It usually happens with all of us Azure VM got rebooted suddenly and no activity was going on and we need to figure out who did this . So yes we can have the details from Azure Portal Activity log and if its done from inside we can check system logs to check who performed the action.
Below is the small script to find out who did it from inside and it shows the results as below.
It could be the possibility something wrong from Host side and machine got rebooted from backed.
gwmi win32_ntlogevent -filter "LogFile='System' and EventCode='1074' and Message like '%restart%'" | select User,@{n="Time";e={$_.ConvertToDateTime($_.TimeGenerated)}}
User Time
---- ----
NT AUTHORITY\SYSTEM 6/12/2019 1:18:03 PM
POWER\azadmin 6/12/2019 1:16:14 PM
POWER\azadmin 5/14/2019 10:04:41 AM
The VM is hosted on a physical server that is running inside an Azure datacenter. The physical server runs an agent called the Host Agent in addition to a few other Azure components. When these Azure software components on the physical server become unresponsive, the monitoring system triggers a reboot of the host server to attempt recovery. The VM is usually available again within five minutes and continues to live on the same host as previously.
Because some host server faults can be specific to that server, a repeated VM reboot situation might be improved by manually redeploying the VM to another host server. This operation can be triggered by using the redeploy option on the details page of the VM, or by stopping and restarting the VM in the Azure portal.
No comments:
Post a Comment