This week I needed to dig into some VMware Horizon View audit logs which were several hours old and no longer appeared in the Administration Console. I tried the DumpViewEvent tool, but it kept crashing; it appears it conflicts with something on my machine. The audit logs are only stored in the database for about 90 days, so it was important for me to retrieve the data without delay. I decided to roll up my sleeves and query the database.
Just like the DumpViewEvent tool, you can easily filter the data to retrieve just what you want. In my case, I wanted to track down any pool settings changed, with info on when the change was made, what the change was and by whom. If you’d like to do the same, just run the following query on the view_Events database:
-- Pool (desktop) edits made by administrators: when, and the full event message
SELECT EventID, Time, ModuleAndEventText
FROM VE_event
WHERE (EventType = N'ADMIN_DESKTOP_EDITED')