Setting up Stackdriver alert on accessing a VM in GCP

15 October 2020

This post describes how to get a VM's auth logs into Stackdriver Logging whenever anyone logs in to the VM on GCP, and how to set up a Stackdriver alert that sends an email notification based on those auth logs.

Stackdriver Alert

Alerting comes under Stackdriver Monitoring. It gives you timely awareness of problems in your cloud applications through different channels so that you can resolve them quickly.

Steps to get auth logs and set up an alert on accessing the VM (Linux):

  1. Create a Linux VM on GCP.
  2. Log in to the VM (SSH into the VM).
  3. Run the commands to install the Logging agent.
  4. Go to the directory /etc/google-fluentd/config.d
  5. Open the syslog.conf file with any editor (e.g. nano syslog.conf).
  6. Add the following code to this file:
    The above code reads and tags the auth logs and posts them to Stackdriver Logging.
  7. Go to the Stackdriver Logging console on GCP and filter the auth logs for that particular instance. You can use the Advanced filter option for more precise filtering.
  8. The auth log title should look like this: “session opened for user USERNAME”.
  9. After filtering the logs, create a metric from the filtered logs.
  10. Now create an alert from the log-based metric: go to the Log-based metric section and find the metric you have just created. Click the three dots at the far right of the metric name, then click “Create alert from metric”.
  11. Check that resource type and metric are selected as follows:
    1. Resource Type: GCE VM Instance
    2. Metric: logging/user/[YOUR_METRIC_NAME]
      Note: [YOUR_METRIC_NAME] – Make sure this is the metric name that you created earlier.
  12. Leave all the other fields at their defaults for now, then save the configuration. If you want to customize other settings such as condition, threshold, chart type, aggregator, etc., see the official Google documentation.
  13. You will be redirected to the Alerting page; give the alerting policy a name.
  14. Click on “Add notification channel”.
  15. Choose Email as the notification channel type (or choose any other type).
  16. Enter the email address at which you want to receive the alert email.
  17. (Optional) If you want the email to include a body, add that body to the documentation field, then save the policy.

All done! Now whenever any user logs in to the VM, a Stackdriver notification will be sent to the email address you added to the notification channel, with the body you entered in the documentation field.

Note: Auth logs take some time to appear in Stackdriver Logging.
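
The phrase from step 8 is also written when cron, sudo and other PAM services open a session, so a metric built on the phrase alone counts more than logins. As an added example (not from the original post), this Python script runs over constructed auth.log lines and separates SSH sessions from the rest; the function names and the sample hosts, users and addresses are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the usual /var/log/auth.log syslog layout.
SAMPLE_AUTH_LOG = """\
Oct 15 09:12:01 web-1 CRON[2211]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 15 09:14:37 web-1 sshd[2290]: Accepted publickey for alice from 203.0.113.7 port 50514 ssh2
Oct 15 09:14:37 web-1 sshd[2290]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Oct 15 09:15:02 web-1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Oct 15 09:20:44 web-1 sshd[2301]: Failed password for invalid user admin from 198.51.100.23 port 41822 ssh2
Oct 15 09:31:10 web-1 sshd[2350]: pam_unix(sshd:session): session opened for user bob(uid=1001) by (uid=0)
Oct 15 09:40:00 web-1 sshd[2290]: pam_unix(sshd:session): session closed for user alice
"""

# Captures: time, host, program, optional pid, PAM service, user.
# Some systems append "(uid=N)" to the user name; it is stripped from the capture.
SESSION_OPENED = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s"
    r"pam_unix\((?P<service>[^:)]+):session\):\s"
    r"session opened for user (?P<user>\S+?)(?:\(uid=\d+\))?(?:\s|$)"
)


def session_events(log_text):
    """Return one dict per 'session opened for user' line, for any PAM service."""
    matches = (SESSION_OPENED.match(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def ssh_logins(log_text, services=("sshd",)):
    """Keep only sessions opened through the given PAM services (SSH by default)."""
    return [e for e in session_events(log_text) if e["service"] in services]


def logins_per_user(log_text):
    """Count SSH logins per user, the number a login metric should report."""
    return Counter(e["user"] for e in ssh_logins(log_text))


if __name__ == "__main__":
    events = session_events(SAMPLE_AUTH_LOG)
    print("phrase matches by service:", dict(Counter(e["service"] for e in events)))
    for e in ssh_logins(SAMPLE_AUTH_LOG):
        print(f"SSH login: {e['user']} on {e['host']} at {e['time']} (pid {e['pid']})")
```

Narrowing the Logging filter in step 7 the same way, by requiring the sshd service in the matched text, keeps cron and sudo sessions from triggering the email alert.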
