Notification about SSH connection to Linux VM

Question

Notification about SSH connection to Linux VM

Belan Marek 56

Hi
we build Linux Ubuntu VM on Azure with public IP , and SSH enabled.
I build log analytics on it.

How can i get notification when someone connect SSH?
What i find is NSG flow logs, but this can log only to Storage. And this is pain to find some info there.

2 answers

Your answer

Answer 1

@Belan Marek
I understand you wish to get notifications whenever there is an SSH session made to your Linux VM. Please correct me if I am misunderstanding.

If you have your VM onboarded in the Azure Monitor Virtual Machine Insights, then, in the Log Analytics Workspace where the agents are connected, you will get details about each connection that every process running on the agents are initiating / receiving.
All that data is stored in a table called VMConnection, and then you could use a query like this to find out the required info:

VMConnection
| where Direction == "inbound"
| where Protocol == "tcp"
| where DestinationPort == 22
| summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated),NumberOfConnections = count() by Computer, RemoteIp

The above query how many incoming SSH connections (TCP 22) were detected from each RemoteIP, together with some additional information like when the first and last connections were done. You should be able to create an alert based on monitoring the above information.

Another popular option not exclusive to Azure is to setup an email alert from the VM. This will send an email everytime someone logins with SSH to your server. Please see this blog post for information on how this can be done.

Hope this helps. Let me know if you have further questions or need help.

-------------------------------

Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there.
There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

Belan Marek 56 Reputation points

2022-03-07T06:39:59.813+00:00

I setup shit sollution but dont have any table VMConnection
Belan Marek 56 Reputation points

2022-03-07T16:29:13.487+00:00

I have possibility to upgrade on AZ Monitor but its always failed

i found this
https://github.com/Azure/azure-linux-extensions/issues/1284

so it look broken
Belan Marek 56 Reputation points

2022-03-22T06:23:41.277+00:00

by this doccument its not supported on Ubuntu 20.04

https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-health-enable?tabs=powershell

Answer 2

Manu Philip 20,206 MVP Volunteer Moderator

Have a look at the procedure I shared here: https://learn.microsoft.com/en-us/answers/questions/764226/is-it-possible-to-create-an-alert-when-someone-log.html
Hope, this helps you also

Belan Marek 56 Reputation points

2022-03-09T11:57:47.187+00:00

Hi i have enabled Gues Level Monitoring but i dont have table VMConnection
Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-09T12:34:43.497+00:00

Have you tried re-installing VM Insight? https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-dependency-agent-maintenance#upgrade-linux-agent
If it didn't fix the issue, check if you can troubleshoot the VM Insight: https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-troubleshoot
Belan Marek 56 Reputation points

2022-03-10T12:59:18.41+00:00

I try all of this nothing help.

I have posibility to upgrade agent

this task failed
ZabbixServer/GuestHealthLinuxAgent
Microsoft.Compute/virtualMachines/extensions
Conflict
Operation details
"message": "The handler for VM extension type 'Microsoft.Azure.Monitor.VirtualMachines.GuestHealth.GuestHealthLinuxAgent' has reported terminal failure for VM extension 'GuestHealthLinuxAgent' with error message: '[ExtensionOperationError] Non-zero exit code: 178, /var/lib/waagent/Microsoft.Azure.Monitor.VirtualMachines.GuestHealth.GuestHealthLinuxAgent-1.0.54/./scripts/install.py\n[stdout]\nInitializing Logger in logger.py\n2022-03-09 08:07:25: INFO: Successfully created ConsoleLogger\n2022-03-09 08:07:25: INFO: Starting to parse the HandlerEnvironment\n2022-03-09 08:07:25: INFO: Successfully parsed the HandlerEnvironment, got the following log_path : /var/log/azure/Microsoft.Azure.Monitor.VirtualMachines.GuestHealth.GuestHealthLinuxAgent\n2022-03-09 08:07:25: INFO: Logging will continue at /var/log/azure/Microsoft.Azure.Monitor.VirtualMachines.GuestHealth.GuestHealthLinuxAgent/vmGuestHealthAgent.log\n\n\n[stderr]\nRunning scope as unit: install_a5513181-c40b-4963-8ab9-e52803bf730d.scope\n'.\r\n \r\n'Install handler failed for the extension. More information on troubleshooting is available at https://aka.ms/vmextensionlinuxtroubleshoot'"

i try remove agent and still the same erorr.
Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-10T14:38:47.737+00:00

Have you checked the page shows the troubleshooting methods of vm extension here: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/vmext-troubleshoot
Belan Marek 56 Reputation points

2022-03-22T06:19:45.123+00:00

i find this in /var/log/azure/Microsoft.Azure.Monitor.VirtualMachines.GuestHealth.GuestHealthLinuxAgent/vmGuestHealthAgent.log

The VM doesn't have systemctl
root - ERROR - Unsupported Operating System. OS distribution: Ubuntu OS Version: 20.04

so Ubuntu 20.04 is not supported for this ????????????????????????

Share via

Notification about SSH connection to Linux VM

2 answers

Your answer