
Resource logging for a network security group

A network security group (NSG) includes rules that allow or deny traffic to a virtual network subnet, network interface, or both.

When you enable logging for an NSG, you can gather the following types of resource log information:

  • Event: Entries are logged for which NSG rules are applied to VMs, based on MAC address.
  • Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic. The status for these rules is collected every 300 seconds.

Resource logs are only available for NSGs deployed through the Azure Resource Manager deployment model. You cannot enable resource logging for NSGs deployed through the classic deployment model. For a better understanding of the two models, see Understanding Azure deployment models.

Resource logging is enabled separately for each NSG you want to collect diagnostic data for. If you're interested in activity (operational) logs instead, see Azure activity logging.

Enable logging

You can use the Azure portal, PowerShell, or the Azure CLI to enable resource logging.

Azure portal

  1. Sign in to the portal.

  2. Select All services, then type network security groups. When Network security groups appears in the search results, select it.

  3. Select the NSG you want to enable logging for.

  4. Under MONITORING, select Diagnostics logs, and then select Turn on diagnostics, as shown in the following picture:

    (Picture: Turn on diagnostics)

  5. Under Diagnostics settings, enter or select the following information, and then select Save:

     Setting: Value
     Name: A name of your choosing. For example: myNsgDiagnostics
     Archive to a storage account, Stream to an event hub, and Send to Log Analytics: You can select as many destinations as you choose. To learn more about each, see Log destinations.
     LOG: Select either or both log categories. To learn more about the data logged for each category, see Log categories.

  6. View and analyze logs. For more information, see View and analyze logs.

PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

You can run the commands that follow in the Azure Cloud Shell, or by running PowerShell from your computer. The Azure Cloud Shell is a free interactive shell. It has common Azure tools preinstalled and configured to use with your account. If you run PowerShell from your computer, you need the Azure PowerShell module, version 1.0.0 or later. Run Get-Module -ListAvailable Az on your computer to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to sign in to Azure with an account that has the necessary permissions.

To enable resource logging, you need the Id of an existing NSG. If you don't have an existing NSG, you can create one with New-AzNetworkSecurityGroup.

Retrieve the network security group that you want to enable resource logging for with Get-AzNetworkSecurityGroup. For example, to retrieve an NSG named myNsg that exists in a resource group named myResourceGroup, enter the following command:

$Nsg=Get-AzNetworkSecurityGroup `
  -Name myNsg `
  -ResourceGroupName myResourceGroup

You can write resource logs to three destination types. For more information, see Log destinations. In this article, logs are sent to the Log Analytics destination, as an example. Retrieve an existing Log Analytics workspace with Get-AzOperationalInsightsWorkspace. For example, to retrieve an existing workspace named myWorkspace in a resource group named myWorkspaces, enter the following command:

$Oms=Get-AzOperationalInsightsWorkspace `
  -ResourceGroupName myWorkspaces `
  -Name myWorkspace

If you don't have an existing workspace, you can create one with New-AzOperationalInsightsWorkspace.

There are two categories of logging you can enable logs for. For more information, see Log categories. Enable resource logging for the NSG with Set-AzDiagnosticSetting. The following example logs both event and counter category data to the workspace for an NSG, using the IDs for the NSG and workspace you retrieved previously:

Set-AzDiagnosticSetting `
  -ResourceId $Nsg.Id `
  -WorkspaceId $Oms.ResourceId `
  -Enabled $true

If you only want to log data for one category or the other, rather than both, add the -Categories option to the previous command, followed by NetworkSecurityGroupEvent or NetworkSecurityGroupRuleCounter. If you want to log to a different destination than a Log Analytics workspace, use the appropriate parameters for an Azure Storage account or Event Hub.

View and analyze logs. For more information, see View and analyze logs.

Azure CLI

You can run the commands that follow in the Azure Cloud Shell, or by running the Azure CLI from your computer. The Azure Cloud Shell is a free interactive shell. It has common Azure tools preinstalled and configured to use with your account. If you run the CLI from your computer, you need version 2.0.38 or later. Run az --version on your computer to find the installed version. If you need to upgrade, see Install Azure CLI. If you are running the CLI locally, you also need to run az login to sign in to Azure with an account that has the necessary permissions.

To enable resource logging, you need the Id of an existing NSG. If you don't have an existing NSG, you can create one with az network nsg create.

Retrieve the network security group that you want to enable resource logging for with az network nsg show. For example, to retrieve an NSG named myNsg that exists in a resource group named myResourceGroup, enter the following command:

nsgId=$(az network nsg show \
  --name myNsg \
  --resource-group myResourceGroup \
  --query id \
  --output tsv)

You can write resource logs to three destination types. For more information, see Log destinations. In this article, logs are sent to the Log Analytics destination, as an example. For more information, see Log categories.

Enable resource logging for the NSG with az monitor diagnostic-settings create. The following example logs both event and counter category data to an existing workspace named myWorkspace, which exists in a resource group named myWorkspaces, using the ID of the NSG you retrieved previously:

az monitor diagnostic-settings create \
  --name myNsgDiagnostics \
  --resource $nsgId \
  --logs '[ { "category": "NetworkSecurityGroupEvent", "enabled": true, "retentionPolicy": { "days": 30, "enabled": true } }, { "category": "NetworkSecurityGroupRuleCounter", "enabled": true, "retentionPolicy": { "days": 30, "enabled": true } } ]' \
  --workspace myWorkspace \
  --resource-group myWorkspaces

If you don't have an existing workspace, you can create one using the Azure portal or PowerShell. There are two categories of logging you can enable logs for.

If you only want to log data for one category or the other, remove the category you don't want to log data for from the previous command. If you want to log to a different destination than a Log Analytics workspace, use the appropriate parameters for an Azure Storage account or Event Hub.

View and analyze logs. For more information, see View and analyze logs.
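Two parts of the CLI procedure above are easy to get wrong by hand: the JSON handed to --logs, and checking afterwards that every NSG really has both categories enabled and pointed at a destination. The following Python is an added example, not code from the Microsoft documentation or the Azure CLI. It builds the --logs value in the same shape as the az monitor diagnostic-settings create call above, and audits a set of diagnostic settings per NSG. The settings are constructed sample dictionaries; the assumption is that each carries the name, logs, workspaceId, storageAccountId and eventHubAuthorizationRuleId keys of a Microsoft.Insights/diagnosticSettings resource, which is the shape one item of az monitor diagnostic-settings list output takes.

```python
import json

# The only two resource log categories an NSG exposes (both named in the article).
NSG_LOG_CATEGORIES = ("NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter")


def build_logs_entries(categories, retention_days=30):
    """Return the list that `az monitor diagnostic-settings create --logs` expects,
    in the same shape as the article's CLI example. Category names unknown for an
    NSG are rejected up front; a typo would otherwise only surface as an ARM error."""
    unknown = sorted(set(categories) - set(NSG_LOG_CATEGORIES))
    if unknown:
        raise ValueError(f"unknown NSG log categories: {unknown}")
    # retentionPolicy only applies to the storage account destination; days=0 with
    # enabled=False leaves retention unmanaged.
    return [
        {"category": c, "enabled": True,
         "retentionPolicy": {"days": retention_days, "enabled": retention_days > 0}}
        for c in NSG_LOG_CATEGORIES if c in categories
    ]


def build_logs_argument(categories, retention_days=30):
    """JSON string form of build_logs_entries, ready to quote after --logs."""
    return json.dumps(build_logs_entries(categories, retention_days))


def audit_diagnostic_setting(setting, required=NSG_LOG_CATEGORIES):
    """Report which required categories one diagnostic setting does not emit and
    which destinations it writes to. Assumed input shape: one item of
    `az monitor diagnostic-settings list` output (name, logs[], *Id destinations)."""
    enabled = {entry["category"] for entry in setting.get("logs", []) if entry.get("enabled")}
    destinations = [key for key in ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")
                    if setting.get(key)]
    return {"name": setting.get("name"),
            "missing": sorted(set(required) - enabled),
            "destinations": destinations}


def nsgs_not_fully_logged(settings_by_nsg, required=NSG_LOG_CATEGORIES):
    """Map NSG name -> categories that no diagnostic setting on that NSG emits.
    An NSG may have several settings (one per destination), so coverage is their
    union. A setting with no destination at all is ignored: it emits nothing."""
    gaps = {}
    for nsg, settings in settings_by_nsg.items():
        covered = set()
        for setting in settings:
            report = audit_diagnostic_setting(setting, required)
            if report["destinations"]:
                covered |= set(required) - set(report["missing"])
        missing = sorted(set(required) - covered)
        if missing:
            gaps[nsg] = missing
    return gaps


# Constructed sample: three NSGs as a diagnostic-settings listing might describe
# them. Resource IDs are placeholders, not real subscriptions or resources.
_WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myWorkspaces"
                 "/providers/Microsoft.OperationalInsights/workspaces/myWorkspace")
_STORAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
               "/providers/Microsoft.Storage/storageAccounts/mynsglogs")

SAMPLE_SETTINGS_BY_NSG = {
    # Both categories to Log Analytics: what the article's CLI example produces.
    "myNsg": [{"name": "myNsgDiagnostics", "workspaceId": _WORKSPACE_ID,
               "logs": build_logs_entries(NSG_LOG_CATEGORIES)}],
    # Event category only; the rule counter category was switched off.
    "webNsg": [{"name": "eventsOnly", "storageAccountId": _STORAGE_ID,
                "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": True,
                          "retentionPolicy": {"days": 30, "enabled": True}},
                         {"category": "NetworkSecurityGroupRuleCounter", "enabled": False,
                          "retentionPolicy": {"days": 0, "enabled": False}}]}],
    # No diagnostic setting at all.
    "dbNsg": [],
}

if __name__ == "__main__":
    print(build_logs_argument(["NetworkSecurityGroupRuleCounter"], retention_days=30))
    for nsg, missing in nsgs_not_fully_logged(SAMPLE_SETTINGS_BY_NSG).items():
        print(f"{nsg}: not logging {', '.join(missing)}")
```

In practice the input to nsgs_not_fully_logged would be built by running az monitor diagnostic-settings list once per NSG ID from az network nsg list; the audit itself stays offline, which is what makes it easy to run in CI against an exported inventory.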

Log destinations

Diagnostics data can be archived to an Azure Storage account, streamed to an Event Hub, or sent to Log Analytics (Azure Monitor logs); you can select any combination of these destinations.

Log categories

JSON-formatted data is written for the following log categories:

Event

The event log contains information about which NSG rules are applied to VMs, based on MAC address. The following data is logged for each event. In the following example, the data is logged for a virtual machine with the IP address 192.168.1.4 and a MAC address of 00-0D-3A-92-6A-7C:

{
    "time": "[DATE-TIME]",
    "systemId": "[ID]",
    "category": "NetworkSecurityGroupEvent",
    "resourceId": "/SUBSCRIPTIONS/[SUBSCRIPTION-ID]/RESOURCEGROUPS/[RESOURCE-GROUP-NAME]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG-NAME]",
    "operationName": "NetworkSecurityGroupEvents",
    "properties": {
        "vnetResourceGuid":"[ID]",
        "subnetPrefix":"192.168.1.0/24",
        "macAddress":"00-0D-3A-92-6A-7C",
        "primaryIPv4Address":"192.168.1.4",
        "ruleName":"[SECURITY-RULE-NAME]",
        "direction":"[DIRECTION-SPECIFIED-IN-RULE]",
        "priority":"[PRIORITY-SPECIFIED-IN-RULE]",
        "type":"[ALLOW-OR-DENY-AS-SPECIFIED-IN-RULE]",
        "conditions":{
            "protocols":"[PROTOCOLS-SPECIFIED-IN-RULE]",
            "destinationPortRange":"[PORT-RANGE-SPECIFIED-IN-RULE]",
            "sourcePortRange":"[PORT-RANGE-SPECIFIED-IN-RULE]",
            "sourceIP":"[SOURCE-IP-OR-RANGE-SPECIFIED-IN-RULE]",
            "destinationIP":"[DESTINATION-IP-OR-RANGE-SPECIFIED-IN-RULE]"
            }
        }
}

Rule counter

The rule counter log contains information about each rule applied to resources. The following example data is logged each time a rule is applied. In the following example, the data is logged for a virtual machine with the IP address 192.168.1.4 and a MAC address of 00-0D-3A-92-6A-7C:

{
    "time": "[DATE-TIME]",
    "systemId": "[ID]",
    "category": "NetworkSecurityGroupRuleCounter",
    "resourceId": "/SUBSCRIPTIONS/[SUBSCRIPTION-ID]/RESOURCEGROUPS/[RESOURCE-GROUP-NAME]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG-NAME]",
    "operationName": "NetworkSecurityGroupCounters",
    "properties": {
        "vnetResourceGuid":"[ID]",
        "subnetPrefix":"192.168.1.0/24",
        "macAddress":"00-0D-3A-92-6A-7C",
        "primaryIPv4Address":"192.168.1.4",
        "ruleName":"[SECURITY-RULE-NAME]",
        "direction":"[DIRECTION-SPECIFIED-IN-RULE]",
        "type":"[ALLOW-OR-DENY-AS-SPECIFIED-IN-RULE]",
        "matchedConnections":125
        }
}

Note

The source IP address for the communication is not logged. You can, however, enable NSG flow logging for an NSG, which logs all of the rule counter information as well as the source IP address that initiated the communication. NSG flow log data is written to an Azure Storage account. You can analyze the data with the traffic analytics capability of Azure Network Watcher.

View and analyze logs

To learn how to view resource log data, see Azure platform logs overview. If you send diagnostics data to:

  • Azure Monitor logs: You can use the network security group analytics solution for enhanced insights. The solution provides visualizations for NSG rules that allow or deny traffic, per MAC address, of the network interface in a virtual machine.
  • Azure Storage account: Data is written to a PT1H.json file. You can find the:
    • Event log in the following path: insights-logs-networksecuritygroupevent/resourceId=/SUBSCRIPTIONS/[ID]/RESOURCEGROUPS/[RESOURCE-GROUP-NAME-FOR-NSG]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG NAME]/y=[YEAR]/m=[MONTH]/d=[DAY]/h=[HOUR]/m=[MINUTE]
    • Rule counter log in the following path: insights-logs-networksecuritygrouprulecounter/resourceId=/SUBSCRIPTIONS/[ID]/RESOURCEGROUPS/[RESOURCE-GROUP-NAME-FOR-NSG]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG NAME]/y=[YEAR]/m=[MONTH]/d=[DAY]/h=[HOUR]/m=[MINUTE]
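The two log categories documented above and the storage account blob paths just listed are what a defender actually has to work with once logging is on. The following Python is an added example, not code from the Microsoft documentation: it parses a PT1H.json blob path into its scope and hour bucket, loads the records, sums the 300-second rule counter samples per rule, flags inbound deny rules whose total exceeds a threshold, and lists which rules were applied to which NIC from the event records. The records are constructed samples in the documented shape (same VM as the article's examples, placeholder IDs); the assumptions are that a blob path ends in PT1H.json and that the file body is either a {"records": [...]} object or one JSON object per line, that direction and type values read "In"/"Out" and "allow"/"deny", and the rule names are illustrative.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Blob path layout quoted in the article. The resource ID segment is upper-cased and
# the minute folder reuses the "m=" prefix of the month folder, so fields are
# matched by position rather than by key.
_BLOB_PATH_RE = re.compile(
    r"insights-logs-(?P<category>networksecuritygroup(?:event|rulecounter))/"
    r"resourceId=/SUBSCRIPTIONS/(?P<sub>[^/]+)/RESOURCEGROUPS/(?P<rg>[^/]+)/"
    r"PROVIDERS/MICROSOFT\.NETWORK/NETWORKSECURITYGROUPS/(?P<nsg>[^/]+)/"
    r"y=(?P<y>\d{4})/m=(?P<mo>\d{2})/d=(?P<d>\d{2})/h=(?P<h>\d{2})/m=(?P<mi>\d{2})/PT1H\.json$",
    re.IGNORECASE,
)


def parse_blob_path(path):
    """Pull category, scope and the hour bucket out of a PT1H.json blob path."""
    m = _BLOB_PATH_RE.search(path)
    if not m:
        raise ValueError(f"not an NSG resource-log blob path: {path}")
    return {"category": m["category"].lower(), "subscription": m["sub"],
            "resource_group": m["rg"], "nsg": m["nsg"],
            "hour": datetime(int(m["y"]), int(m["mo"]), int(m["d"]), int(m["h"]),
                             int(m["mi"]), tzinfo=timezone.utc)}


def load_records(text):
    """Accept a PT1H.json body as {"records": [...]} or as one JSON object per line
    (assumption: both shapes occur for Azure diagnostic blobs)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict) and "records" in doc:
        return doc["records"]
    return doc if isinstance(doc, list) else [doc]


def rule_counter_totals(records):
    """Sum matchedConnections per (ruleName, direction, type) over rule counter
    records. Counters are 300-second samples, so summing an hour's records gives
    the hourly total for each rule."""
    totals = defaultdict(int)
    for rec in records:
        if rec.get("category") == "NetworkSecurityGroupRuleCounter":
            p = rec["properties"]
            totals[(p["ruleName"], p["direction"], p["type"])] += int(p["matchedConnections"])
    return dict(totals)


def denied_inbound_over(records, threshold):
    """Rules whose inbound deny total exceeds threshold: a cheap indicator that
    something keeps hitting a blocked port. Compared case-insensitively because the
    article shows direction and type only as placeholders."""
    return sorted(name for (name, direction, kind), n in rule_counter_totals(records).items()
                  if direction.lower() == "in" and kind.lower() == "deny" and n > threshold)


def rules_applied_per_nic(records):
    """From event records: MAC address -> sorted names of rules applied to that NIC."""
    applied = defaultdict(set)
    for rec in records:
        if rec.get("category") == "NetworkSecurityGroupEvent":
            applied[rec["properties"]["macAddress"]].add(rec["properties"]["ruleName"])
    return {mac: sorted(rules) for mac, rules in applied.items()}


# Constructed sample data in the documented shape; placeholder IDs, not real ones.
_NSG_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/MYRESOURCEGROUP"
           "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYNSG")
SAMPLE_BLOB_PATH = ("insights-logs-networksecuritygrouprulecounter/resourceId=" + _NSG_ID
                    + "/y=2020/m=05/d=17/h=09/m=00/PT1H.json")


def _rec(category, operation, **props):
    base = {"vnetResourceGuid": "[ID]", "subnetPrefix": "192.168.1.0/24",
            "macAddress": "00-0D-3A-92-6A-7C", "primaryIPv4Address": "192.168.1.4"}
    return {"time": "2020-05-17T09:00:00Z", "systemId": "[ID]", "category": category,
            "resourceId": _NSG_ID, "operationName": operation, "properties": {**base, **props}}


_COND = {"protocols": "TCP", "destinationPortRange": "22", "sourcePortRange": "0-65535",
         "sourceIP": "10.0.0.0/8", "destinationIP": "192.168.1.4"}
SAMPLE_RECORDS = [
    _rec("NetworkSecurityGroupEvent", "NetworkSecurityGroupEvents", ruleName="AllowSSH",
         direction="In", priority="100", type="allow", conditions=_COND),
    _rec("NetworkSecurityGroupEvent", "NetworkSecurityGroupEvents", ruleName="DenyAllInBound",
         direction="In", priority="65500", type="deny", conditions=dict(_COND, protocols="*")),
    _rec("NetworkSecurityGroupRuleCounter", "NetworkSecurityGroupCounters",
         ruleName="DenyAllInBound", direction="In", type="deny", matchedConnections=125),
    _rec("NetworkSecurityGroupRuleCounter", "NetworkSecurityGroupCounters",
         ruleName="DenyAllInBound", direction="In", type="deny", matchedConnections=80),
    _rec("NetworkSecurityGroupRuleCounter", "NetworkSecurityGroupCounters",
         ruleName="AllowSSH", direction="In", type="allow", matchedConnections=12),
    _rec("NetworkSecurityGroupRuleCounter", "NetworkSecurityGroupCounters",
         ruleName="AllowVnetOutBound", direction="Out", type="allow", matchedConnections=40),
]
SAMPLE_PT1H_JSON = json.dumps({"records": SAMPLE_RECORDS})
SAMPLE_PT1H_NDJSON = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    recs = load_records(SAMPLE_PT1H_JSON)
    print(parse_blob_path(SAMPLE_BLOB_PATH))
    print(rules_applied_per_nic(recs))
    print(rule_counter_totals(recs))
    print(denied_inbound_over(recs, threshold=100))
```

Because the rule counter never records the source address (see the note above), a rule that trips the threshold tells you where to look but not who is knocking; that is the point at which NSG flow logs or a Log Analytics query become the next step.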

Next steps

  • Learn more about Activity logging. Activity logging is enabled by default for NSGs created through either Azure deployment model. To determine which operations were completed on NSGs in the activity log, look for entries that contain the following resource types:
    • Microsoft.ClassicNetwork/networkSecurityGroups
    • Microsoft.ClassicNetwork/networkSecurityGroups/securityRules
    • Microsoft.Network/networkSecurityGroups
    • Microsoft.Network/networkSecurityGroups/securityRules
  • To learn how to log diagnostic information that includes the source IP address for each flow, see NSG flow logging.