Where can I find the IP address of the people who connected to my Azure server?

Krisse Casimiro 0 Reputation points
2024-03-28T06:53:56.5633333+00:00

Hello, I would like to know where or how I can find the IP addresses of anyone who accessed my Azure virtual machine. What happened was, one of the web services was accessed by an unauthorized user. The web service was a test application, and very few knew how to access it. The unauthorized user has for some reason gained access to the web service and spammed the service, causing several problems.

Basically, I would like to have a log or similar report that shows which IP address/es connected to the server during a specific date and time.

Unfortunately, the web service did not have any log mechanism at the time when the unauthorized user accessed it.

I tried to look for logs using Windows Event and Azure's NSG but it says I need Insights. If that is the case, if I subscribed to Insights, will I be able to view the log from a month ago?

The server is a virtual machine with Windows Server 2019.

Any help is much appreciated. Thanks in advance.


1 answer

  1. TP 75,736 Reputation points
    2024-03-28T07:10:18.06+00:00

    Hi Krisse,

    Typically if your web service is running under IIS you would have logging enabled in IIS and could examine the log files under C:\inetpub\logs\LogFiles\W3SVC1 by default. Have you checked there? You may open the files in Notepad.

    You can look in IIS Manager, select your server in left pane, then in right pane double-click on Logging icon to see logging configuration.

    Another potential option is NSG flow logs, however, you would've needed to have this configured before the incident. You can't go back in time to see flow logs if the feature wasn't enabled.

    Windows Defender Firewall with Advanced Security (wf.msc) has logging ability as well, however, by default it isn't going to log successful connections so this is another case where you would've had to have it configured to log beforehand.

    Please click Accept Answer and upvote if the above was helpful. If something is unclear add a comment.

    Thanks.

    -TP
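
For the IIS log files mentioned in the answer above, an added example (not part of the original thread) that lists which client IPs reached the site in a given time window. It assumes the W3C log format with the `date`, `time` and `c-ip` fields enabled, whose timestamps are in UTC; the function name `Get-IisClientIp` and the sample lines are hypothetical.

```powershell
# Added example. Sample lines are constructed (documentation IP ranges), not real log data.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-02-27 09:58:12 10.0.0.4 GET /api/health - 80 - 198.51.100.7 curl/8.4.0 - 200 0 0 15
2024-02-27 10:01:03 10.0.0.4 POST /api/submit - 80 - 203.0.113.25 python-requests/2.31.0 - 200 0 0 48
2024-02-27 10:01:04 10.0.0.4 POST /api/submit - 80 - 203.0.113.25 python-requests/2.31.0 - 200 0 0 51
2024-02-27 10:01:09 10.0.0.4 GET /api/health - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 12
2024-02-27 10:01
'@ -split '\r?\n'

function Get-IisClientIp {
    param(
        [string[]] $Line,                          # raw log lines, e.g. from Get-Content
        [Parameter(Mandatory)] [datetime] $StartUtc,
        [Parameter(Mandatory)] [datetime] $EndUtc
    )
    $fields = @()
    $hits = foreach ($l in $Line) {
        if ($l.StartsWith('#Fields:')) {
            # Field order is configurable per site, so re-read it at every header.
            $fields = $l.Substring(8).Trim() -split ' '
            continue
        }
        if ($l.StartsWith('#') -or [string]::IsNullOrWhiteSpace($l)) { continue }
        $v = $l -split ' '                         # IIS writes spaces inside values as '+'
        if ($v.Count -ne $fields.Count) { continue }   # skip truncated or malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        $ts = [datetime]::ParseExact("$($row['date']) $($row['time'])",
                  'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        if ($ts -ge $StartUtc -and $ts -le $EndUtc) {
            [pscustomobject]@{ TimeUtc = $ts; ClientIp = $row['c-ip']
                               Uri = $row['cs-uri-stem']; Status = $row['sc-status'] }
        }
    }
    # One row per client IP: request count plus first and last time seen in the window.
    $hits | Group-Object ClientIp | Sort-Object Count -Descending |
        Select-Object @{n = 'ClientIp'; e = { $_.Name } }, Count,
            @{n = 'FirstSeenUtc'; e = { @($_.Group.TimeUtc | Sort-Object)[0] } },
            @{n = 'LastSeenUtc';  e = { @($_.Group.TimeUtc | Sort-Object)[-1] } }
}

Get-IisClientIp -Line $sample -StartUtc '2024-02-27 10:00:00' -EndUtc '2024-02-27 10:05:00' |
    Format-Table -AutoSize
```

To run it against real logs, pass `-Line (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log)` instead of `$sample`. If the site sits behind a load balancer or reverse proxy, `c-ip` holds that device's address rather than the original client's.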