I created multiple scripts to identify who started or stopped a VM using the activity log, but I am unable to get the results: the script just executes without any output.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit

Get-AzureRmLog -StartTime 2018-10-01T10:30 -EndTime 2018-10-12T11:30 `
    -ResourceId /subscriptions/S1sub/resourceGroups/SamRG/providers/microsoft.compute/test `
    -DetailedOutput -MaxRecord 100 -InformationAction Stop

Get-AzureRmLog -ResourceGroup samitrg -StartTime 2018-10-01T10:30 `
    -EndTime 2018-10-12T11:30 |
    Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization,scope |
    Export-Csv -Path c:\abc.csv

Get-AzureRmLog -ResourceGroup samitrg -StartTime 2018-10-01T10:30 `
    -EndTime 2018-10-12T11:30 |
    Where-Object OperationName -EQ Microsoft.compute/virtualmachines/deallocate/action

Joy Wang
workhard
  • Any update? Could it solve your issue? – Joy Wang Oct 16 '18 at 01:08
  • @Joy Wang: Thank you for your response. I tried your script but it does not provide an output. It skips to the next line. Am I doing something wrong? `$start = Get-AzureRmLog -ResourceId /subscriptions//resourceGroups//providers/microsoft.compute/ | Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/start/action"}; $start | Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization,scope` – workhard Oct 16 '18 at 15:02
  • I think it will work fine. – Joy Wang Oct 17 '18 at 01:11

2 Answers

Try the command below, adding the extra parameters you need, like -StartTime, -EndTime, etc.; it will work fine.

Start a VM:

$start = Get-AzureRmLog -ResourceId "<ResourceId>" |
    Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/start/action" }
$start | Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization,scope

Stop a VM:

$stop = Get-AzureRmLog -ResourceId "<ResourceId>" |
    Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/deallocate/action" }
$stop | Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization,scope

Joy Wang

I found the solution.

START

Get-AzureRmLog -ResourceId /subscriptions/<SUBID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Compute/virtualMachines/<VMName> `
    -StartTime 2018-10-16T21:30 -EndTime 2018-10-16T21:50 -MaxRecord 20 |
    Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/start/action" } |
    Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization |
    Format-Table -Wrap -AutoSize -Property level,eventtimestamp,caller,resourcegroupname,ID -GroupBy Authorization

STOP

Get-AzureRmLog -ResourceId /subscriptions/<SUBID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Compute/virtualMachines/<VMName> `
    -StartTime 2018-10-16T21:30 -EndTime 2018-10-16T21:45 -MaxRecord 20 |
    Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/deallocate/action" } |
    Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization |
    Format-Table -Wrap -AutoSize -Property level,eventtimestamp,caller,resourcegroupname,ID -GroupBy Authorization

Hope this helps everyone :)

workhard
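The filters in both answers match one action string at a time and print every raw entry, so one stop shows up as two or three rows (Started, then Succeeded or Failed) and a plain "Stop" (powerOff) or a restart is missed entirely. The script below is an added example, not code from the question or either answer: it covers all four VM power-state actions, collapses the entries of one operation by CorrelationId so you get one row per attempt with the caller and the final status, and keeps failed attempts, which matter for attribution. It assumes the AzureRM module (Get-AzureRmLog) and a signed-in session (Connect-AzureRmAccount) for the live helper only; the function names, the sample entries and the identities in them are constructed for this illustration and are not real log data.

```powershell
# Added example, not code from the question or either answer. Assumes the AzureRM
# module (Get-AzureRmLog) and an already signed-in session for the live helper;
# the sample entries at the bottom are constructed so the grouping runs offline.

# Control-plane actions that change a VM's power state. 'powerOff' is the "Stop"
# that keeps the VM allocated (and billed); 'deallocate' is "Stop (deallocate)".
$VmPowerActions = @(
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/restart/action'
)

function Get-VmPowerOperation {
    # Collapses raw activity-log entries into one row per operation. One operation
    # writes several entries (Started, then Succeeded or Failed) that share a
    # CorrelationId; Caller is the identity that submitted the ARM request.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Entry,
        [string[]] $Actions = $VmPowerActions
    )
    begin { $ops = @{} }
    process {
        $action = $Entry.Authorization.Action
        if (-not $action) { $action = $Entry.OperationName }   # fall back when no Authorization block
        if ($Actions -notcontains $action) { return }           # -notcontains is case-insensitive

        $key = $Entry.CorrelationId
        if (-not $ops.ContainsKey($key)) {
            $ops[$key] = [pscustomobject]@{
                Started       = $Entry.EventTimestamp
                Action        = ($action -split '/')[-2]     # start | powerOff | deallocate | restart
                Caller        = $Entry.Caller                 # UPN for users, object/app id for service principals
                Vm            = ($Entry.ResourceId -split '/')[-1]
                Status        = $Entry.Status
                CorrelationId = $key
            }
        }
        else {
            $op = $ops[$key]
            if ($Entry.EventTimestamp -lt $op.Started) { $op.Started = $Entry.EventTimestamp }
            if ($Entry.Status -ne 'Started') { $op.Status = $Entry.Status }   # keep the terminal status
        }
    }
    end { $ops.Values | Sort-Object Started }
}

function Find-VmPowerOperation {
    # Live helper (needs Azure): pull the entries for one VM in a window and collapse them.
    # The activity log keeps 90 days; -MaxRecord bounds how many entries come back.
    param(
        [Parameter(Mandatory)] [string] $VmResourceId,
        [datetime] $Start = (Get-Date).AddDays(-30),
        [datetime] $End   = (Get-Date)
    )
    Get-AzureRmLog -ResourceId $VmResourceId -StartTime $Start -EndTime $End -MaxRecord 1000 |
        Get-VmPowerOperation
}

# Constructed sample (not real log data): a deallocate by a user that succeeded, a start
# by a service principal that failed, and an unrelated 'write' that must be ignored.
$vmId = '/subscriptions/<SUBID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Compute/virtualMachines/<VMName>'
$spn  = '7c2f4d0e-0000-0000-0000-000000000000'   # placeholder service-principal id
$sample = @(
    [pscustomobject]@{ EventTimestamp = [datetime]'2018-10-16T21:40:05Z'; Caller = 'alice@contoso.com'; Status = 'Succeeded'; CorrelationId = 'op-1'; ResourceId = $vmId; Authorization = [pscustomobject]@{ Action = 'Microsoft.Compute/virtualMachines/deallocate/action' } }
    [pscustomobject]@{ EventTimestamp = [datetime]'2018-10-16T21:39:58Z'; Caller = 'alice@contoso.com'; Status = 'Started';   CorrelationId = 'op-1'; ResourceId = $vmId; Authorization = [pscustomobject]@{ Action = 'Microsoft.Compute/virtualMachines/deallocate/action' } }
    [pscustomobject]@{ EventTimestamp = [datetime]'2018-10-16T21:45:10Z'; Caller = $spn;                Status = 'Started';   CorrelationId = 'op-2'; ResourceId = $vmId; Authorization = [pscustomobject]@{ Action = 'Microsoft.Compute/virtualMachines/start/action' } }
    [pscustomobject]@{ EventTimestamp = [datetime]'2018-10-16T21:45:12Z'; Caller = $spn;                Status = 'Failed';    CorrelationId = 'op-2'; ResourceId = $vmId; Authorization = [pscustomobject]@{ Action = 'Microsoft.Compute/virtualMachines/start/action' } }
    [pscustomobject]@{ EventTimestamp = [datetime]'2018-10-16T21:46:00Z'; Caller = 'alice@contoso.com'; Status = 'Succeeded'; CorrelationId = 'op-3'; ResourceId = $vmId; Authorization = [pscustomobject]@{ Action = 'Microsoft.Compute/virtualMachines/write' } }
)

# Offline run over the constructed sample: one row per operation, the 'write' entry dropped.
$sample | Get-VmPowerOperation | Format-Table -AutoSize
```

Two caveats when reading the result. The activity log only records control-plane operations that went through Azure Resource Manager, so a shutdown issued inside the guest OS (shutdown /s, poweroff) leaves the VM in the "Stopped" state with no activity-log entry and no caller; an empty result does not mean nobody stopped the machine. And the log is retained for 90 days, so a query like the one in the question only works for recent windows; for longer attribution, export the activity log to a storage account, Event Hub or Log Analytics workspace.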