Azure Firewall diagnostic logs (legacy)
Diagnostic logs are the original Azure Firewall log queries; they output log data in an unstructured, free-form text format.
The following log categories are supported in diagnostic logs:
- Azure Firewall application rule
- Azure Firewall network rule
- Azure Firewall DNS proxy
Application rule log
The application rule log is saved to a storage account, streamed to Event Hubs and/or sent to Azure Monitor logs only if you have enabled it for each Azure Firewall. Each new connection that matches one of your configured application rules produces a log entry for the accepted or denied connection. The data is logged in JSON format, as the following examples show:
- Category: application rule logs.
- Time: log timestamp.
- Properties: currently contains the full message.
- Note: this field will be parsed into specific fields in the future, while maintaining backward compatibility with the existing properties field.
{
"category": "AzureFirewallApplicationRule",
"time": "2018-04-16T23:45:04.8295030Z",
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
"operationName": "AzureFirewallApplicationRuleLog",
"properties": {
"msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
}
}
{
"category": "AzureFirewallApplicationRule",
"time": "2018-04-16T23:45:04.8295030Z",
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
"operationName": "AzureFirewallApplicationRuleLog",
"properties": {
"msg": "HTTPS request from 10.11.2.4:53344 to www.bing.com:443. Action: Allow. Rule Collection: ExampleRuleCollection. Rule: ExampleRule. Web Category: SearchEnginesAndPortals"
}
}
Network rule log
The network rule log is saved to a storage account, streamed to Event Hubs and/or sent to Azure Monitor logs only if you have enabled it for each Azure Firewall. Each new connection that matches one of your configured network rules produces a log entry for the accepted or denied connection. The data is logged in JSON format, as the following example shows:
- Category: network rule logs.
- Time: log timestamp.
- Properties: currently contains the full message.
- Note: this field will be parsed into specific fields in the future, while maintaining backward compatibility with the existing properties field.
{
"category": "AzureFirewallNetworkRule",
"time": "2018-06-14T23:44:11.0590400Z",
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
"operationName": "AzureFirewallNetworkRuleLog",
"properties": {
"msg": "TCP request from 111.35.136.173:12518 to 13.78.143.217:2323. Action: Deny"
}
}
DNS proxy log
The DNS proxy log is saved to a storage account, streamed to Event Hubs and/or sent to Azure Monitor logs only if you have enabled it for each Azure Firewall. This log tracks DNS messages sent to a DNS server configured using DNS proxy. The data is logged in JSON format, as the following examples show:
- Category: DNS proxy logs.
- Time: log timestamp.
- Properties: currently contains the full message.
- Note: this field will be parsed into specific fields in the future, while maintaining backward compatibility with the existing properties field.
Success:
{
"category": "AzureFirewallDnsProxy",
"time": "2020-09-02T19:12:33.751Z",
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
"operationName": "AzureFirewallDnsProxyLog",
"properties": {
"msg": "DNS Request: 11.5.0.7:48197 – 15676 AAA IN md-l1l1pg5lcmkq.blob.core.windows.net. udp 55 false 512 NOERROR - 0 2.000301956s"
}
}
Failure:
{
"category": "AzureFirewallDnsProxy",
"time": "2020-09-02T19:12:33.751Z",
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
"operationName": "AzureFirewallDnsProxyLog",
"properties": {
"msg": " Error: 2 time.windows.com.reddog.microsoft.com. A: read udp 10.0.1.5:49126->168.63.129.160:53: i/o timeout"
}
}
msg format:
[client's IP address]:[client's port] – [query ID] [type of the request] [class of the request] [name of the request] [protocol used] [request size in bytes] [EDNS0 DO (DNSSEC OK) bit set in the query] [EDNS0 buffer size advertised in the query] [response CODE] [response flags] [response size] [response duration]
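Because all three legacy categories put the useful detail in the free-text properties.msg field, a SIEM or detection query has to split that string into fields first. The following parser is an added example, not code from the Azure documentation or from Microsoft; it handles the application rule, network rule and DNS proxy message forms shown on this page (the successful DNS form follows the msg format above) and flattens one JSON record per line into searchable fields, with a small triage helper that keeps denied connections and failed DNS lookups.

```python
import json
import re

# One pattern serves both application-rule and network-rule messages: the
# network-rule form on this page is a prefix of the application-rule form.
CONN_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:\s]+):(?P<sport>\d+) to "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>\w+)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>[^.]+))?"
    r"(?:\. Web Category: (?P<web_category>\S+))?"
)
# Successful DNS proxy message, fields in the order of the documented msg format.
# The separator after the client port is an en dash (U+2013), as in the sample.
DNS_OK_RE = re.compile(
    r"^DNS Request: (?P<src>[^:\s]+):(?P<sport>\d+) – (?P<qid>\d+) (?P<qtype>\S+) "
    r"(?P<qclass>\S+) (?P<qname>\S+) (?P<proto>\S+) (?P<req_size>\d+) "
    r"(?P<dnssec_ok>\S+) (?P<edns0_bufsize>\d+) (?P<rcode>\S+) (?P<flags>\S+) "
    r"(?P<resp_size>\d+) (?P<duration>\S+)$"
)
# Failed DNS proxy message; the sample on this page carries a leading space.
DNS_ERR_RE = re.compile(r"^\s*Error: (?P<code>\d+) (?P<qname>\S+) (?P<qtype>[^:]+): (?P<detail>.+)$")


def parse_msg(category, msg):
    """Split a legacy 'msg' string into named fields; None if the format is unknown."""
    if category in ("AzureFirewallApplicationRule", "AzureFirewallNetworkRule"):
        m = CONN_RE.match(msg)
    elif category == "AzureFirewallDnsProxy":
        m = DNS_OK_RE.match(msg) or DNS_ERR_RE.match(msg)
    else:
        m = None
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_record(line):
    """Flatten one JSON diagnostic record (one object per line) for searching."""
    rec = json.loads(line)
    out = {"category": rec["category"], "time": rec["time"], "resourceId": rec["resourceId"]}
    msg = rec["properties"]["msg"]
    out.update(parse_msg(rec["category"], msg) or {"unparsed_msg": msg})
    return out


def needs_attention(lines):
    """Triage: records with a denied connection or a failed DNS proxy lookup."""
    recs = [parse_record(line) for line in lines]
    return [r for r in recs if r.get("action") == "Deny" or "code" in r]
```

Records whose msg does not match any known form are kept with an unparsed_msg field rather than dropped, so a format change on the firewall side shows up in the output instead of silently disappearing.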
Storage
You have three options for storing your logs:
- Storage account: a storage account is best used for logs that are kept for a longer duration and reviewed when needed.
- Event Hubs: Event Hubs are a great option for integrating with other security information and event management (SIEM) tools to get alerts on your resources.
- Azure Monitor logs: Azure Monitor logs are best used for general real-time monitoring of your application or for looking at trends.
Enable diagnostic logging
To learn how to enable diagnostic logging using the Azure portal, see Monitor Azure Firewall logs (legacy) and metrics.