
Troubleshoot changes in your environment

In this tutorial, you learn how to troubleshoot changes on an Azure virtual machine. By enabling Change tracking, you can track changes to software, files, Linux daemons, Windows services, and Windows Registry keys on your computers. Identifying these configuration changes can help you pinpoint operational issues across your environment.

In this tutorial you learn how to:

  • Onboard a VM for Change tracking and Inventory
  • Search change logs for stopped services
  • Configure change tracking
  • Enable Activity log connection
  • Trigger an event
  • View changes
  • Configure alerts

Prerequisites

To complete this tutorial, you need:

Sign in to Azure

Sign in to the Azure portal at https://portal.azure.com.

Enable Change tracking and Inventory

First, you need to enable Change tracking and Inventory for the VM used in this tutorial. If you have previously enabled another automation solution for the VM, this step is not necessary.

  1. On the left menu, select Virtual machines and select a VM from the list.
  2. On the left menu, under the OPERATIONS section, click Inventory. The Change tracking page opens.

The Change Tracking screen opens. Configure the location, Log Analytics workspace, and Automation account to use, and then click Enable. If the fields are grayed out, another automation solution is already enabled for the VM, and the same workspace and Automation account must be used.

A Log Analytics workspace is used to collect the data generated by features and services such as Inventory. The workspace provides a single location to review and analyze data from multiple sources.

During onboarding, the VM is provisioned with the Microsoft Monitoring Agent (MMA) and a hybrid worker. The agent is used to communicate with the VM and obtain information about installed software.

Enabling the solution can take up to 15 minutes. During this time, you shouldn't close the browser window. After the solution is enabled, information about installed software and changes on the VM flows to Azure Monitor logs. It can take between 30 minutes and 6 hours for the data to be available for analysis.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Using Change tracking in Azure Monitor logs

Change tracking generates log data that is sent to Azure Monitor logs. To search the logs by running queries, select Log Analytics at the top of the Change tracking window. Change tracking data is stored under the type ConfigurationChange. The following sample Log Analytics query returns all the Windows services that have been stopped.

ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"

To learn more about running and searching log files in Azure Monitor logs, see Azure Monitor logs.
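The query above lists every stopped service, including ones that were never meant to run. The following query is an added example (not from the original article) that narrows the result to real transitions on auto-start services and rolls them up per computer, which is the shape a stopped-service alert usually needs. It assumes the ConfigurationChange columns SvcPreviousState, SvcStartupType and SvcDisplayName, which this page does not name.

```kusto
// Added example, not part of the original article.
// Assumed columns: SvcPreviousState, SvcStartupType, SvcDisplayName.
ConfigurationChange
| where TimeGenerated > ago(24h)
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
// Only services that actually went from Running to Stopped,
// not services that were already stopped at the previous scan
| where SvcPreviousState == "Running"
// Auto-start services are the ones that should not stay down
| where SvcStartupType == "Auto"
| project TimeGenerated, Computer, SvcName, SvcDisplayName, SvcPreviousState, SvcState
| summarize StoppedCount = count(),
            Services = make_set(SvcName),
            LastStopped = max(TimeGenerated)
          by Computer
| order by StoppedCount desc
```

Run it from the Log Analytics window of the Change tracking page; the per-computer row count is what an alert rule with a threshold of 0 fires on.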

Configure Change tracking

Change tracking gives you the ability to track configuration changes on your VM. The following steps show you how to configure tracking of registry keys and files.

To choose which files and Registry keys to collect and track, select Edit settings at the top of the Change tracking page.

Note

Inventory and Change tracking use the same collection settings, and the settings are configured at the workspace level.

In the Workspace Configuration window, add the Windows Registry keys, Windows files, or Linux files to be tracked, as outlined in the next three sections.

Add a Windows Registry key

  1. On the Windows Registry tab, select Add. The Add Windows Registry for Change Tracking window opens.

  2. In Add Windows Registry for Change Tracking, enter the information for the key to track and click Save.

Property - Description
Enabled - Determines if the setting is applied
Item Name - Friendly name of the key to be tracked
Group - A group name for logically grouping keys
Windows Registry Key - The registry key path to check. For example: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup"

Add a Windows file

  1. On the Windows Files tab, select Add. The Add Windows File for Change Tracking window opens.

  2. In Add Windows File for Change Tracking, enter the information for the file or directory to track and click Save.

Property - Description
Enabled - Determines if the setting is applied
Item Name - Friendly name of the file to be tracked
Group - A group name for logically grouping files
Enter Path - The path to check for the file. For example: "c:\temp\*.txt". You can also use environment variables such as "%winDir%\System32\*.*"
Recursion - Determines if recursion is used when looking for the item to be tracked.
Upload file content for all settings - Turns file content upload on or off for tracked changes. Available options: True or False.

Add a Linux file

  1. On the Linux Files tab, select Add. The Add Linux File for Change Tracking window opens.

  2. In Add Linux File for Change Tracking, enter the information for the file or directory to track and click Save.

Property - Description
Enabled - Determines if the setting is applied
Item Name - Friendly name of the file to be tracked
Group - A group name for logically grouping files
Enter Path - The path to check for the file. For example: "/etc/*.conf"
Path Type - Type of item to be tracked; possible values are File and Directory
Recursion - Determines if recursion is used when looking for the item to be tracked.
Use Sudo - Determines if sudo is used when checking for the item.
Links - Determines how symbolic links are dealt with when traversing directories.
  Ignore - Ignores symbolic links and does not include the files/directories referenced
  Follow - Follows the symbolic links during recursion and also includes the files/directories referenced
  Manage - Follows the symbolic links and allows altering the treatment of the returned content
Upload file content for all settings - Turns file content upload on or off for tracked changes. Available options: True or False.

Note

The "Manage" links option is not recommended. File content retrieval is not supported with it.
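Once the registry key and file settings above are in place, the same ConfigurationChange type carries those changes too. The following query is an added example (not from the original article) that pulls recent changes to the Common Startup key named in the registry table and to the /etc/*.conf files named in the Linux table into one review list. It assumes the ConfigurationChange columns RegistryKey, ValueName, ValueData, FileSystemPath, ChangeCategory and FieldsChanged, and the ConfigChangeType values "Registry" and "Files", none of which this page names.

```kusto
// Added example, not part of the original article.
// Assumed columns: RegistryKey, ValueName, ValueData, FileSystemPath,
// ChangeCategory, FieldsChanged. Assumed ConfigChangeType values: Registry, Files.
let WatchedKeys = dynamic([
    @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup"
]);
ConfigurationChange
| where TimeGenerated > ago(7d)
| where ConfigChangeType in ("Registry", "Files")
// Registry rows: only the keys configured for tracking above.
// File rows: only the /etc configuration files configured above.
| where (ConfigChangeType == "Registry" and RegistryKey has_any (WatchedKeys))
     or (ConfigChangeType == "Files" and FileSystemPath startswith "/etc/")
| project TimeGenerated, Computer, ConfigChangeType,
          ChangeCategory,                       // Added, Modified or Removed
          Path = coalesce(RegistryKey, FileSystemPath),
          ValueName, ValueData, FieldsChanged   // what changed, for registry values and file attributes
| order by TimeGenerated desc
```

The same query, with the summarize by Computer pattern from the alert section, can back an alert rule for unexpected edits to either location.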

Enable Activity log connection

From the Change tracking page on your VM, select Manage Activity Log Connection. This opens the Azure Activity log page. Select Connect to connect Change tracking to the Azure Activity log for your VM.

With this setting enabled, navigate to the Overview page for your VM and select Stop to stop your VM. When prompted, select Yes to stop the VM. When it is deallocated, select Start to restart your VM.

Stopping and starting a VM logs an event in its Activity log. Navigate back to the Change tracking page and select the Events tab at the bottom of the page. After a while, the events are shown in the chart and the table. As in the preceding step, each event can be selected to view its details.


View changes

Once the Change tracking and Inventory solution is enabled, you can view the results on the Change tracking page.

From within your VM, select Change tracking under OPERATIONS.

[Screenshot: list of changes to the VM]

The chart shows changes that have occurred over time. After you have added an Activity log connection, the line graph at the top displays Azure Activity log events. Each row of bar graphs represents a different trackable change type. These types are Linux daemons, files, Windows Registry keys, software, and Windows services. The Changes tab shows the details of the changes shown in the visualization, in descending order of the time the change occurred (most recent first). On the Events tab, the table displays the connected Activity log events and their corresponding details, most recent first.

You can see in the results that there were multiple changes to the system, including changes to services and software. You can use the filters at the top of the page to filter the results by change type or by a time range.

Selecting a WindowsServices change opens the Change Details window. The Change Details window shows details about the change and the values before and after the change. In this instance, the Software Protection service was stopped.

[Screenshot: view change details in the portal]

Configure alerts

Viewing changes in the Azure portal can be helpful, but being alerted when a change occurs, such as a stopped service, is more beneficial.

To add an alert for a stopped service, in the Azure portal, go to Monitor. Then, under Shared Services, select Alerts and click + New alert rule.

Click Select to choose a resource. On the Select a resource page, select Log Analytics from the Filter by resource type drop-down. Select your Log Analytics workspace, and then select Done.

[Screenshot: Select a resource]

Click Add condition. On the Configure signal logic page, select Custom log search in the table. Enter the following query in the Search query text box:

ConfigurationChange | where ConfigChangeType == "WindowsServices" and SvcName == "W3SVC" and SvcState == "Stopped" | summarize by Computer

This query returns the computers on which the W3SVC service was stopped in the specified timeframe.

Under Alert logic, for Threshold, enter 0. When you're finished, select Done.

[Screenshot: Configure signal logic]

Under Action Groups, select Create New. An action group is a group of actions that you can use across multiple alerts. The actions can include, but are not limited to, email notifications, runbooks, and webhooks. To learn more about action groups, see Create and manage action groups.

Under Alert details, enter a name and description for the alert. Set Severity to Informational (Sev 2), Warning (Sev 1), or Critical (Sev 0).

In the Action group name box, enter a name for the action group and a short name. The short name is used in place of the full action group name when notifications are sent by using this group.

Under Actions, enter a name for the action, such as Email Administrators. Under ACTION TYPE, select Email/SMS/Push/Voice. Under DETAILS, select Edit details.

[Screenshot: Add action group]

In the Email/SMS/Push/Voice pane, enter a name. Select the Email check box, and then enter a valid email address. Click OK on the Email/SMS/Push/Voice page, and then click OK on the Add action group page.

To customize the subject of the alert email, under Create rule, under Customize Actions, select Email subject. When you're finished, select Create alert rule. The alert tells you when an update deployment succeeds, and which machines were part of that update deployment run.

The following image is an example of the email received when the W3SVC service stops.

[Screenshot: alert email]

Next steps

In this tutorial you learned how to:

  • Onboard a VM for Change tracking and Inventory
  • Search change logs for stopped services
  • Configure change tracking
  • Enable Activity log connection
  • Trigger an event
  • View changes
  • Configure alerts

Continue to the overview of the Change tracking and Inventory solution to learn more about it.