how to check who shutdown azure vm?

Kishore-Reddy.Byreddy 85 Reputation points
2023-05-26T11:15:37.4733333+00:00

Hi Team,

I've few VM's in Stopped state in my subscription. These VMs are in stopped state for more than 6 months. I need to collect the information, that when these VMs are stopped and which user has initiated the shutdown. There are no logs under "Activity log" for any of the VM.

Can please let me know if there are any other alternatives to find these details. Thanks in advance.

Thanks & Regards,

Kishore

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,071 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jackson Martins 9,636 Reputation points MVP
    2023-05-26T13:02:12.4733333+00:00

    Hi @Kishore-Reddy.Byreddy

    Azure only retains activity logs for a limited period 90 days, You can try use CLI from Azure Cloud Shell

    First, you need to find the ID of your virtual machine using the following command:

    az vm show --name Your_VM_Name --resource-group Your_Resource_Group --query id --output tsv

    Replace Your_VM_Name with the name of your virtual machine and Your_Resource_Group with the name of the resource group in which the VM is located.

    After you've obtained the ID of the virtual machine, you can use it to query the Azure activity log:

    az monitor activity-log list --resource-id Your_VM_Id --output table

    Replace Your_VM_Id with the ID you obtained in the previous command.

    This will return a list of all activities related to your virtual machine. You can look for entries with the "Operation Name" column set to "Deallocate Virtual Machine" or "Shut Down Virtual Machine". The date and time of the virtual machine shutdown will be in the "Event Timestamp" column.

    User's image

    Get in touch if you need more help with this issue.

    --please don't forget to "[Accept the answer]" if the reply is helpful--

    0 comments
  2. Kishore-Reddy.Byreddy 85 Reputation points
    2023-05-27T00:04:31.8+00:00

    Hi Jackson,

    Thanks for your reply.

    There was no output returned for the second command. Please find the screenshot below. Please let me know If I'm missing something. Thanks.

    User's image

    0 comments
  3. Srivathsav, Sai 0 Reputation points
    2023-10-09T07:54:31.0266667+00:00

    Please use the offset option to specify the query range.

    az monitor activity-log list --resource-id "/subscriptions/<sub-id>/resourceGroups/<rg-id>/providers/Microsoft.Compute/virtualMachines/<vm-name>" --offset 3d

    https://learn.microsoft.com/en-us/cli/azure/monitor/activity-log?view=azure-cli-latest#az-monitor-activity-log-list()

    --offset
Time offset of the query range, in ##d##h format.

default value: 6h
    0 comments