Friday, September 12, 2014

How to tell who deleted your Horizon View VM

It's happened to all of us - we go to find a particular desktop in the View Inventory only to find it's not there. You didn't delete, so who did?

Luckily we know better than to survey our co-workers - we can confirm from the logs!

On the Connection Server, navigate to C:\ProgramData\VMware\VDM\logs and check out the DEBUG logs.

Typically you will see a line similar to:

2014-09-11T10:45:18.210-07:00 DEBUG (0B1C-0B47) [ws_TomcatService] STDOUT: 2014-08-11 10:45:18 [com.vmware.vdi.desktopcontroller.PendingOperation]-[DEBUG] Pool floating::Stopping & deleting VM /EUC/vm/Floating/Win7-01.

In this example, if you trace the session ID (0B1C-0B47), you'll also find a line earlier in the log such as:

2014-08-11T10:39:23.053-07:00 DEBUG (0B1C-0B38) [ws_TomcatService] STDOUT: 2014-09-11 10:39:23 [com.vmware.vdi.admin.ui.LoginBean]-[INFO] User ryan has successfully authenticated to View Administrator

And voila! User ryan has been busted.
Share:

0 comments:

Post a Comment