Determine Which User Deleted VM instance
Problem
To find out which user deleted the VM instance. If the customer is unaware of the instance uuid, underlying host or in case of multiple instance deletion.
Environment
- Platform9 Managed OpenStack - v4.0 and Higher
Procedure
Either <INSTANCE_NAME> or <INSTANCE_UUID> should be known.
We have divided the steps into two parts as below:
- Get the underlying host details of deleted VM instance from DB.
- Access ostackhost logs of the underlying host
Lets understand each steps in detail:
- Get the underlying host details of deleted VM instance from Nova DB.
If the HOST at which the VM was running is unknown, please reach out to Platform9 Support.
In the nova DB, below command is run to get the hostname.
mysql> select display_name,created_at,updated_at,deleted_at,uuid,node from instances where display_name="<INSTANCE_NAME>" and updated_at >='<TENTATIVE_DATE>';+-----------------+---------------------+---------------------+---------------------+-----------------+------------+| display_name | created_at | updated_at | deleted_at | uuid | node |+-----------------+---------------------+---------------------+---------------------+-----------------+------------+| [INSTANCE_NAME] | [CREATED_TIMESTAMP] | [UPDATED_TIMESTAMP] | [DELETED_TIMESTAMP] | [INSTANCE_UUID] | [HOSTNAME] |+-----------------+---------------------+---------------------+---------------------+-----------------+------------+1 row in set (0.00 sec)Once the underlying Host is identified, please proceed with the next step.
- Access ostackhost logs of the underlying host
Login to the host to access ostackhost log or use support bundle logs and search for [INSTANCE_UUID] and "destroy the instance" like shown below:
# grep "<INSTANCE_UUID>" /var/log/pf9/ostackhost.log* | grep -i "destroy the instance"[TIMESTAMP] INFO nova.compute.manager [[REQ_ID] [USERNAME_WHO_DELETED] [OTHER_DETAILS] [instance: [INSTANCE_UUID]] Took 1.56 seconds to destroy the instance on the hypervisor.Look for [USERNAME_WHO_DELETED] that shows who performed the delete action.
Was this page helpful?