
# ls -la
# cd VMName
# ls -la
# less vmware.log | less

Search for the logs:

1. (Destroying Virtual Dev for scsix:xxx vscsi=xxxx)
2. (DISKLIB-VMFS : ‘’vmfs/volumes/xxxx-xxxxx-xxxx-xxxx-VMName/VMName-Flat.VMDK” : Closed )





Above two highlighted events gives some clue about VMDK deletion. It was started from term “Destroying” and completed at term “Closed”.

Cheers, Please write me back if you have any query or feedback..

By at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)