How to troubleshoot overwrites in change reports for VMWare

6.5 and older
Copy Article URL Copied

Refer to the KB258 for details about how VMWare auditing with Netwrix Auditor works.

Overwrites warnings occur because there is some gap between the last collected and the oldest of newly received events.

Try running collections more frequently by configuring a scheduled task trigger.

If this doesn’t help  please perform the following steps to troubleshot this and localize the problematic place:

  1. Download and install VMWare PowerCLI, this package contains set of Powershell cmdlets which can be used to retrieve audit events from ESX server vCenter.
To download VMWare PowerCLI you need to register on the VMware website,
Alternatively you can download them  from our file service using this link
NOTE. We uploaded them just for the case you are unable to register at VMWare website
The VMWare PowerCLI documentation available here:
  1. Then after receiving a Change report for VMware with event overwrites warning and changes, which as a results of event overwrites were reported as made by system, retrieve audit events  using  VMWare PowerCLI cmdlets  by connecting to vCenter and ESX hosts:
  1. Run  the Connect-VIServer cmdlet and connect to the VMWare host (  by running this command:
 Connect-VIServer %ESXhostname% -User %username% -Password %Password%
  1. Run  the Get-VIEvent cmdlet (  and get all events for last 24 hours by running this command:
Get-VIEvent -Entity *  -Start (Get-Date).AddDays(-1) >> D:%ESX_host_name%.txt

This command will export all available events for all VMs for the last 24 hours and save it to the D:%ESX_host_name%.txt file

  1. Perform these steps for every ESX host which is managed with vCenter specified In the Netwrix Auditor for  VMware
  1. Submit a case and send  us the following information:
  • Events  retrieved with VMWare PowerCLI cmdlets from vCenter and ESX hosts (files created during the steps described in the section 2 above)
  • Received change summary report of VMware (after that receiving which the event files were generated) and inventory report
  • Events from from the following directory %% for the day you the report with warning and day before

Archive these files and provide them with your support case with our Technical Support team.

Having the files with events from every server involved into the VMWare data collection we will be able to see which server events are overwritten and probably why.

Originally KB1845

Go Up