AZ Cli get vm creator user name or email - azure

I'm trying to fetch the event initiated by i.e. email id of the user who created the vm using az cli.
I tried running
az monitor activity-log list -g "resgroupname" --resource-id "my-res-id"
but it lists me all the vm details.
I'm trying to list the event of one vm by passing the resource id.
https://learn.microsoft.com/en-us/cli/azure/monitor/activity-log?view=azure-cli-latest

You need to make use of a query filter with the above cmdlet in order to pull the user name (Caller) who initiated the create vm operation from the activity logs.
az monitor activity-log list -g <resourceGroupName> --resource-id <VMResourceId> --query "[?contains(operationName.value,'Microsoft.Compute/virtualMachines/write')].{name:operationName.value,caller:caller,createdtime:submissionTimestamp}" -o table
I have tested the above cmdlet in my local environment (Cloud Shell), by creating a Log Analytics workspace and projecting the activity logs of the resource group to that Log Analytics workspace.
Here is the sample output for reference:


Possibility to create and delete databricks resources via Azure CLI deployments

Normally when you create resources using ARM templates and the azure CLI you can create using:
az deployment group create --resource-group $resourceGroupName --template-file "infra/template.json" --parameters "infra/parameters.json"
Then when I want to delete the resources I can:
az group delete --name $resourceGroupName
However, with Databricks this will create other resource groups as well. Even if you delete the DB resource group, you've still got these other lingering resource groups. I'd like to be able to delete the databricks AND all of the other resources that were created, without having to do extra manual steps.
Any idea of a clean way to do this?
The managed resource group created by Databricks cannot be deleted manually since it was created by the Databricks resource itself. The deny assignment prevents deletion of the managed resource group.
One way to remove the resource is to delete the existing workspace. The following is an example using the Azure CLI.
Through AZURE CLI
I have created resource group tvs and databricks tvs for the demo purpose
Delete resource
Use following command in AzureCLI to delete a resource.
az resource delete \
  --resource-group tvs \
  --name tvs \
  --ids *****
(NOTE : ids is the id of the resource that can be picked from JSON view)
Before deletion
After deletion
Delete resource group
Use following command in AzureCLI to delete the resource group.
az group delete --name tvs
Azure doesn’t currently provide a way to delete multiple resource groups at the same time.
Here’s a method that works for me.
1. Open Azure Portal
2. Click on Resource Groups
3. Select the Resource Groups that you want to delete
4. Click “Assign tags”
5. Assign a new tag called “disposable-service” (can be named anything) and set the tag value to true
6. Open Azure Cloud Shell https://shell.azure.com or click on the Azure Shell icon in the Azure Portal toolbar.
7. Paste the following script into Cloud Shell and hit enter.
az group list --tag disposable-service=true --query "[].[id]" --output tsv

az vmss list command returns empty value

I have two resource groups in Azure, each contains one VMSS (Virtual Machine Scale Sets) and the resources are visible in Azure Portal. The problem is, the following commands return empty output:
az resource list --subscription MySubscription -g vmss-rg
az vmss list --subscription MySubscription -g vmss-rg
az vmss list
However, running az resource list with different resource groups which doesn't have VMSS works fine. I also tested it with different Azure account and subscription, it also worked.
We have tested the same command in our local as suggested by #VenkateshDodda-MT and it works fine. Posting it as an answer to help other community members for the similar issue so that they can find and fix their problem.
To achieve the above requirement we need to install the az powershell module in our local environment.
After that, run the command in PowerShell to get the VMSS list under our subscription or resource groups:
az resource list --resource-type "Microsoft.Compute/virtualMachineScaleSets"
OUTPUT:-
To get the VMSS list under particular resource group run the below cmd:
az resource list --resource-type "Microsoft.Compute/virtualMachineScaleSets" -g '<rgName>'
OUTPUT:-
For more information, please refer to this SO thread: Azure PS command returns empty list, as suggested by #Olga Osinskaya - MSFT

AZ command to fetch Azure Monitor logs

I have to fetch logs using AZ commands:
If I add a filter on Resource Group, it is not giving any result.
For example:
The following command is working fine:
az monitor activity-log list --subscription "subscription1"
In the result I am getting logs for ResourceGroup1.
But when I execute following:
az monitor activity-log list --resource-group "ResourceGroup1"
It is giving 0 result.
I am using "azure-cli": "2.26.1"
You can use the below command to read monitor activity logs at resource group level
az monitor activity-log list -g "resource-group"
Here is the command to pull activity monitor logs with filters
az monitor activity-log list -g 'resource-group' --start-time 2021-07-29T12:00:00 --select {ResourceGroupName,EventTimestamp,CorrelationId,ResourceId} -o table
When we do AZ login, there is one field "isDefault": true for only one subscription (Default subscription of your account). For other Subscriptions, it will be False.
You will get results for all RGs under default Subscription. For other RGs, it will give 0 result.
Therefore, when you apply a filter on an RG, you need to confirm that its corresponding subscription is set as default. You can set it as follows:
az account set -s <subscription ID>

azure create service-principal for iot hub

I get an ERROR: The request did not have a subscription or a valid tenant level resource provider. when trying to create a service principal via the azure cli under the scope of an Azure Iot Hub. I'm using the CLI (bash) but python would be sufficient, too.
As shown at end, i have correct credentials & rights to create sp's in this subscription, and i have owner rights to the iot hub in question.
In case i'm missing a better way to accomplish this, here is the context: We need to authenticate a job that automates the registration of new devices immediately after they are flashed, before they are shipped off to be plugged in. This does many things to customize the flashed filesystem (add unique device hostname & local passwords, for instance); and finally it needs to register the device with IotHub.
az iot hub device-identity create --device-id [device id] --hub-name [hub name] --edge-enabled
With my user permissions, i can az login and accomplish all of this - but it needs to run in an automated job with no interactive login. I believe service principal is the way to accomplish this (?).
Thus, attempting to create the principal I run:
# the following pulls a valid(looking) `"/subscriptions/NAME/resourceGroups/THEGROUP/providers/Microsoft.Devices/IotHubs/THEHUB"`
IOTHUB_ID="$(az iot hub show --name TheHubName --query id)"
az ad sp create-for-rbac --name http://my-iothub-serviceprincipal --scopes $IOTHUB_ID --role contributor --query password --output tsv
which fails with the following as above (Note: contributor is too broad, will be a custom-role later):
WARNING: Role assignment creation failed.
ERROR: The request did not have a subscription or a valid tenant level resource provider.
as a test to ensure i have the right az login and other local state, the following analogous command for an Azure ACR scope does succeed, with a new service principal visible in the portal.
ACR_ID="$(az acr show --name TheAcrName --query id)"
az ad sp create-for-rbac --name http://acr-service-principal-foobar --scopes $ACR_ID --role acrpull --query password --output tsv
This was caused by a bug in the azure CLI. az iot hub show is returning an improperly quoted string; az acr show for example does not.
az iot hub show --name your-iothub-name --query id returns a string like the following. both quotes " are in the original
'"/subscriptions/guid/.../IotHubs/your-iothub-name"'
az acr show --name your-acr-name --query id returns the same format string, but without the extra ' quoting.
"/subscriptions/.../registries/your-acr-name"
az iot hub device-identity create cannot deal with the '"..."' (understandable) but unfortunately doesn't fail cleanly, making this a bit difficult to track down as quoting blends in a bit for script output.
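A guard for the failure described in this answer, as an added example that is not part of the original post: it strips the stray quoting from a captured resource ID and refuses to continue if the result is not shaped like a resource ID, so an unattended provisioning job stops before the role assignment instead of failing obscurely. The function names and the sample ID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the sample
# ID are constructed. `az ... --query id` with the default JSON output prints
# the ID wrapped in double quotes; `--output tsv` prints it bare.

# Constructed sample: an ID carrying both quote layers shown in the answer.
SAMPLE_RAW="'\"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/THEGROUP/providers/Microsoft.Devices/IotHubs/THEHUB\"'"

# Remove every layer of surrounding single or double quotes.
strip_quotes() (
  s=$1
  while :; do
    prev=$s
    s=${s#\"}; s=${s%\"}
    s=${s#\'}; s=${s%\'}
    [ "$s" = "$prev" ] && break
  done
  printf '%s\n' "$s"
)

# Print a clean resource ID on stdout, or explain on stderr and return 1.
normalize_scope() (
  id=$(strip_quotes "$1")
  case $id in
    *\"*|*\'*|*' '*)
      echo "scope contains embedded quotes or spaces: $id" >&2; exit 1 ;;
    /subscriptions/?*/[Rr]esource[Gg]roups/?*/providers/?*/?*/?*)
      printf '%s\n' "$id" ;;
    *)
      echo "not a resource ID: '$id'" >&2; exit 1 ;;
  esac
)

# In the job (needs a logged-in az session, so shown as comments only):
#   raw=$(az iot hub show --name TheHubName --query id)
#   scope=$(normalize_scope "$raw") || exit 1
#   az ad sp create-for-rbac --scopes "$scope" --role contributor
```

An empty result or a literal null from a failed lookup is rejected the same way, which keeps a bad scope from reaching the role assignment step.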

Connecting Azure Activity Log to Log Analytics instance using Az CLI

Is there a way to configure Azure Activity logs to be forwarded to a Log Analytics instance using Azure CLI?
Hopefully equivalent to the PowerShell command:
New-AzureRmOperationalInsightsAzureActivityLogDataSource -ResourceGroupName <LogAnalyticsOMSWorkspaceResourceGroupName> -WorkspaceName <LogAnalyticsOMSWorkspaceName> -Name <NameOfThisOperationalInsightsAzureActivityLogDataSource> -SubscriptionId <SubscriptionId>
Significant changes have been made to Azure Monitor recently, with different services being consolidated in order to simplify monitoring for Azure customers.
Dedicated Azure CLI commands under the set az monitor activity-log alert are available for managing activity log alert rules.
To create a new activity log alert rule, use in this order:
az monitor activity-log alert create: Create new activity log alert rule resource
az monitor activity-log alert scope: Add scope for the created activity log alert rule
az monitor activity-log alert action-group: Add action group to the activity log alert rule
To retrieve one activity log alert rule resource, the Azure CLI command az monitor activity-log alert show can be used. For viewing all activity log alert rule resources in a resource group, use az monitor activity-log alert list. Activity log alert rule resources can be removed using the Azure CLI command az monitor activity-log alert delete.
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log#cli
