
How to query logs from Azure Monitor for VMs (preview)

Azure Monitor for VMs collects performance and connection metrics, computer and process inventory data, and health state information, and forwards it to the Log Analytics workspace in Azure Monitor. This data is available for query in Azure Monitor. You can apply it to scenarios that include migration planning, capacity analysis, discovery, and on-demand performance troubleshooting.

Map records

One record is generated per hour for each unique computer and process, in addition to the records that are generated when a process or computer starts or is onboarded to the Azure Monitor for VMs Map feature. These records have the properties listed in the following tables. The fields and values in the ServiceMapComputer_CL events map to fields of the Machine resource in the ServiceMap Azure Resource Manager API. The fields and values in the ServiceMapProcess_CL events map to the fields of the Process resource in the ServiceMap Azure Resource Manager API. The ResourceName_s field matches the name field in the corresponding Resource Manager resource.

There are internally generated properties you can use to identify unique processes and computers:

  • Computer: Use ResourceId or ResourceName_s to uniquely identify a computer within a Log Analytics workspace.
  • Process: Use ResourceId to uniquely identify a process within a Log Analytics workspace. ResourceName_s is unique only within the context of the machine on which the process is running (MachineResourceName_s).

Because multiple records can exist for a specified process and computer in a specified time range, queries can return more than one record for the same computer or process. To include only the most recent record, add "| dedup ResourceId" to the query.

Connections and ports

The Connection Metrics feature introduces two new tables in Azure Monitor logs: VMConnection and VMBoundPort. These tables provide information about the connections of a machine (inbound and outbound), as well as the server ports that are open or active on it. ConnectionMetrics are also exposed via APIs that provide the means to obtain a specific metric during a time window. TCP connections that result from accepting on a listening socket are inbound, while those created by connecting to a given IP and port are outbound. The direction of a connection is represented by the Direction property, which is set to either inbound or outbound.

Records in these tables are generated from data reported by the Dependency Agent. Every record represents an observation over a 1-minute time interval. The TimeGenerated property indicates the start of the time interval. Each record contains information to identify the respective entity, that is, a connection or a port, as well as the metrics associated with that entity. Currently, only network activity that occurs using TCP over IPv4 is reported.

Common fields and conventions

The following fields and conventions apply to both VMConnection and VMBoundPort:

  • Computer: Fully qualified domain name of the reporting machine
  • AgentID: The unique identifier for a machine with the Log Analytics agent
  • Machine: Name of the Azure Resource Manager resource for the machine exposed by ServiceMap. It is of the form m-{GUID}, where GUID is the same GUID as AgentID.
  • Process: Name of the Azure Resource Manager resource for the process exposed by ServiceMap. It is of the form p-{hex string}. Process is unique within a machine scope; to generate a process ID that is unique across machines, combine the Machine and Process fields.
  • ProcessName: Executable name of the reporting process.
  • All IP addresses are strings in IPv4 canonical format, for example 13.107.3.160.

To manage cost and complexity, connection records do not represent individual physical network connections. Multiple physical network connections are grouped into a logical connection, which is then reflected in the respective table. That is, records in the VMConnection table represent a logical grouping and not the individual physical connections being observed. Physical network connections that share the same value for the following attributes during a given one-minute interval are aggregated into a single logical record in VMConnection.

| Property | Description |
|---|---|
| Direction | Direction of the connection; the value is inbound or outbound |
| Machine | The computer FQDN |
| Process | Identity of the process or group of processes initiating/accepting the connection |
| SourceIp | IP address of the source |
| DestinationIp | IP address of the destination |
| DestinationPort | Port number of the destination |
| Protocol | Protocol used for the connection. The value is tcp. |

To account for the impact of grouping, information about the number of grouped physical connections is provided in the following properties of the record:

| Property | Description |
|---|---|
| LinksEstablished | The number of physical network connections that have been established during the reporting time window |
| LinksTerminated | The number of physical network connections that have been terminated during the reporting time window |
| LinksFailed | The number of physical network connections that have failed during the reporting time window. This information is currently available only for outbound connections. |
| LinksLive | The number of physical network connections that were open at the end of the reporting time window |

Metrics

In addition to the connection count metrics, information about the volume of data sent and received on a given logical connection or network port is also included in the following properties of the record:

| Property | Description |
|---|---|
| BytesSent | Total number of bytes that have been sent during the reporting time window |
| BytesReceived | Total number of bytes that have been received during the reporting time window |
| Responses | The number of responses observed during the reporting time window. |
| ResponseTimeMax | The largest response time (milliseconds) observed during the reporting time window. If there is no value, the property is blank. |
| ResponseTimeMin | The smallest response time (milliseconds) observed during the reporting time window. If there is no value, the property is blank. |
| ResponseTimeSum | The sum of all response times (milliseconds) observed during the reporting time window. If there is no value, the property is blank. |

The third type of data being reported is response time: how long a caller spends waiting for a request sent over a connection to be processed and responded to by the remote endpoint. The response time reported is an estimate of the true response time of the underlying application protocol. It is computed using heuristics based on observing the flow of data between the source and destination ends of a physical network connection. Conceptually, it is the difference between the time the last byte of a request leaves the sender and the time the last byte of the response arrives back at it. These two timestamps are used to delineate request and response events on a given physical connection. The difference between them represents the response time of a single request.

In this first release of the feature, the algorithm is an approximation that works with varying degrees of success depending on the actual application protocol used on a given network connection. For example, the current approach works well for request-response protocols such as HTTP(S), but does not work with one-way or message-queue-based protocols.
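The metrics above are per-minute sums, so a mean response time has to be derived: ResponseTimeSum divided by Responses, with blank rows (no requests observed) excluded. The query below is an added example, not part of the original page, and assumes the ResponseTime* columns are numeric (hence the todouble cast to avoid integer division).

```kusto
// Added example: estimate application response time per logical connection
// from the VMConnection metrics. Rows with no observed requests have blank
// ResponseTime* properties and are dropped before the division.
VMConnection
| where TimeGenerated >= ago(1h)
| where isnotnull(ResponseTimeSum) and Responses > 0
| summarize
    Requests = sum(Responses),
    // mean over the whole window, weighted by request count per record
    AvgResponseMs = sum(todouble(ResponseTimeSum)) / sum(Responses),
    MaxResponseMs = max(ResponseTimeMax),
    MinResponseMs = min(ResponseTimeMin)
    by Computer, ProcessName, Direction, RemoteIp, DestinationPort, Protocol
| order by AvgResponseMs desc
```

Because the heuristic assumes request-response traffic, treat high values on message-queue or one-way protocols as an artifact of the estimator rather than as latency.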

Here are some important points to consider:

  1. If a process accepts connections on the same IP address but over multiple network interfaces, a separate record is reported for each interface.
  2. Records with a wildcard IP contain no activity. They are included to represent the fact that a port on the machine is open to inbound traffic.
  3. To reduce verbosity and data volume, records with a wildcard IP are omitted when there is a matching record (for the same process, port, and protocol) with a specific IP address. When a wildcard IP record is omitted, the IsWildcardBind property of the record with the specific IP address is set to "True" to indicate that the port is exposed over every interface of the reporting machine.
  4. Ports that are bound only on a specific interface have IsWildcardBind set to False.

Naming and classification

For convenience, the IP address of the remote end of a connection is included in the RemoteIp property. For inbound connections, RemoteIp is the same as SourceIp; for outbound connections, it is the same as DestinationIp. The RemoteDnsCanonicalNames property represents the DNS canonical names reported by the machine for RemoteIp. The RemoteDnsQuestions and RemoteClassification properties are reserved for future use.

Geolocation

VMConnection also includes geolocation information for the remote end of each connection record in the following properties of the record:

| Property | Description |
|---|---|
| RemoteCountry | The name of the country/region hosting RemoteIp. For example, United States |
| RemoteLatitude | The geolocation latitude. For example, 47.68 |
| RemoteLongitude | The geolocation longitude. For example, -122.12 |

Malicious IP

Every RemoteIp property in the VMConnection table is checked against a set of IPs with known malicious activity. If the RemoteIp is identified as malicious, the following properties of the record are populated (they are empty when the IP is not considered malicious):

| Property | Description |
|---|---|
| MaliciousIp | The RemoteIp address |
| IndicatorThreatType | The threat indicator detected; one of the following values: Botnet, C2, CryptoMining, Darknet, DDos, MaliciousUrl, Malware, Phishing, Proxy, PUA, Watchlist. |
| Description | Description of the observed threat. |
| TLPLevel | The Traffic Light Protocol (TLP) level; one of the defined values White, Green, Amber, Red. |
| Confidence | Values are 0 – 100. |
| Severity | Values are 0 – 5, where 5 is the most severe and 0 is not severe at all. The default value is 3. |
| FirstReportedDateTime | The first time the provider reported the indicator. |
| LastReportedDateTime | The last time the indicator was seen by Interflow. |
| IsActive | Indicates whether the indicator has been deactivated, with a True or False value. |
| ReportReferenceLink | Links to reports related to the given observable. |
| AdditionalInformation | Provides additional information, if applicable, about the observed threat. |
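A practical use of these properties is a detection query that surfaces only connections whose remote end was flagged, attributed to the local process that made or accepted them. The query below is an added example and is not part of the original page; the Confidence and Severity thresholds are illustrative assumptions, and IsActive is compared as a string because its type is not stated above. The join relies on the convention stated earlier that the Machine and Process fields are the ServiceMap resource names, which match MachineResourceName_s and ResourceName_s in ServiceMapProcess_CL.

```kusto
// Added example: connections to/from RemoteIp addresses flagged as malicious,
// aggregated per local process and remote endpoint, then joined to the latest
// process inventory record so the executable path and account are visible.
VMConnection
| where TimeGenerated >= ago(24h)
| where isnotempty(MaliciousIp)              // blank unless RemoteIp was flagged
| where tostring(IsActive) =~ "true"         // skip deactivated indicators
| where toint(Confidence) >= 50 and toint(Severity) >= 3   // assumed thresholds
| summarize
    LinksEstablished = sum(LinksEstablished),
    BytesSent = sum(BytesSent),
    BytesReceived = sum(BytesReceived),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    MaxSeverity = max(toint(Severity)),
    ThreatTypes = make_set(IndicatorThreatType),
    Countries = make_set(RemoteCountry)
    by Machine, Process, Computer, ProcessName, Direction, RemoteIp, DestinationPort, Protocol
// Machine/Process are ServiceMap resource names (m-{GUID}, p-{hex}) and match
// MachineResourceName_s/ResourceName_s in the process inventory table.
| join kind=leftouter (
    ServiceMapProcess_CL
    | summarize arg_max(TimeGenerated, *) by ResourceId
    | project MachineResourceName_s, ResourceName_s, ExecutablePath_s, CommandLine_s, UserName
  ) on $left.Machine == $right.MachineResourceName_s, $left.Process == $right.ResourceName_s
| project-away MachineResourceName_s, ResourceName_s
| order by MaxSeverity desc, LinksEstablished desc
```

Inbound rows with a flagged RemoteIp usually indicate scanning or brute-force attempts against an exposed port, while outbound rows are the ones to triage first, since they show a local process initiating contact with the indicator.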

Ports

Ports on a machine that actively accept incoming traffic, or that could potentially accept traffic but are idle during the reporting time window, are written to the VMBoundPort table.

Every record in VMBoundPort is identified by the following fields:

| Property | Description |
|---|---|
| Process | Identity of the process (or group of processes) with which the port is associated. |
| Ip | Port IP address (can be the wildcard IP, 0.0.0.0) |
| Port | The port number |
| Protocol | The protocol. For example, tcp or udp (only tcp is currently supported). |

The identity of a port is derived from the above five fields and is stored in the PortId property. This property can be used to quickly find records for a specific port across time.

Metrics

Port records include metrics representing the connections associated with them. Currently, the following metrics are reported (the details for each metric are described in the previous section):

  • BytesSent and BytesReceived
  • LinksEstablished, LinksTerminated, LinksLive
  • Responses, ResponseTimeMin, ResponseTimeMax, ResponseTimeSum

Here are some important points to consider:

  • If a process accepts connections on the same IP address but over multiple network interfaces, a separate record is reported for each interface.
  • Records with a wildcard IP contain no activity. They are included to represent the fact that a port on the machine is open to inbound traffic.
  • To reduce verbosity and data volume, records with a wildcard IP are omitted when there is a matching record (for the same process, port, and protocol) with a specific IP address. When a wildcard IP record is omitted, the IsWildcardBind property of the record with the specific IP address is set to True. This indicates that the port is exposed over every interface of the reporting machine.
  • Ports that are bound only on a specific interface have IsWildcardBind set to False.
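Because the wildcard record is suppressed whenever a specific-IP record exists, an exposure inventory has to treat IsWildcardBind == True and Ip == 0.0.0.0 as the same condition. The query below is an added example, not from the original page; it assumes IsWildcardBind is a boolean and uses the PortId property to keep one latest record per port before joining the owning process from ServiceMapProcess_CL.

```kusto
// Added example: listening ports exposed on every interface of each machine,
// with the executable and account behind them. Loopback-only binds are excluded.
VMBoundPort
| where TimeGenerated >= ago(24h)
| where Ip != "127.0.0.1"
// one record per port identity (PortId covers Machine, Process, Ip, Port, Protocol)
| summarize arg_max(TimeGenerated, *) by PortId
// wildcard record kept as-is, or specific-IP record carrying the wildcard flag
| where Ip == "0.0.0.0" or tostring(IsWildcardBind) =~ "true"
| join kind=leftouter (
    ServiceMapProcess_CL
    | summarize arg_max(TimeGenerated, *) by ResourceId
    | project MachineResourceName_s, ResourceName_s, ExecutablePath_s, CommandLine_s, UserName, UserDomain
  ) on $left.Machine == $right.MachineResourceName_s, $left.Process == $right.ResourceName_s
| project Computer, Port, Protocol, Ip, ProcessName, ExecutablePath_s, UserDomain, UserName,
          LinksLive, LinksEstablished, LastSeen = TimeGenerated
| order by Computer asc, Port asc
```

Rows where LinksEstablished stays at zero over the window are ports that are open but unused, which is the set to review first when reducing a machine's listening surface.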

ServiceMapComputer_CL records

Records with a type of ServiceMapComputer_CL have inventory data for servers with the Dependency agent. These records have the properties in the following table:

| Property | Description |
|---|---|
| Type | ServiceMapComputer_CL |
| SourceSystem | OpsManager |
| ResourceId | The unique identifier for a machine within the workspace |
| ResourceName_s | The unique identifier for a machine within the workspace |
| ComputerName_s | The computer FQDN |
| Ipv4Addresses_s | A list of the server's IPv4 addresses |
| Ipv6Addresses_s | A list of the server's IPv6 addresses |
| DnsNames_s | An array of DNS names |
| OperatingSystemFamily_s | Windows or Linux |
| OperatingSystemFullName_s | The full name of the operating system |
| Bitness_s | The bitness of the machine (32-bit or 64-bit) |
| PhysicalMemory_d | The physical memory in MB |
| Cpus_d | The number of CPUs |
| CpuSpeed_d | The CPU speed in MHz |
| VirtualizationState_s | unknown, physical, virtual, hypervisor |
| VirtualMachineType_s | hyperv, vmware, and so on |
| VirtualMachineNativeMachineId_g | The VM ID as assigned by its hypervisor |
| VirtualMachineName_s | The name of the VM |
| BootTime_t | The boot time |

ServiceMapProcess_CL type records

Records with a type of ServiceMapProcess_CL have inventory data for TCP-connected processes on servers with the Dependency agent. These records have the properties in the following table:

| Property | Description |
|---|---|
| Type | ServiceMapProcess_CL |
| SourceSystem | OpsManager |
| ResourceId | The unique identifier for a process within the workspace |
| ResourceName_s | The unique identifier for a process within the machine on which it is running |
| MachineResourceName_s | The resource name of the machine |
| ExecutableName_s | The name of the process executable |
| StartTime_t | The process pool start time |
| FirstPid_d | The first PID in the process pool |
| Description_s | The process description |
| CompanyName_s | The name of the company |
| InternalName_s | The internal name |
| ProductName_s | The name of the product |
| ProductVersion_s | The product version |
| FileVersion_s | The file version |
| CommandLine_s | The command line |
| ExecutablePath_s | The path to the executable file |
| WorkingDirectory_s | The working directory |
| UserName | The account under which the process is executing |
| UserDomain | The domain under which the process is executing |

Sample log searches

List all known machines

```kusto
ServiceMapComputer_CL | summarize arg_max(TimeGenerated, *) by ResourceId
```

When was the VM last rebooted

```kusto
let Today = now(); ServiceMapComputer_CL | extend DaysSinceBoot = Today - BootTime_t | summarize by Computer, DaysSinceBoot, BootTime_t | sort by BootTime_t asc
```

Summary of Azure VMs by image, location, and SKU

```kusto
ServiceMapComputer_CL | where AzureLocation_s != "" | summarize by ComputerName_s, AzureImageOffering_s, AzureLocation_s, AzureImageSku_s
```

List the physical memory capacity of all managed computers.

```kusto
ServiceMapComputer_CL | summarize arg_max(TimeGenerated, *) by ResourceId | project PhysicalMemory_d, ComputerName_s
```

List computer name, DNS, IP, and OS.

```kusto
ServiceMapComputer_CL | summarize arg_max(TimeGenerated, *) by ResourceId | project ComputerName_s, OperatingSystemFullName_s, DnsNames_s, Ipv4Addresses_s
```

Find all processes with "sql" in the command line

```kusto
ServiceMapProcess_CL | where CommandLine_s contains_cs "sql" | summarize arg_max(TimeGenerated, *) by ResourceId
```

Find a machine (most recent record) by resource name

```kusto
search in (ServiceMapComputer_CL) "m-4b9c93f9-bc37-46df-b43c-899ba829e07b" | summarize arg_max(TimeGenerated, *) by ResourceId
```

Find a machine (most recent record) by IP address

```kusto
search in (ServiceMapComputer_CL) "10.229.243.232" | summarize arg_max(TimeGenerated, *) by ResourceId
```

List all known processes on a specified machine

```kusto
ServiceMapProcess_CL | where MachineResourceName_s == "m-559dbcd8-3130-454d-8d1d-f624e57961bc" | summarize arg_max(TimeGenerated, *) by ResourceId
```

List all computers running SQL Server

```kusto
ServiceMapComputer_CL | where ResourceName_s in ((search in (ServiceMapProcess_CL) "*sql*" | distinct MachineResourceName_s)) | distinct ComputerName_s
```

List all unique product versions of curl in my datacenter

```kusto
ServiceMapProcess_CL | where ExecutableName_s == "curl" | distinct ProductVersion_s
```

Create a computer group of all computers running CentOS

```kusto
ServiceMapComputer_CL | where OperatingSystemFullName_s contains_cs "CentOS" | distinct ComputerName_s
```

Bytes sent and received trends

```kusto
VMConnection | summarize sum(BytesSent), sum(BytesReceived) by bin(TimeGenerated,1hr), Computer | order by Computer desc | render timechart
```

Which Azure VMs are transmitting the most bytes

```kusto
// sum the bytes (count() takes no argument in KQL) and join only the latest
// inventory record per machine so hourly inventory rows do not multiply the connection rows
VMConnection | join kind=leftouter (ServiceMapComputer_CL | summarize arg_max(TimeGenerated, *) by ResourceId) on $left.Computer == $right.ComputerName_s | summarize sum(BytesSent) by Computer, AzureVMSize_s | sort by sum_BytesSent desc
```

Link status trends

```kusto
// the Links* properties are per-minute counts, so they are summed per hour rather than distinct-counted
VMConnection | where TimeGenerated >= ago(24hr) | where Computer == "acme-demo" | summarize sum(LinksEstablished), sum(LinksLive), sum(LinksFailed), sum(LinksTerminated) by bin(TimeGenerated, 1h) | render timechart
```

Connection failures trend

```kusto
// LinksFailed is the number of failed physical connections in each record, so it is summed per hour of day
VMConnection | where Computer == "acme-demo" | extend bythehour = datetime_part("hour", TimeGenerated) | project bythehour, LinksFailed | summarize failCount = sum(LinksFailed) by bythehour | sort by bythehour asc | render timechart
```

Bound ports

```kusto
VMBoundPort
| where TimeGenerated >= ago(24hr)
| where Computer == 'admdemo-appsvr'
| distinct Port, ProcessName
```

Number of open ports across machines

```kusto
VMBoundPort
| where Ip != "127.0.0.1"
| summarize by Computer, Machine, Port, Protocol
| summarize OpenPorts=count() by Computer, Machine
| order by OpenPorts desc
```

Score processes in your workspace by the number of ports they have open

```kusto
VMBoundPort
| where Ip != "127.0.0.1"
| summarize by ProcessName, Port, Protocol
| summarize OpenPorts=count() by ProcessName
| order by OpenPorts desc
```

Aggregate behavior for each port

This query can then be used to score ports by activity, for example, ports with the most inbound/outbound traffic or ports with the most connections.

```kusto
VMBoundPort
| where Ip != "127.0.0.1"
| summarize BytesSent=sum(BytesSent), BytesReceived=sum(BytesReceived), LinksEstablished=sum(LinksEstablished), LinksTerminated=sum(LinksTerminated), arg_max(TimeGenerated, LinksLive) by Machine, Computer, ProcessName, Ip, Port, IsWildcardBind
| project-away TimeGenerated
| order by Machine, Computer, Port, Ip, ProcessName
```

Summarize the outbound connections from a group of machines

```kusto
// the machines of interest
let machines = datatable(m: string) ["m-82412a7a-6a32-45a9-a8d6-538354224a25"];
// map of ip to monitored machine in the environment
let ips=materialize(ServiceMapComputer_CL
| summarize ips=makeset(todynamic(Ipv4Addresses_s)) by MonitoredMachine=ResourceName_s
| mvexpand ips to typeof(string));
// all connections to/from the machines of interest
let out=materialize(VMConnection
| where Machine in (machines)
| summarize arg_max(TimeGenerated, *) by ConnectionId);
// connections to localhost augmented with RemoteMachine
let local=out
| where RemoteIp startswith "127."
| project ConnectionId, Direction, Machine, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine=Machine;
// connections not to localhost augmented with RemoteMachine
let remote=materialize(out
| where RemoteIp !startswith "127."
| join kind=leftouter (ips) on $left.RemoteIp == $right.ips
| summarize by ConnectionId, Direction, Machine, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine=MonitoredMachine);
// the remote machines to/from which we have connections
let remoteMachines = remote | summarize by RemoteMachine;
// all augmented connections
(local)
| union (remote)
// Take all outbound records but only inbound records that come from either
// unmonitored machines or monitored machines not in the set for which we are computing dependencies.
| where Direction == 'outbound' or (Direction == 'inbound' and RemoteMachine !in (machines))
| summarize by ConnectionId, Direction, Machine, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine
// identify the remote port
| extend RemotePort=iff(Direction == 'outbound', DestinationPort, 0)
// construct the join key we'll use to find a matching port
| extend JoinKey=strcat_delim(':', RemoteMachine, RemoteIp, RemotePort, Protocol)
// find a matching port
| join kind=leftouter (VMBoundPort
| where Machine in (remoteMachines)
| summarize arg_max(TimeGenerated, *) by PortId
| extend JoinKey=strcat_delim(':', Machine, Ip, Port, Protocol)) on JoinKey
// aggregate the remote information
| summarize Remote=makeset(iff(isempty(RemoteMachine), todynamic('{}'), pack('Machine', RemoteMachine, 'Process', Process1, 'ProcessName', ProcessName1))) by ConnectionId, Direction, Machine, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol
```

Next steps