Queries for the Syslog table
Find Linux kernel events
Find events reported by the Linux kernel process about killed processes.
// To create an alert for this query, click '+ New alert rule'
Syslog
| where ProcessName == "kernel" and SyslogMessage contains "Killed process"
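An added example (not from the original page) that goes one step beyond the query above: the kernel's OOM killer writes a message of the shape "Out of memory: Killed process <pid> (<name>) ..." (that message shape is an assumption about typical Linux kernels, not something the page states), so the PID and process name can be parsed out and the kills counted per host and per process. The sample rows are constructed inline with datatable so the query runs without a workspace; the column names match the Syslog table, the host names and messages are made up.

```kusto
// Added example, not from the original page. Sample rows are constructed;
// the "Killed process <pid> (<name>)" message shape is assumed from common Linux kernels.
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, ProcessName:string, SyslogMessage:string)
[
    datetime(2024-05-01 09:00:00), "app01", "kernel", "[12345.678] Out of memory: Killed process 2171 (java) total-vm:4194304kB, anon-rss:1048576kB, file-rss:0kB, shmem-rss:0kB",
    datetime(2024-05-01 09:05:00), "app01", "kernel", "[12645.001] Out of memory: Killed process 2290 (java) total-vm:4194304kB, anon-rss:1048576kB, file-rss:0kB, shmem-rss:0kB",
    datetime(2024-05-01 09:06:00), "app02", "kernel", "[99.123] Out of memory: Killed process 811 (mysqld) total-vm:2097152kB, anon-rss:524288kB, file-rss:0kB, shmem-rss:0kB",
    datetime(2024-05-01 09:07:00), "app02", "kernel", "[100.000] eth0: link up"
];
SampleSyslog
// Same filter as the page's query; 'has' matches whole terms, 'contains' a substring.
| where ProcessName == "kernel" and SyslogMessage has "Killed process"
// Pull the PID (typed as int) and the process name out of the message text.
| parse SyslogMessage with * "Killed process " KilledPid:int " (" KilledName ")" *
// One row per host and killed process, with how often and when it happened.
| summarize Kills = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, KilledName
| order by Kills desc
```

On the sample rows this yields two rows: app01/java with two kills and app02/mysqld with one; the "link up" line is filtered out because it does not contain the phrase. Against the real table, replace `SampleSyslog` with `Syslog` and add a time filter such as `| where TimeGenerated > ago(1d)`.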
All Syslog
Last 100 Syslog records.
Syslog
| top 100 by TimeGenerated desc
All Syslog with errors
Last 100 Syslog records with errors.
Syslog
| where SeverityLevel == "err" or SeverityLevel == "error"
| top 100 by TimeGenerated desc
All Syslog by facility
Count of all Syslog records by facility.
Syslog
| summarize count() by Facility
All Syslog by process name
Count of all Syslog records by process name.
Syslog
| summarize count() by ProcessName
Users added to Linux groups by computer
List computers on which users were added to Linux groups.
Syslog
| where Facility == 'authpriv' and SyslogMessage has 'to group' and (SyslogMessage has 'add' or SyslogMessage has 'added')
| summarize by Computer
New Linux groups created by computer
List computers on which new Linux groups were created.
Syslog
| where Facility == 'authpriv' and SyslogMessage has 'new group'
| summarize count() by Computer
Failed Linux user password changes
List computers with failed Linux user password changes.
Syslog
| where Facility == 'authpriv' and ((SyslogMessage has 'passwd:chauthtok' and SyslogMessage has 'authentication failure') or SyslogMessage has 'password change failed')
| summarize count() by Computer
Computers with failed ssh logons
List computers with failed ssh logons.
Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'sshd:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and ((SyslogMessage has 'Failed' and SyslogMessage has 'invalid user' and SyslogMessage has 'ssh2') or SyslogMessage has 'error: PAM: Authentication failure'))
| summarize count() by Computer
Computers with failed su logons
List computers with failed su logons.
Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'su:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and SyslogMessage has 'FAILED SU')
| summarize count() by Computer
Computers with failed sudo logons
List computers with failed sudo logons.
Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'sudo:auth' and (SyslogMessage has 'authentication failure' or SyslogMessage has 'conversation failed')) or ((Facility == 'auth' or Facility == 'authpriv') and SyslogMessage has 'user NOT in sudoers')
| summarize count() by Computer
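An added example (not from the original page) covering the three failed-logon queries above (ssh, su and sudo) in one query. It runs the same message tests over constructed sample rows, labels each hit with the failure type, extracts the target account and, where the message carries one, the source address, and then counts failures per host in 5-minute buckets so a burst from a single address stands out. Two things it assumes that the page does not state: the pam_unix/sshd/sudo message formats used in the sample rows, and that a failed ssh password for an existing account ("Failed password for root from ...") should count as well, so the `invalid user` term is deliberately not required. Host names and addresses are made up.

```kusto
// Added example, not from the original page. Sample rows are constructed; the
// pam_unix, sshd and sudo message shapes are assumptions, check them against your hosts.
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, Facility:string, SeverityLevel:string, ProcessName:string, SyslogMessage:string)
[
    datetime(2024-05-01 10:00:01), "web01", "auth",     "info",    "sshd", "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    datetime(2024-05-01 10:00:03), "web01", "auth",     "info",    "sshd", "Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2",
    datetime(2024-05-01 10:00:05), "web01", "authpriv", "notice",  "sshd", "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root",
    datetime(2024-05-01 10:02:00), "db02",  "authpriv", "notice",  "su",   "pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=pts/1 ruser=alice rhost=  user=root",
    datetime(2024-05-01 10:03:00), "db02",  "auth",     "warning", "sudo", "    bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    datetime(2024-05-01 10:04:00), "db02",  "auth",     "info",    "sshd", "Accepted publickey for alice from 198.51.100.5 port 40000 ssh2"
];
SampleSyslog
| where Facility in ("auth", "authpriv")
// Same term tests as the page's three queries, collapsed into one label per row.
// 'has' is a whole-term match, so "Failed" does not fire on e.g. "Unfailed".
| extend FailureType = case(
    SyslogMessage has "sshd:auth" or (SyslogMessage has "Failed" and SyslogMessage has "ssh2") or SyslogMessage has "error: PAM: Authentication failure", "ssh",
    SyslogMessage has "su:auth" or SyslogMessage has "FAILED SU", "su",
    SyslogMessage has "sudo:auth" or SyslogMessage has "conversation failed" or SyslogMessage has "user NOT in sudoers", "sudo",
    "")
| where isnotempty(FailureType)
// Target account: "invalid user <x>" (sshd), "user=<x>" (pam_unix; \b keeps "ruser=" from matching)
// or "USER=<x>" (sudo). Source address: "from <ip>" (sshd) or "rhost=<ip>" (pam_unix).
| extend TargetUser = extract(@"(?:invalid user |\buser=|USER=)(\S+)", 1, SyslogMessage),
         SourceIp   = extract(@"(?:from |rhost=)(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
| summarize Failures = count(),
            Users    = make_set(TargetUser),
            Sources  = make_set_if(SourceIp, isnotempty(SourceIp))
          by Computer, FailureType, bin(TimeGenerated, 5m)
| order by Failures desc
```

On the sample rows this returns three rows: web01/ssh in the 10:00 bucket with 3 failures, users admin, oracle and root, and the single source 203.0.113.7; db02/su with 1 failure for root and no source (local su has an empty rhost); and db02/sudo with 1 failure for root. The successful "Accepted publickey" line is not counted. Against the real table replace `SampleSyslog` with `Syslog`, add a time filter, and put a threshold such as `| where Failures > 20` in front of the `order by` before turning it into an alert rule.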