Sooo… someone switched off a VM instance that was definitely supposed to stay running, and now everyone in the meeting room is suddenly fascinated by the ceiling tiles?
No worries. GCP has this thing called Cloud Logging, and yes — it happily snitches on whoever stopped or started your Compute Engine instance.
Find Who Stopped a Compute Engine VM
Run the following query in Google Cloud Logging:
resource.type="gce_instance"
protoPayload.methodName="v1.compute.instances.stop"
protoPayload.resourceName:"INSTANCE_NAME"
This will show you:
- When it happened
- Which account performed the action
Find Who Started a VM in GCP
This also works the other way around if someone decided to resurrect a VM that was supposed to remain peacefully powered off.
Use this query:
resource.type="gce_instance"
protoPayload.methodName="v1.compute.instances.start"
protoPayload.resourceName:"INSTANCE_NAME"Output is similar to the stop except this time it shows for the start.
These audit logs are enabled by default.
The events you’re querying (compute.instances.start and compute.instances.stop) fall under Admin Activity Audit Logs, and Google Cloud automatically keeps those enabled for all projects. You do not need to manually turn them on.
0 Comments