How to get cmd logs that cannot be deleted in azure vm or bastion

진우 정 0 Reputation points
2024-08-23T02:22:42.8+00:00

Hi I want to check the command line log of the user using the ssh session of azure bastion or the log for the session accessed by the ssh in vm.

It is possible through history command within os, but these logs can be deleted, so I want to know if I can extract these logs as an azure service or see if I can.

Azure Bastion
Azure Bastion
An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.
268 questions
Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
3,275 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Prrudram-MSFT 27,251 Reputation points
    2024-08-23T06:18:19.0933333+00:00

    Hello @진우 정

    To access the logs of the remote sessions established through Azure Bastion, you can enable diagnostics logs on Azure Bastion. Once enabled, you can access the logs directly from the storage account that you specified while enabling the diagnostics settings.

    Here are the steps to enable diagnostics logs on Azure Bastion:

    In the Azure portal, go to your Azure Bastion resource and select Diagnostics settings from the Azure Bastion page.

    Select Diagnostics settings, then select +Add diagnostic setting to add a destination for the logs.

    On the Diagnostics settings page, select the type of storage account to be used for storing diagnostics logs.

    When you complete the settings, it will look similar to this example:

    example settings

    Once you have enabled diagnostics logs, you can access the logs by navigating to your storage account resource, then to Containers. You will see the insights-logs-bastionauditlogs blob created in your storage account blob container. As you go inside the container, you will see various folders in your blob. These folders indicate the resource hierarchy for your Azure Bastion resource. Navigate to the full hierarchy of your Azure Bastion resource whose diagnostics logs you wish to access/view. The 'y=', 'm=', 'd=', 'h=' and 'm=' indicate the year, month, day, hour, and minute respectively for the resource logs. Locate the json file created by Azure Bastion that contains the diagnostics log data for the time-period navigated to.

    However, please note that the logs generated by Azure Bastion are related to the connection establishment and management, and not the logs generated by the user's SSH session. If you want to access the logs generated by the user's SSH session, you will need to access the logs within the OS of the VM.

    Hope this helps!

    If I have answered your query, please click "Accept as answer" as a token of appreciation

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.