Setting up Stackdriver alert on accessing a VM in GCP
Posted by Tudip at 06:10
15 October 2020
This blog describes how to get auth logs into Stackdriver Logging whenever anyone logs in to a VM on GCP, and how to set up a Stackdriver alert notification from those auth logs via email.
Stackdriver Alert
The Alerting option comes under Stackdriver Monitoring. It provides timely awareness of problems in your cloud application via different channels so that you can solve them quickly.
Steps to get auth logs and set up an alert on accessing the VM (Linux):
Create a Linux VM on GCP.
Log in to the VM (SSH into the VM).
Execute below commands to install the Logging agent.
Go to the directory /etc/google-fluentd/config.d
Open syslog.conf file with any editor (e.g. nano syslog.conf).
Add the following code to this file:
The above code will read and tag the auth logs and post them to the Stackdriver logs.
Go to the Stackdriver Logging console on GCP and filter the auth logs for that particular instance. You can use the Advanced filter option for better filtering.
The auth log title should look like this: “session opened for user USERNAME”.
After filtering the logs, create a metric from the filtered logs.
Now create an alert from the log-based metric: go to the Log-based metric section and find the metric you have just created. Click the three dots at the far right of the metric name, then click “Create alert from metric”.
Check that resource type and metric are selected as follows:
Resource Type: GCE VM Instance
Metric: logging/user/[YOUR_METRIC_NAME]
Note: [YOUR_METRIC_NAME] – Make sure this is the metric name that you created earlier.
Leave all the other fields at their defaults for now, then save the configuration. If you want to customize other settings such as condition, threshold, chart type, aggregator, etc., you can check the official Google documentation.
You will be redirected to the Alerting page; give the alerting policy a name.
Click on “Add notification channel”.
Choose Email as the notification channel type (or choose any other type).
Enter the email address at which you want to receive the alert email.
(Optional) If you want the email to include a body, add that body to the documentation field, then save the policy.
All done! Now whenever any user logs in to the VM, a Stackdriver notification will be sent to the email address you added to the notification channel, with the body you entered in the documentation field.
Note: Auth logs take some time to appear in Stackdriver Logging.
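The following Python sketch is an added example, not code from the original post. It runs the post's match text, “session opened for user”, over constructed auth.log lines to show that the same text is also logged for cron, sudo and su sessions, so a metric built on it counts more than SSH logins. The sample lines, host name, user names and function names are assumptions that follow the standard pam_unix message format.

```python
import re
from collections import Counter

# Constructed sample lines in the usual /var/log/auth.log layout (not from the post).
SAMPLE_AUTH_LOG = """\
Oct 15 06:10:01 web-1 CRON[2211]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 15 06:10:01 web-1 CRON[2211]: pam_unix(cron:session): session closed for user root
Oct 15 06:12:44 web-1 sshd[2304]: Accepted publickey for alice from 203.0.113.7 port 51122 ssh2
Oct 15 06:12:44 web-1 sshd[2304]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Oct 15 06:13:02 web-1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Oct 15 06:14:10 web-1 sshd[2350]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Oct 15 06:20:31 web-1 su: pam_unix(su:session): session opened for user postgres(uid=114) by alice(uid=1001)
"""

PAGE_SUBSTRING = "session opened for user"  # the text the post filters on

# pam_unix names the PAM service that opened the session; newer versions
# append "(uid=N)" directly to the user name, so stop at "(" or whitespace.
SESSION_OPEN = re.compile(
    r"pam_unix\((?P<service>[\w.-]+):session\): "
    r"session opened for user (?P<user>[^\s(]+)"
)

def matched_by_page_filter(log_text):
    """Lines a metric built on the bare substring would count."""
    return [line for line in log_text.splitlines() if PAGE_SUBSTRING in line]

def sessions_by_service(log_text):
    """Count session-open events per PAM service (sshd, sudo, cron, ...)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SESSION_OPEN.search(line)
        if m:
            counts[m.group("service")] += 1
    return counts

def remote_logins(log_text, services=("sshd",)):
    """Users whose session was opened by one of the given services, in log order."""
    hits = (SESSION_OPEN.search(line) for line in log_text.splitlines())
    return [m.group("user") for m in hits if m and m.group("service") in services]

if __name__ == "__main__":
    print(len(matched_by_page_filter(SAMPLE_AUTH_LOG)), "lines match the bare substring")
    print(dict(sessions_by_service(SAMPLE_AUTH_LOG)))
    print("SSH logins:", remote_logins(SAMPLE_AUTH_LOG))
```

To alert only on SSH logins, narrow the metric's filter so that it also requires the text pam_unix(sshd:session).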