I got a Win Server 2008 R2 on a VM. I think someone accidentally ejected the NIC card that is presented as a hot pluggable device. But I am trying to find proof of that in the windows event logs and I haven't found a thing so far. What should I be looking for?

Thanks

EDIT for clarity:

  1. VMware presents NIC cards and HDDs to Win Srv 2003 and newer VMs as hot-removable devices. This means that if someone doesn't look where they are clicking, they can easily eject the NIC card, and this activity would not get logged in the normal VMware log messages. As per the KB below, which has the fix as well:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1020718

  2. The plugging and unplugging of hot-pluggable removable devices are apparently not logged.

  3. The VM is already fixed. I have the above as a theory as to what happened, but it wouldn't be a very convincing theory without sufficient proof. While I have a screenshot that shows the NIC is presented as a removable device, that is circumstantial. I would rather have a log message that shows "at time xx:xx device removed".

D.Zou
  • Thanks, I did look through the Windows logs and the application and services logs found under Server Manager/Diagnostics. I spent an hour googling those event IDs, and haven't found anything that looks like someone ejecting a hot-pluggable device – D.Zou Feb 24 '15 at 15:33
  • Sounds to me like it's not logged, then. – HopelessN00b Feb 24 '15 at 15:36
  • Isn't the important thing to get it working again? When you say you're trying to find proof it makes me think you're playing the blame game, which doesn't serve anyone, least of all yourself. – joeqwerty Feb 24 '15 at 16:01
  • We already got it working. This is just the post-incident analysis – D.Zou Feb 24 '15 at 16:04
  • I'm going to weigh in and say I don't really understand the downvotes - I think this question is perfectly reasonable and it's totally understandable to want to provide conclusive evidence of what caused a production issue. – Dan Feb 24 '15 at 16:19
  • @joeqwerty hopefully he just means prove his theory, and isn't trying to lay blame. – MDMoore313 Feb 24 '15 at 16:22
  • @Dan I can understand joeqwerty's question; the edit I provided is after his comment made me realize that it could look like I am trying to play the blame game. But this is making quite a big assumption about my situation, and it's a lab environment, not production. – D.Zou Feb 24 '15 at 16:25
  • @D.Zou You wouldn't be able to see because of your low rep, but your question has attracted 2 downvotes to 3 upvotes (giving an overall score of 1). I was just commenting that I don't get the downvotes. – Dan Feb 24 '15 at 16:28
  • Well, if it's a test lab, just perform this action exactly as you describe it and see if your problem condition is replicated. – mfinni Feb 24 '15 at 16:29
  • @mfinni I will have to wait until EOD, there is a tour or some stuff so it's no touch all day – D.Zou Feb 24 '15 at 16:32
  • @D.Zou - My apologies. I didn't intend to start a fire with my comment. I have an aversion to the use of the word "proof" being used in the context of incident analysis because I've only ever heard it used when someone was getting beaten up for making a mistake. I didn't mean to imply that that's what you were doing. Again, my apologies. – joeqwerty Feb 24 '15 at 16:44
  • @joeqwerty it's ok, no offense taken. Around here the code word for the blame train is "RCA" – D.Zou Feb 24 '15 at 20:35

1 Answer

Yes, this will not be clearly logged in the vmware.log or hostd log file. However, depending on your setup, this can still be possible to trace.

If you know the timeframe, you can go to File > Export > Export Events in the vSphere Client (assuming you are using the VI Client, but you haven't mentioned what kind of environment this is...). Select the timeframe and finish. There should then be a "Reconfigure VM" task at that time, including the username of who did it.

A better method is if the VM is on an ESXi host that is part of vCenter Server, as you can find this information in the vCenter database quite easily.

First, create a test VM and remove a network card (or do it on a VM where it won't be a big deal). Next, connect to the vCenter database with SQL Management Studio, and run a SQL query:

select * from vpx_task

Find the task of the NIC being removed, and note the code name of the description for removing a NIC (I am not in front of a SQL DB at the moment, so I cannot test this right now). At a guess, it will be something like networkcard.remove or network.destroy - something along those lines....

Next, run the following query, changing the bit in between the % and % to the description code from above:

select * from vpx_task where description like '%description%'

Example:

select * from vpx_task where description like '%network.destroy%'

Locate the VM and timeframe, and you will see who removed the NIC and when.

user1718443
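As an added example (not part of the answer above and not VMware's own code), the same search done through PowerCLI instead of the vCenter database: it pulls the VM's reconfigure events for a time window and reports every device removal with the user and time, so a NIC removal shows up as a "Network adapter N" entry. The vCenter name, VM name and time window are placeholders to fill in; it assumes the removal was recorded by vCenter as a reconfigure, which is what the answer describes.

```powershell
# Added example: who removed a virtual device (e.g. a NIC) from a VM, and when,
# via PowerCLI's Get-VIEvent rather than a query against vpx_task.
# Placeholders: <vcenter-fqdn>, <vm-name>; the window below is a constructed example.
Connect-VIServer -Server '<vcenter-fqdn>' | Out-Null

$vm     = Get-VM -Name '<vm-name>'
$start  = Get-Date '2015-02-24 00:00'
$finish = Get-Date '2015-02-25 00:00'

# A "Reconfigure VM" task is recorded as a VmReconfiguredEvent; its ConfigSpec
# carries the DeviceChange list that was applied (operation add/remove/edit).
$events = Get-VIEvent -Entity $vm -Start $start -Finish $finish -MaxSamples ([int]::MaxValue) |
    Where-Object { $_ -is [VMware.Vim.VmReconfiguredEvent] }

$removals = foreach ($ev in $events) {
    foreach ($change in @($ev.ConfigSpec.DeviceChange)) {
        # Keep only removals; the Type column tells you what was pulled
        # (VirtualE1000 / VirtualVmxnet3 etc. for a NIC, VirtualDisk for a disk).
        if ($change.Operation -eq 'remove') {
            [pscustomobject]@{
                Time    = $ev.CreatedTime
                User    = $ev.UserName
                VM      = $ev.Vm.Name
                Type    = $change.Device.GetType().Name
                Device  = $change.Device.DeviceInfo.Label   # e.g. "Network adapter 1"
                Message = $ev.FullFormattedMessage
            }
        }
    }
}

if (-not $removals) {
    Write-Host "No device removal recorded for $($vm.Name) between $start and $finish"
} else {
    $removals | Sort-Object Time | Format-Table -AutoSize
}

Disconnect-VIServer -Server '<vcenter-fqdn>' -Confirm:$false
```

If the ejection was done from inside the guest and no reconfigure event appears in the window, that absence is itself the finding, and the vpx_task approach in the answer is the remaining place to look.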