訓練
模組
建立 Log Analytics 工作區 - Training
了解如何在 Azure 入口網站中建立 Log Analytics 工作區,為適用於雲端的 Microsoft Defender 啟用強固的資料收集和分析,以增強安全性態勢。
認證
Microsoft Certified: Azure Administrator Associate - Certifications
示範在 Microsoft Azure 中設定、管理、保護及管理重要專業功能的重要技能。
注意
建議您使用 Azure Az PowerShell 模組來與 Azure 互動。 若要開始使用,請參閱安裝 Azure PowerShell (部分機器翻譯)。 若要了解如何移轉至 Az PowerShell 模組,請參閱將 Azure PowerShell 從 AzureRM 移轉至 Az。
在 Azure 監視器記錄預先定義的記錄集上,您可以使用計量警示功能。 可從 Azure 或內部部署機器收集的受監視記錄會轉換成計量,然後使用計量警示規則進行監視,就像任何其他計量一樣。
Log Analytics 工作區支援這些記錄類型:
針對 Azure 中基於查詢的記錄搜尋警示,使用計量警示的優點包括:
注意
特定的計量或維度必須在所選期間存在資料才會顯示。 這些計量可供擁有 Log Analytics 工作區的客戶使用。
透過計量警示,您可以使用維度來將計量篩選到正確層級。 記錄支援的完整計量清單等同於 Log Analytics 工作區計量清單 (部分機器翻譯)。
注意
若要檢視透過 Azure 監視器 - 計量從 Log Analytics 工作區擷取的支援計量,您必須針對該特定計量建立記錄的計量警示。 您在記錄計量警示中選擇的維度只會透過 Azure 監視器計量顯示以供探索。
來自常用記錄的計量資料會先輸送至 Azure 監視器計量,再於 Log Analytics 中處理。 除了計量警示之外,您還可以利用計量平台的功能,包括頻率低至一分鐘的警示。
為記錄建立計量警示的流程分為兩部分:
scheduledQueryRules
) 建立規則,從支援的記錄擷取計量。建立記錄的計量警示之前,請確定下列項目已設定且可供使用:
若要建立和管理計量警示,您可以使用 Azure 入口網站、Azure Resource Manager 範本、REST API、Azure PowerShell 和 Azure CLI。
為指定的 Log Analytics 工作區建立記錄的計量警示之後,工作區便具有計量警示 (部分機器翻譯) 的所有特性和功能,包括承載架構、適用的配額限制和計費價格。
如需逐步詳細資料和範例,請參閱建立或編輯計量警示規則。 請遵循管理計量警示的指示,並注意下列事項:
計量警示的目標必須是有效的 Log Analytics 工作區。
所選 Log Analytics 工作區的計量警示選取訊號必須是 [計量] 類型。
您可以使用維度篩選條件來篩選特定條件或資源,因為記錄的計量具有多維度。
在設定訊號邏輯時,您可以建立單一警示來跨越維度的多個值 (例如電腦)。
當您使用 Azure 入口網站為記錄建立計量警示時,系統會在背景自動建立透過 scheduledQueryRules
將記錄資料轉換為計量的對應規則,完全不需要使用者介入或採取行動。
如果您「不是」使用 Azure 入口網站來建立所選 Log Analytics 工作區的計量警示,則必須先手動建立明確的規則,以使用 scheduledQueryRules
將記錄資料轉換成計量。
若要建立記錄的計量警示,您可以使用下列範例 Resource Manager 範本。
針對透過 Azure 入口網站以外方式所建立記錄的計量警示,您可以使用這些範例範本,在建立計量警示之前,先建立以 scheduledQueryRules
為基礎的記錄到計量轉換規則。 如果您沒有這麼做,記錄中的計量警示將不會有任何資料。
在下列範例範本中,將建立一個計量警示,其靜態閾值取決於透過 scheduledQueryRules
從記錄擷取計量的規則成功建立。
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"convertRuleName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the rule to convert a log to a metric"
}
},
"convertRuleDescription": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Description for the log converted to a metric."
}
},
"convertRuleRegion": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the region used by the workspace."
}
},
"convertRuleStatus": {
"type": "string",
"defaultValue": "true",
"metadata": {
"description": "Specifies whether the log conversion rule is enabled."
}
},
"convertRuleMetric": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the metric after extraction is done from logs."
}
},
"alertName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the alert."
}
},
"alertDescription": {
"type": "string",
"defaultValue": "This is a metric alert",
"metadata": {
"description": "Description of the alert."
}
},
"alertSeverity": {
"type": "int",
"defaultValue": 3,
"allowedValues": [
0,
1,
2,
3,
4
],
"metadata": {
"description": "Severity of the alert {0,1,2,3,4}."
}
},
"isEnabled": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Specifies whether the alert is enabled."
}
},
"resourceId": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Full resource ID of the resource emitting the metric that will be used for the comparison. For example: /subscriptions/00000000-0000-0000-0000-0000-00000000/resourceGroups/ResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
}
},
"metricName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the metric used in the comparison to activate the alert."
}
},
"operator": {
"type": "string",
"defaultValue": "GreaterThan",
"allowedValues": [
"Equals",
"NotEquals",
"GreaterThan",
"GreaterThanOrEqual",
"LessThan",
"LessThanOrEqual"
],
"metadata": {
"description": "Operator comparing the current value with the threshold value."
}
},
"threshold": {
"type": "string",
"defaultValue": "0",
"metadata": {
"description": "The threshold value at which the alert is activated."
}
},
"timeAggregation": {
"type": "string",
"defaultValue": "Average",
"allowedValues": [
"Average",
"Minimum",
"Maximum",
"Total"
],
"metadata": {
"description": "How the data that's collected should be combined over time."
}
},
"windowSize": {
"type": "string",
"defaultValue": "PT5M",
"metadata": {
"description": "Period of time used to monitor alert activity based on the threshold. Must be between five minutes and one day. ISO 8601 duration format."
}
},
"evaluationFrequency": {
"type": "string",
"defaultValue": "PT1M",
"metadata": {
"description": "How often the metric alert is evaluated, represented in ISO 8601 duration format."
}
},
"actionGroupId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The ID of the action group that's triggered when the alert is activated or deactivated."
}
}
},
"variables": {
"convertRuleSourceWorkspace": {
"SourceId": "/subscriptions/1234-56789-1234-567a/resourceGroups/resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
}
},
"resources": [
{
"name": "[parameters('convertRuleName')]",
"type": "Microsoft.Insights/scheduledQueryRules",
"apiVersion": "2018-04-16",
"location": "[parameters('convertRuleRegion')]",
"properties": {
"description": "[parameters('convertRuleDescription')]",
"enabled": "[parameters('convertRuleStatus')]",
"source": {
"dataSourceId": "[variables('convertRuleSourceWorkspace').SourceId]"
},
"action": {
"odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction",
"criteria": [{
"metricName": "[parameters('convertRuleMetric')]",
"dimensions": []
}
]
}
}
},
{
"name": "[parameters('alertName')]",
"type": "Microsoft.Insights/metricAlerts",
"location": "global",
"apiVersion": "2018-03-01",
"tags": {},
"dependsOn":["[resourceId('Microsoft.Insights/scheduledQueryRules',parameters('convertRuleName'))]"],
"properties": {
"description": "[parameters('alertDescription')]",
"severity": "[parameters('alertSeverity')]",
"enabled": "[parameters('isEnabled')]",
"scopes": ["[parameters('resourceId')]"],
"evaluationFrequency":"[parameters('evaluationFrequency')]",
"windowSize": "[parameters('windowSize')]",
"criteria": {
"odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria",
"allOf": [
{
"name" : "1st criterion",
"metricName": "[parameters('metricName')]",
"dimensions":[],
"operator": "[parameters('operator')]",
"threshold" : "[parameters('threshold')]",
"timeAggregation": "[parameters('timeAggregation')]"
}
]
},
"actions": [
{
"actionGroupId": "[parameters('actionGroupId')]"
}
]
}
}
]
}
如果您將上述 JSON 儲存為 metricfromLogsAlertStatic.json,您可以將其與參數 JSON 檔案結合,以根據 Resource Manager 範本進行建立。 以下是範例參數 JSON 檔案:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"convertRuleName": {
"value": "TestLogtoMetricRule"
},
"convertRuleDescription": {
"value": "Test rule to extract metrics from logs via template"
},
"convertRuleRegion": {
"value": "West Central US"
},
"convertRuleStatus": {
"value": "true"
},
"convertRuleMetric": {
"value": "Average_% Idle Time"
},
"alertName": {
"value": "TestMetricAlertonLog"
},
"alertDescription": {
"value": "New multidimensional metric alert created via template"
},
"alertSeverity": {
"value":3
},
"isEnabled": {
"value": true
},
"resourceId": {
"value": "/subscriptions/1234-56789-1234-567a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
},
"metricName":{
"value": "Average_% Idle Time"
},
"operator": {
"value": "GreaterThan"
},
"threshold":{
"value": "1"
},
"timeAggregation":{
"value": "Average"
},
"actionGroupId": {
"value": "/subscriptions/1234-56789-1234-567a/resourceGroups/myRG/providers/microsoft.insights/actionGroups/actionGroupName"
}
}
}
假設您已將上述參數檔案儲存為 metricfromLogsAlertStatic.parameters.json,則可以在 Azure 入口網站中透過用於建立的 Resource Manager 範本 (部分機器翻譯) 來建立記錄的計量警示。
或者,您可以使用 Azure PowerShell 命令:
New-AzResourceGroupDeployment -ResourceGroupName "myRG" -TemplateFile metricfromLogsAlertStatic.json TemplateParameterFile metricfromLogsAlertStatic.parameters.json
或者,您可以使用 Azure CLI 來部署 Resource Manager 範本:
az deployment group create --resource-group myRG --template-file metricfromLogsAlertStatic.json --parameters @metricfromLogsAlertStatic.parameters.json
在下列範例範本中,將建立一個計量警示,其動態閾值取決於透過 scheduledQueryRules
從記錄擷取計量的規則成功建立。
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"convertRuleName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the rule to convert a log to a metric."
}
},
"convertRuleDescription": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Description for the log converted to a metric."
}
},
"convertRuleRegion": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the region used by the workspace."
}
},
"convertRuleStatus": {
"type": "string",
"defaultValue": "true",
"metadata": {
"description": "Specifies whether the log conversion rule is enabled."
}
},
"convertRuleMetric": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the metric after extraction is done from logs."
}
},
"alertName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the alert."
}
},
"alertDescription": {
"type": "string",
"defaultValue": "This is a metric alert",
"metadata": {
"description": "Description of the alert."
}
},
"alertSeverity": {
"type": "int",
"defaultValue": 3,
"allowedValues": [
0,
1,
2,
3,
4
],
"metadata": {
"description": "Severity of the alert {0,1,2,3,4}."
}
},
"isEnabled": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Specifies whether the alert is enabled."
}
},
"resourceId": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Full resource ID of the resource emitting the metric that will be used for the comparison. For example: /subscriptions/00000000-0000-0000-0000-0000-00000000/resourceGroups/ResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
}
},
"metricName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the metric used in the comparison to activate the alert."
}
},
"operator": {
"type": "string",
"defaultValue": "GreaterOrLessThan",
"allowedValues": [
"GreaterThan",
"LessThan",
"GreaterOrLessThan"
],
"metadata": {
"description": "Operator comparing the current value with the threshold value."
}
},
"alertSensitivity": {
"type": "string",
"defaultValue": "Medium",
"allowedValues": [
"High",
"Medium",
"Low"
],
"metadata": {
"description": "Tunes how 'noisy' the alerts for dynamic thresholds will be. 'High' will result in more alerts. 'Low' will result in fewer alerts."
}
},
"numberOfEvaluationPeriods": {
"type": "string",
"defaultValue": "4",
"metadata": {
"description": "The number of periods to check in the alert evaluation."
}
},
"minFailingPeriodsToAlert": {
"type": "string",
"defaultValue": "3",
"metadata": {
"description": "The number of unhealthy periods to alert on (must be lower or equal to numberOfEvaluationPeriods)."
}
},
"timeAggregation": {
"type": "string",
"defaultValue": "Average",
"allowedValues": [
"Average",
"Minimum",
"Maximum",
"Total"
],
"metadata": {
"description": "How the data that's collected should be combined over time."
}
},
"windowSize": {
"type": "string",
"defaultValue": "PT5M",
"metadata": {
"description": "Period of time used to monitor alert activity based on the threshold. Must be between five minutes and one day. ISO 8601 duration format."
}
},
"evaluationFrequency": {
"type": "string",
"defaultValue": "PT1M",
"metadata": {
"description": "How often the metric alert is evaluated, represented in ISO 8601 duration format."
}
},
"actionGroupId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The ID of the action group that's triggered when the alert is activated or deactivated."
}
}
},
"variables": {
"convertRuleSourceWorkspace": {
"SourceId": "/subscriptions/1234-56789-1234-567a/resourceGroups/resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
}
},
"resources": [
{
"name": "[parameters('convertRuleName')]",
"type": "Microsoft.Insights/scheduledQueryRules",
"apiVersion": "2018-04-16",
"location": "[parameters('convertRuleRegion')]",
"properties": {
"description": "[parameters('convertRuleDescription')]",
"enabled": "[parameters('convertRuleStatus')]",
"source": {
"dataSourceId": "[variables('convertRuleSourceWorkspace').SourceId]"
},
"action": {
"odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction",
"criteria": [{
"metricName": "[parameters('convertRuleMetric')]",
"dimensions": []
}
]
}
}
},
{
"name": "[parameters('alertName')]",
"type": "Microsoft.Insights/metricAlerts",
"location": "global",
"apiVersion": "2018-03-01",
"tags": {},
"dependsOn":["[resourceId('Microsoft.Insights/scheduledQueryRules',parameters('convertRuleName'))]"],
"properties": {
"description": "[parameters('alertDescription')]",
"severity": "[parameters('alertSeverity')]",
"enabled": "[parameters('isEnabled')]",
"scopes": ["[parameters('resourceId')]"],
"evaluationFrequency":"[parameters('evaluationFrequency')]",
"windowSize": "[parameters('windowSize')]",
"criteria": {
"odata.type": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria",
"allOf": [
{
"criterionType": "DynamicThresholdCriterion",
"name" : "1st criterion",
"metricName": "[parameters('metricName')]",
"dimensions":[],
"operator": "[parameters('operator')]",
"alertSensitivity": "[parameters('alertSensitivity')]",
"failingPeriods": {
"numberOfEvaluationPeriods": "[parameters('numberOfEvaluationPeriods')]",
"minFailingPeriodsToAlert": "[parameters('minFailingPeriodsToAlert')]"
},
"timeAggregation": "[parameters('timeAggregation')]"
}
]
},
"actions": [
{
"actionGroupId": "[parameters('actionGroupId')]"
}
]
}
}
]
}
如果您將上述 JSON 儲存為 metricfromLogsAlertDynamic.json,您可以將其與參數 JSON 檔案結合,以根據 Resource Manager 範本進行建立。 以下是範例參數 JSON 檔案:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"convertRuleName": {
"value": "TestLogtoMetricRule"
},
"convertRuleDescription": {
"value": "Test rule to extract metrics from logs via template"
},
"convertRuleRegion": {
"value": "West Central US"
},
"convertRuleStatus": {
"value": "true"
},
"convertRuleMetric": {
"value": "Average_% Idle Time"
},
"alertName": {
"value": "TestMetricAlertonLog"
},
"alertDescription": {
"value": "New multidimensional metric alert created via template"
},
"alertSeverity": {
"value":3
},
"isEnabled": {
"value": true
},
"resourceId": {
"value": "/subscriptions/1234-56789-1234-567a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
},
"metricName":{
"value": "Average_% Idle Time"
},
"operator": {
"value": "GreaterOrLessThan"
},
"alertSensitivity": {
"value": "Medium"
},
"numberOfEvaluationPeriods": {
"value": "4"
},
"minFailingPeriodsToAlert": {
"value": "3"
},
"timeAggregation":{
"value": "Average"
},
"actionGroupId": {
"value": "/subscriptions/1234-56789-1234-567a/resourceGroups/myRG/providers/microsoft.insights/actionGroups/actionGroupName"
}
}
}
假設您已將上述參數檔案儲存為 metricfromLogsAlertDynamic.parameters.json,則可以在 Azure 入口網站中透過用於建立的 Resource Manager 範本 (部分機器翻譯) 來建立記錄的計量警示。
或者,您可以使用 Azure PowerShell 命令:
New-AzResourceGroupDeployment -ResourceGroupName "myRG" -TemplateFile metricfromLogsAlertDynamic.json TemplateParameterFile metricfromLogsAlertDynamic.parameters.json
或者,您可以使用 Azure CLI 來部署 Resource Manager 範本:
az deployment group create --resource-group myRG --template-file metricfromLogsAlertDynamic.json --parameters @metricfromLogsAlertDynamic.parameters.json
訓練
模組
建立 Log Analytics 工作區 - Training
了解如何在 Azure 入口網站中建立 Log Analytics 工作區,為適用於雲端的 Microsoft Defender 啟用強固的資料收集和分析,以增強安全性態勢。
認證
Microsoft Certified: Azure Administrator Associate - Certifications
示範在 Microsoft Azure 中設定、管理、保護及管理重要專業功能的重要技能。
文件
建立 Azure 監視器計量警示規則 - Azure Monitor
本文說明如何建立新的計量警示規則。
本文說明不同類型的 Azure 監視器警示,以及每種類型的使用時機。
建立 Azure 監視器記錄搜尋警示規則 - Azure Monitor
本文會說明如何建立新的 Azure 監視器記錄搜尋警示規則或編輯現有的規則。