堆栈内存溢出
  简体   繁体   English

Activitylog PS-活动发起者

[英]Activitylog PS - Event initiated by

 原文  2018-10-12 20:52:08       azure/ powershell/ azure-powershell/ azure-log-analytics/ oms

问题描述

I created multiple script to identify who started or stopped a Vm using the activity log but unable to get the results - the script just executes without an output 我创建了多个脚本,以使用活动日志来识别谁启动或停止了Vm,但无法获取结果-脚本仅执行而没有输出

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit 

Get-AzureRmLog -StartTime 2018-10-01T10:30 -EndTime 2018-10-12T11:30
 -ResourceId /subscriptions/S1sub/resourceGroups/SamRG/providers/microsoft.compute/test
 -DetailedOutput -Maxrecord 100 -InformationAction stop     

Get-AzureRmLog -ResourceGroup samitrg -StartTime 2018-10-01T10:30
  -EndTime 2018-10-12T11:30 | Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization,scope |
  Export-Csv -Path c:\abc.csv

Get-AzureRmLog -ResourceGroup samitrg -StartTime 2018-10-01T10:30
    -EndTime 2018-10-12T11:30 | Where-Object OperationName -EQ Microsoft.compute/virtualmachines/deallocate/action

2 个解决方案

解决方案1
 0  2018-10-15 02:08:26

Try the command below, add the extra parameters you need, like -StartTime , -EndTime ,etc, it will work fine. 尝试以下命令,添加所需的其他参数,例如-StartTime-EndTime等,它将正常工作。

Start a VM: 启动虚拟机: 

$start = Get-AzureRmLog -ResourceId "<ResourceId>" | Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/start/action"} 
$start | Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization,scope

在此处输入图片说明

Stop a VM: 停止虚拟机: 

$stop = Get-AzureRmLog -ResourceId "<ResourceId>" | Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/deallocate/action"} 
$stop | Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization,scope

在此处输入图片说明

解决方案2
 0  2018-10-16 18:10:11

I found the solution 我找到了解决方案

START 开始 

Get-AzureRmLog -ResourceID /subscriptions/<SUBID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Compute/virtualMachines/<VMName> -StartTime 2018-10-16T21:30 -EndTime 2018-10-16T21:50 -MaxRecord 20 | Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/start/action"} | Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization | Format-table -wrap -AutoSize -Property level,eventtimestamp,caller,resourcegroupname,ID -groupby Authorization

STOP 

Get-AzureRmLog -ResourceID /subscriptions/<SUBID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Compute/virtualMachines/<VMName> -StartTime 2018-10-16T21:30 -EndTime 2018-10-16T21:45 -MaxRecord 20 | Where-Object { $_.Authorization.Action -eq "Microsoft.Compute/virtualMachines/deallocate/action"} | Select-Object level,eventtimestamp,caller,ID,resourcegroupname,Authorization | Format-table -wrap -AutoSize -Property level,eventtimestamp,caller,resourcegroupname,ID -groupby Authorization

Hope this helps everyone :) 希望这对大家有帮助:)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何查找由ID发起的Azure事件 - How look up Azure Event Initiated By ID 仅在用户发起事件时触发警报 - Trigger Alert when Event is Initiated by Users only 在LogAnalytics中跟踪从Azure ActivityLog中删除资源 - Track Resource deletion from Azure ActivityLog in LogAnalytics Azure AD SAML身份验证SP已启动 - Azure AD SAML Authentication SP-initiated SP 发起的单点登录 - SP Initiated Single Sign-on Azure下载.ps1 - Azure download.ps1 Azure 中 IDP 发起的 SSO 失败,OKTA 作为 IDP - IDP initiated SSO fails with OKTA as an IDP in Azure Azure DSC - 执行 PS 脚本 - Azure DSC - Execute PS Script 仅授予PS访问特定VM的权限? - Only give PS access to a specific VM? 创建可由任何人启动的自定义 SQL Azure 警报 - Create an custom SQL Azure Alert that can be initiated by anyone
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM