Azure 記錄與稽核Azure logging and auditing

Azure 提供各種可設定的安全性稽核和記錄選項,協助您識別安全性原則和機制間的差距。Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms. 本文討論如何從 Azure 上所裝載的服務產生、收集及分析安全性記錄。This article discusses generating, collecting, and analyzing security logs from services hosted on Azure.

注意

本文的某些建議可能會導致資料、網路或計算資源使用量增加,並可能增加授權或訂用帳戶成本。Certain recommendations in this article might result in increased data, network, or compute resource usage, and increase your license or subscription costs.

Azure 中的記錄類型Types of logs in Azure

雲端應用程式相當複雜,且具有許多移動組件。Cloud applications are complex, with many moving parts. 記錄可提供資料,協助應用程式保持正常運用。Logs provide data to help keep your applications up and running. 記錄可協助您針對過去的問題進行疑難排解,或防止可能的問題。Logs help you troubleshoot past problems or prevent potential ones. 而且有助於提升應用程式效能或維護性,或是將原本需要手動介入的動作自動化。And they can help improve application performance or maintainability, or automate actions that would otherwise require manual intervention.

Azure 記錄可歸類為下列類型:Azure logs are categorized into the following types:

  • 控制/管理記錄提供 Azure Resource Manager CREATE、UPDATE 和 DELETE 作業的相關資訊。Control/management logs provide information about Azure Resource Manager CREATE, UPDATE, and DELETE operations. 如需詳細資訊,請參閱Azure 活動記錄For more information, see Azure activity logs.

  • 資料平面記錄提供使用 Azure 資源時所引發事件的相關資訊。Data plane logs provide information about events raised as part Azure resource usage. 這個記錄類型的範例是虛擬機器 (VM) 中的 Windows 事件系統、安全性和應用程式記錄,以及透過 Azure 監視器設定的診斷記錄Examples of this type of log are the Windows event system, security, and application logs in a virtual machine (VM) and the diagnostics logs that are configured through Azure Monitor.

  • 已處理的事件提供分析已代替您處理之事件/警示的相關資訊。Processed events provide information about analyzed events/alerts that have been processed on your behalf. 這個類型的範例是 Azure 資訊安全中心警示Azure 資訊安全中心已在其中處理和分析您的訂用帳戶,並提供簡要的安全性警示。Examples of this type are Azure Security Center alerts where Azure Security Center has processed and analyzed your subscription and provides concise security alerts.

下表列出 Azure 中可用的最重要記錄類型:The following table lists the most important types of logs available in Azure:

記錄分類Log category 記錄類型Log type 使用量Usage 整合Integration
活動記錄Activity logs Azure Resource Manager 資源上控制層面的事件Control-plane events on Azure Resource Manager resources 讓您了解訂用帳戶中的資源所執行之作業。Provides insight into the operations that were performed on resources in your subscription. REST API、Azure 監視器Rest API, Azure Monitor
Azure 診斷記錄Azure diagnostics logs 關於訂用帳戶中 Azure Resource Manager 作業的經常性資料Frequent data about the operation of Azure Resource Manager resources in subscription 讓您了解資源自行執行的作業。Provides insight into operations that your resource itself performed. Azure 監視器、資料流Azure Monitor, Stream
Azure AD 報告Azure AD reporting 記錄和報告Logs and reports 報告使用者登入活動,以及使用者和群組管理相關的系統活動資訊。Reports user sign-in activities and system activity information about users and group management. Graph APIGraph API
虛擬機器和雲端服務Virtual machines and cloud services Windows 事件記錄服務與 Linux SyslogWindows Event Log service and Linux Syslog 在虛擬機器上擷取系統資料和記錄資料,並將該資料傳送到您所選擇的儲存體帳戶。Captures system data and logging data on the virtual machines and transfers that data into a storage account of your choice. Azure 監視器中的 Windows (使用 Windows Azure 診斷儲存體 [WAD] 儲存體) 和 LinuxWindows (using Windows Azure Diagnostics [WAD] storage) and Linux in Azure Monitor
Azure 儲存體分析Azure Storage Analytics 儲存體記錄,提供儲存體帳戶的計量資料Storage logging, provides metrics data for a storage account 讓您了解追蹤要求、分析使用趨勢,以及診斷儲存體帳戶的問題。Provides insight into trace requests, analyzes usage trends, and diagnoses issues with your storage account. REST API 或用戶端程式庫REST API or the client library
網路安全性群組 (NSG) 流程記錄Network Security Group (NSG) flow logs JSON 格式,顯示每個規則的輸出和輸入流程JSON format, shows outbound and inbound flows on a per-rule basis 顯示透過網路安全性群組輸入和輸出 IP 流量的相關資訊。Displays information about ingress and egress IP traffic through a Network Security Group. Azure 網路監看員Azure Network Watcher
Application InsightApplication insight 記錄、例外狀況及自訂診斷Logs, exceptions, and custom diagnostics 提供多個平台上的 Web 開發人員所適用的應用程式效能監控 (APM) 服務。Provides an application performance monitoring (APM) service for web developers on multiple platforms. REST API、Power BIREST API, Power BI
處理資料 / 安全性警示Process data / security alerts Azure 資訊安全中心警示、 Azure 監視器記錄檔警示Azure Security Center alerts, Azure Monitor logs alerts 提供安全性資訊和警示。Provides security information and alerts. REST API、JSONREST APIs, JSON

活動記錄Activity logs

Azure 活動記錄能讓您深入了解在訂用帳戶資源上執行的作業。Azure activity logs provide insight into the operations that were performed on resources in your subscription. 活動記錄先前稱為「稽核記錄」或「作業記錄」,因為這些記錄會報告訂用帳戶的控制層面的事件Activity logs were previously known as “audit logs” or “operational logs,” because they report control-plane events for your subscriptions.

活動記錄可協助您判斷寫入作業 的「內容、對象及時間」(也就是 PUT、POST 或 DELETE)。Activity logs help you determine the “what, who, and when” for write operations (that is, PUT, POST, or DELETE). 活動記錄也可協助您了解作業的狀態和其他相關屬性。Activity logs also help you understand the status of the operation and other relevant properties. 活動記錄不包含讀取 (GET) 作業。Activity logs do not include read (GET) operations.

在本文中,PUT、POST、DELETE 是指資源上活動記錄包含的所有寫入作業。In this article, PUT, POST, and DELETE refer to all the write operations that an activity log contains on the resources. 例如,您可以在針對問題進行疑難排解時使用活動記錄來尋找錯誤,或是監視組織中使用者修改資源的方式。For example, you can use the activity logs to find an error when you're troubleshooting issues or to monitor how a user in your organization modified a resource.

活動記錄圖表

您可以使用 Azure 入口網站、Azure CLI、PowerShell Cmdlet 和 Azure 監視器 REST API,從活動記錄中擷取事件。You can retrieve events from an activity log by using the Azure portal, Azure CLI, PowerShell cmdlets, and Azure Monitor REST API. 活動記錄的資料保留期間為 90 天。Activity logs have 90-day data-retention period.

活動記錄事件的整合案例:Integration scenarios for an activity log event:

您可以使用並非發出記錄的同一個訂用帳戶中的儲存體帳戶或事件中樞命名空間You can use a storage account or event hub namespace that is not in the same subscription as the one that's emitting the log. 進行此設定的人員必須具有這兩個訂用帳戶的適當角色型存取控制 (RBAC) 存取權。Whoever configures the setting must have the appropriate role-based access control (RBAC) access to both subscriptions.

Azure 診斷記錄Azure diagnostics logs

Azure 診斷記錄是由資源發出的,提供有關該資源之作業的豐富、經常性資料。Azure diagnostics logs are emitted by a resource that provides rich, frequent data about the operation of that resource. 這些記錄的內容會依資源類型而有所不同。The content of these logs varies by resource type. 例如,Windows 事件系統記錄是適用於 VM 的診斷記錄類別,而 Blob、資料表和佇列記錄則是適用於儲存體帳戶的診斷記錄類別。For example, Windows event system logs are a category of diagnostics logs for VMs, and blob, table, and queue logs are categories of diagnostics logs for storage accounts. 診斷記錄與活動記錄不同,其針對在訂用帳戶中資源上所執行的作業提供深入解析。Diagnostics logs differ from activity logs, which provide insight into the operations that were performed on resources in your subscription.

Azure 診斷記錄圖表

Azure 診斷記錄提供多個組態選項,例如 Azure 入口網站、PowerShell、Azure CLI 和 REST API。Azure diagnostics logs offer multiple configuration options, such as the Azure portal, PowerShell, Azure CLI, and the REST API.

整合案例Integration scenarios

支援的服務、診斷記錄的結構描述,以及每個資源類型支援的記錄分類Supported services, schema for diagnostics logs and supported log categories per resource type

服務Service 結構描述與文件Schema and documentation 資源類型Resource type CategoryCategory
Azure Load BalancerAzure Load Balancer 負載平衡器 (預覽) 的 azure 監視器記錄檔Azure Monitor logs for Load Balancer (Preview) Microsoft.Network/loadBalancersMicrosoft.Network/loadBalancers
Microsoft.Network/loadBalancersMicrosoft.Network/loadBalancers
LoadBalancerAlertEventLoadBalancerAlertEvent
LoadBalancerProbeHealthStatusLoadBalancerProbeHealthStatus
網路安全性群組Network Security Groups 網路安全性群組的 azure 監視器記錄檔Azure Monitor logs for Network Security Groups Microsoft.Network/networksecuritygroupsMicrosoft.Network/networksecuritygroups
Microsoft.Network/networksecuritygroupsMicrosoft.Network/networksecuritygroups
NetworkSecurityGroupEventNetworkSecurityGroupEvent
NetworkSecurityGroupRuleCounterNetworkSecurityGroupRuleCounter
Azure 應用程式閘道Azure Application Gateway 應用程式閘道的診斷記錄功能Diagnostics logging for Application Gateway Microsoft.Network/applicationGatewaysMicrosoft.Network/applicationGateways
Microsoft.Network/applicationGatewaysMicrosoft.Network/applicationGateways
Microsoft.Network/applicationGatewaysMicrosoft.Network/applicationGateways
ApplicationGatewayAccessLogApplicationGatewayAccessLog
ApplicationGatewayPerformanceLogApplicationGatewayPerformanceLog
ApplicationGatewayFirewallLogApplicationGatewayFirewallLog
Azure 金鑰保存庫Azure Key Vault 金鑰保存庫記錄Key Vault logs Microsoft.KeyVault/vaultsMicrosoft.KeyVault/vaults AuditEventAuditEvent
Azure 搜尋服務Azure Search 啟用和使用搜尋流量分析Enabling and using Search Traffic Analytics Microsoft.Search/searchServicesMicrosoft.Search/searchServices OperationLogsOperationLogs
Azure Data Lake StoreAzure Data Lake Store 存取 Data Lake Store 的診斷記錄Access diagnostics logs for Data Lake Store Microsoft.DataLakeStore/accountsMicrosoft.DataLakeStore/accounts
Microsoft.DataLakeStore/accountsMicrosoft.DataLakeStore/accounts
稽核Audit
RequestsRequests
Azure Data Lake AnalyticsAzure Data Lake Analytics 存取 Data Lake Store 的診斷記錄Access diagnostics logs for Data Lake Analytics Microsoft.DataLakeAnalytics/accountsMicrosoft.DataLakeAnalytics/accounts
Microsoft.DataLakeAnalytics/accountsMicrosoft.DataLakeAnalytics/accounts
稽核Audit
RequestsRequests
Azure Logic AppsAzure Logic Apps Logic Apps B2B 自訂追蹤結構描述Logic Apps B2B custom tracking schema Microsoft.Logic/workflowsMicrosoft.Logic/workflows
Microsoft.Logic/integrationAccountsMicrosoft.Logic/integrationAccounts
WorkflowRuntimeWorkflowRuntime
IntegrationAccountTrackingEventsIntegrationAccountTrackingEvents
Azure BatchAzure Batch Azure Batch 診斷記錄Azure Batch diagnostics logs Microsoft.Batch/batchAccountsMicrosoft.Batch/batchAccounts ServiceLogServiceLog
Azure 自動化Azure Automation Azure 自動化的 azure 監視器記錄檔Azure Monitor logs for Azure Automation Microsoft.Automation/automationAccountsMicrosoft.Automation/automationAccounts
Microsoft.Automation/automationAccountsMicrosoft.Automation/automationAccounts
JobLogsJobLogs
JobStreamsJobStreams
Azure 事件中心Azure Event Hubs 事件中樞診斷記錄Event Hubs diagnostics logs Microsoft.EventHub/namespacesMicrosoft.EventHub/namespaces
Microsoft.EventHub/namespacesMicrosoft.EventHub/namespaces
ArchiveLogsArchiveLogs
OperationalLogsOperationalLogs
Azure 串流分析Azure Stream Analytics 作業診斷記錄Job diagnostics logs Microsoft.StreamAnalytics/streamingjobsMicrosoft.StreamAnalytics/streamingjobs
Microsoft.StreamAnalytics/streamingjobsMicrosoft.StreamAnalytics/streamingjobs
執行Execution
編寫Authoring
Azure 服務匯流排Azure Service Bus 服務匯流排診斷記錄Service Bus diagnostics logs Microsoft.ServiceBus/namespacesMicrosoft.ServiceBus/namespaces OperationalLogsOperationalLogs

Azure Active Directory 報告Azure Active Directory reporting

Azure Active Directory (Azure AD) 包括使用者目錄的安全性、活動和稽核報告。Azure Active Directory (Azure AD) includes security, activity, and audit reports for a user's directory. Azure AD 稽核報告可協助您識別在使用者的 Azure AD 執行個體中發生的特殊權限動作。The Azure AD audit report helps you identify privileged actions that occurred in the user's Azure AD instance. 特殊權限動作包括提高權限變更 (例如,角色建立或密碼重設)、原則設定變更 (例如密碼原則) 或目錄設定變更 (例如,網域同盟設定變更)。Privileged actions include elevation changes (for example, role creation or password resets), changing policy configurations (for example, password policies), or changes to the directory configuration (for example, changes to domain federation settings).

報告會提供的稽核記錄包括事件名稱、執行動作的使用者、受變更影響的目標資源,以及日期和時間 (UTC)。The reports provide the audit record for the event name, the user who performed the action, the target resource affected by the change, and the date and time (in UTC). 使用者能透過 Azure 入口網站擷取 Azure AD 的稽核事件清單,如檢視您的稽核記錄中所述。Users can retrieve the list of audit events for Azure AD via the Azure portal, as described in View your audit logs.

包含的報告列在下表中:The included reports are listed in the following table:

安全性報告Security reports 活動報告Activity reports 稽核報告Audit reports
從不明來源登入Sign-ins from unknown sources 應用程式使用情況:摘要Application usage: summary 目錄稽核報告Directory audit report
在多次失敗後登入Sign-ins after multiple failures 應用程式使用情況:詳細Application usage: detailed
從多個地理區域登入Sign-ins from multiple geographies 應用程式儀表板Application dashboard
從具有可疑活動的 IP 位址登入Sign-ins from IP addresses with suspicious activity 帳戶佈建錯誤Account provisioning errors
異常的登入活動Irregular sign-in activity 個別使用者裝置Individual user devices
從可能受感染的裝置登入Sign-ins from possibly infected devices 個別使用者活動Individual user activity
具有異常登入活動的使用者Users with anomalous sign-in activity 群組活動報告Groups activity report
密碼重設註冊活動報告Password reset registration activity report
密碼重設活動Password reset activity

這些報告的資料對您的應用程式 (例如安全性資訊與事件管理 (SIEM) 系統、稽核和商業智慧工具) 非常有用。The data in these reports can be useful to your applications, such as Security Information and Event Management (SIEM) systems, audit, and business intelligence tools. Azure AD 報告 API 透過一組以 REST 為基礎的 API 提供資料的程式設計方式存取。The Azure AD reporting APIs provide programmatic access to the data through a set of REST-based APIs. 您可以從各種程式設計語言和工具呼叫這些 APIYou can call these APIs from various programming languages and tools.

Azure AD 稽核報告中的事件會保留 180 天。Events in the Azure AD audit report are retained for 180 days.

注意

如需報告保留的詳細資訊,請參閱 Azure AD 報告保留原則For more information about report retention, see Azure AD report retention policies.

如果您於較常時間保留稽核事件感興趣,請使用報告 API 定期將稽核事件提取至不同的資料存放區。If you're interested in retaining your audit events longer, use the Reporting API to regularly pull audit events into a separate data store.

使用 Azure 診斷的虛擬機器記錄Virtual machine logs that use Azure Diagnostics

Azure 診斷是 Azure 中可對部署的應用程式啟用診斷資料收集的功能。Azure Diagnostics is the capability within Azure that enables the collection of diagnostics data on a deployed application. 您可以使用來自數個不同來源的診斷擴充功能。You can use the diagnostics extension from any of several sources. 目前支援 Azure 雲端服務的 Web 和背景工作角色Currently supported are Azure cloud service web and worker roles.

使用 Azure 診斷的虛擬機器記錄

執行 Microsoft Windows 和Service FabricAzure 虛擬機器Azure virtual machines that are running Microsoft Windows and Service Fabric

您可以執行下列任何作業,在虛擬機器上啟用 Azure 診斷:You can enable Azure Diagnostics on a virtual machine by doing any of the following:

存储分析Storage Analytics

Azure 儲存體分析會記錄並提供儲存體帳戶的度量資料。Azure Storage Analytics logs and provides metrics data for a storage account. 您可以使用此資料來追蹤要求、分析使用量趨勢,以及診斷儲存體帳戶的問題。You can use this data to trace requests, analyze usage trends, and diagnose issues with your storage account. 儲存體分析記錄適用於 Azure Blob、Azure 佇列及 Azure 資料表儲存體服務Storage Analytics logging is available for the Azure Blob, Azure Queue, and Azure Table storage services. 儲存體分析會記錄對儲存體服務之成功和失敗要求的詳細資訊。Storage Analytics logs detailed information about successful and failed requests to a storage service.

您可以使用這項資訊來監視個別要求,並診斷儲存體服務的問題。You can use this information to monitor individual requests and to diagnose issues with a storage service. 系統會以最佳方式來記錄要求。Requests are logged on a best-effort basis. 只有在對服務端點提出要求時,才會建立記錄項目。Log entries are created only if there are requests made against the service endpoint. 例如,如果儲存體帳戶在其 Blob 端點中有活動,而不是在其資料表或佇列端點中,則只會建立關於 Blob 儲存體服務的記錄。For example, if a storage account has activity in its blob endpoint but not in its table or queue endpoints, only logs that pertain to the Blob storage service are created.

若要使用儲存體分析,請針對想要監視的每個服務個別啟用它。To use Storage Analytics, enable it individually for each service you want to monitor. 您可以在 Azure 入口網站中將它啟用。You can enable it in the Azure portal. 如需詳細資訊,請參閱 在 Azure 入口網站中監視儲存體帳戶For more information, see Monitor a storage account in the Azure portal. 您也可以利用程式設計方式,透過 REST API 或用戶端程式庫來啟用儲存體分析。You can also enable Storage Analytics programmatically via the REST API or the client library. 使用 [設定服務屬性] 作業,分別為各個服務啟用儲存體分析。Use the Set Service Properties operation to enable Storage Analytics individually for each service.

彙總的資料會儲存於已知的 Blob (用於記錄) 和已知的資料表 (用於度量) 中,您可以使用 Blob 儲存體服務和資料表儲存體服務 API 加以存取。The aggregated data is stored in a well-known blob (for logging) and in well-known tables (for metrics), which you can access by using the Blob storage service and Table storage service APIs.

儲存體分析在儲存的資料量上有 20 TB 的限制,但此限制與儲存體帳戶的總限制無關。Storage Analytics has a 20-terabyte (TB) limit on the amount of stored data that is independent of the total limit for your storage account. 所有記錄都會儲存在名為 $logs 的容器內的區塊 Blob 中,該容器是在針對儲存體帳戶啟用儲存體分析時自動建立的。All logs are stored in block blobs in a container named $logs, which is automatically created when you enable Storage Analytics for a storage account.

注意

Storage Analytics 會記錄下列類型的已驗證與匿名要求:Storage Analytics logs the following types of authenticated and anonymous requests:

已驗證Authenticated 匿名Anonymous
成功的要求Successful requests 成功的要求Successful requests
失敗的要求,包括逾時、節流、網路、授權和其他錯誤Failed requests, including timeout, throttling, network, authorization, and other errors 使用共用存取簽章的要求,包括失敗和成功的要求Requests using a shared access signature, including failed and successful requests
使用共用存取簽章的要求,包括失敗和成功的要求Requests using a shared access signature, including failed and successful requests 用戶端與伺服器的逾時錯誤Time-out errors for both client and server
分析資料的要求Requests to analytics data 失敗的 GET 要求,錯誤碼為 304 (未修改)Failed GET requests with error code 304 (not modified)
系統不會記錄儲存體分析本身所提出的要求 (例如,記錄檔的建立或刪除)。Requests made by Storage Analytics itself, such as log creation or deletion, are not logged. 記錄資料的完整清單記錄於儲存體分析記錄作業和狀態訊息儲存體分析記錄格式中。A full list of the logged data is documented in Storage Analytics logged operations and status messages and Storage Analytics log format. 系統不會記錄所有其他失敗的匿名要求。All other failed anonymous requests are not logged. 記錄資料的完整清單記錄於儲存體分析記錄作業和狀態訊息儲存體分析記錄格式中。A full list of the logged data is documented in Storage Analytics logged operations and status messages and Storage Analytics log format.

Azure 網路記錄Azure networking logs

Azure 中的網路記錄和監視功能相當完善,主要涵蓋分類有二種:Network logging and monitoring in Azure is comprehensive and covers two broad categories:

  • 網路監看員:網路監看員的功能隨附了案例式網路監視。Network Watcher: Scenario-based network monitoring is provided with the features in Network Watcher. 這項服務包括封包擷取、下一個躍點、IP 流量驗證、安全性群組檢視、NSG 流量記錄。This service includes packet capture, next hop, IP flow verify, security group view, NSG flow logs. 案例層級監視可提供端對端的網路資源檢視,而非個別的網路資源監視。Scenario level monitoring provides an end to end view of network resources in contrast to individual network resource monitoring.

  • 資源監視:資源層級監視由診斷記錄、計量、疑難排解和資源健全狀況這四個功能所組成。Resource monitoring: Resource level monitoring comprises four features, diagnostics logs, metrics, troubleshooting, and resource health. 這些功能全是建置在網路資源層級。All these features are built at the network resource level.

Azure 網路記錄

網路監看員是一項區域性服務,可讓您監視與診斷位於和進出 Azure 的網路案例層級條件。Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. 網路監看員提供的網路診斷和視覺效果工具,可幫助您了解、診斷及洞悉您在 Azure 中的網路。Network diagnostics and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure.

網路安全性群組流量記錄Network Security Group flow logging

NSG 流量記錄是網路監看員的一項功能,您可用於檢視透過 NSG 輸入和輸出 IP 流量的相關資訊。NSG flow logs are a feature of Network Watcher that you can use to view information about ingress and egress IP traffic through an NSG. 這些流量記錄是以 JSON 格式寫入並顯示:These flow logs are written in JSON format and show:

  • 每個規則的輸出和輸入流量。Outbound and inbound flows on a per-rule basis.
  • 套用流量的 NIC。The NIC that the flow applies to.
  • 與流量相關的 5-Tuple 資訊:來源或目的地 IP、來源或目的地連接埠,以及通訊協定。5-tuple information about the flow: the source or destination IP, the source or destination port, and the protocol.
  • 允許或拒絕流量。Whether the traffic was allowed or denied.

雖然流量記錄是以 NSG 為目標,但其顯示方式與其他記錄不同。Although flow logs target NSGs, they are not displayed in the same way as the other logs. 流程記錄只會儲存於儲存體帳戶內。Flow logs are stored only within a storage account.

在其他記錄上看到的保留原則也同樣適用於流量記錄。The same retention policies that are seen on other logs apply to flow logs. 記錄的保留原則可設定為 1 天到 365 天。Logs have a retention policy that you can set from 1 day to 365 days. 如果未設定保留原則,則會永遠保留記錄。If a retention policy is not set, the logs are maintained forever.

診斷記錄Diagnostics logs

建立網路資源和登入儲存體帳戶,並傳送至事件中樞或 Azure 監視器記錄檔定期和自發地事件。Periodic and spontaneous events are created by network resources and logged in storage accounts, and sent to an event hub or Azure Monitor logs. 這些記錄可讓您深入了解資源的健全狀況。The logs provide insights into the health of a resource. 他們可以檢視 Power BI 和 Azure 監視器的記錄檔等工具中。They can be viewed in tools such as Power BI and Azure Monitor logs. 若要了解如何檢視診斷記錄檔,請參閱Azure 監視器記錄To learn how to view diagnostics logs, see Azure Monitor logs.

診斷記錄

診斷記錄適用於負載平衡器網路安全性群組、路由和應用程式閘道Diagnostics logs are available for Load Balancer, Network Security Groups, Routes, and Application Gateway.

網路監看員提供診斷記錄檢視。Network Watcher provides a diagnostics logs view. 此檢視包含所有支援診斷記錄的網路資源。This view contains all networking resources that support diagnostics logging. 從這個檢視中,您可以方便且快速地啟用和停用網路資源。From this view, you can enable and disable networking resources conveniently and quickly.

除了先前所提的記錄功能,網路監看員目前具有下列功能:In addition to the previously mentioned logging capabilities, Network Watcher currently has the following capabilities:

  • 拓撲:提供網路層級檢視,顯示資源群組中的網路資源之間的各種相互連線和關聯。Topology: Provides a network-level view that shows the various interconnections and associations between network resources in a resource group.

  • 變數封包擷取:擷取進出虛擬機器的封包資料。Variable packet capture: Captures packet data in and out of a virtual machine. 進階篩選選項和微調控制項 (例如時間和大小限制設定) 可讓您靈活擷取資料。Advanced filtering options and fine-tuning controls, such as time- and size-limitation settings, provide versatility. 封包資料可以 .cap 格式儲存在 Blob 存放區或本機磁碟上。The packet data can be stored in a blob store or on the local disk in .cap file format.

  • IP 流程驗證:根據流程資訊 5 個 Tuple 封包參數 (也就是目的地 IP、來源 IP、目的地連接埠、來源連接埠和通訊協定),查看允許或拒絕封包。IP flow verification: Checks to see whether a packet is allowed or denied based on flow information 5-tuple packet parameters (that is, destination IP, source IP, destination port, source port, and protocol). 如果封包遭到安全性群組拒絕,則會傳回拒絕封包的規則和群組。If the packet is denied by a security group, the rule and group that denied the packet is returned.

  • 下一個躍點:決定在 Azure 網路網狀架構中路由傳送封包的下一個躍點,讓您可以診斷任何設定錯誤的使用者定義路由。Next hop: Determines the next hop for packets being routed in the Azure network fabric, so that you can diagnose any misconfigured user-defined routes.

  • 安全性群組檢視:取得套用至 VM 的有效和已套用安全性規則。Security group view: Gets the effective and applied security rules that are applied on a VM.

  • 虛擬網路閘道和連線疑難排解:協助您針對虛擬網路閘道和連線進行疑難排解。Virtual network gateway and connection troubleshooting: Helps you troubleshoot virtual network gateways and connections.

  • 網路訂用帳戶限制:可讓您根據限制檢視網路資源使用狀況。Network subscription limits: Enables you to view network resource usage against limits.

Application InsightsApplication Insights

Azure Application Insights 是多個平台上的 Web 開發人員所適用的可延伸 APM 服務。Azure Application Insights is an extensible APM service for web developers on multiple platforms. 使用它來監視即時 Web 應用程式。Use it to monitor live web applications. 它會自動偵測效能異常。It automatically detects performance anomalies. 其中包括強大的分析工具可協助您診斷問題,並了解使用者實際如何運用您的應用程式。It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app.

Application Insights 設計用來協助您持續改善效能和可用性。Application Insights is designed to help you continuously improve performance and usability.

它適用於各種不同平台上的應用程式,包括裝載在內部部署或雲端中的 .NET、Node.js 和 Java EE。It works for apps on a wide variety of platforms, including .NET, Node.js, and Java EE, whether they're hosted on-premises or in the cloud. 它可與您的 DevOps 程序整合,並具有與各種開發工具的連接點。It integrates with your DevOps process and has connection points with various development tools.

Application Insights 圖表

Application Insights 是以開發小組為目標,以協助您了解您的應用程式的執行和使用情況。Application Insights is aimed at the development team, to help you understand how your app is performing and how it's being used. 它可監視︰It monitors:

  • 要求率、回應時間和失敗率:找出哪些頁面在每天哪些時段最受歡迎,以及使用者位於何處。Request rates, response times, and failure rates: Find out which pages are most popular, at what times of day, and where your users are. 查看哪些頁面的表現最好。See which pages perform best. 如果您的回應時間和失敗率隨著要求增加而提高,您可能會有資源配置問題。If your response times and failure rates go high when there are more requests, you might have a resourcing problem.

  • 相依比率、回應時間和失敗率:找出外部服務是否會使您降低效能。Dependency rates, response times, and failure rates: Find out whether external services are slowing you down.

  • 例外狀況:分析彙總的統計資料,或挑選特定執行個體並深入了解堆疊追蹤和相關要求。Exceptions: Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. 伺服器和瀏覽器例外狀況都會報告。Both server and browser exceptions are reported.

  • 頁面檢視和載入效能:從使用者的瀏覽器取得報告。Page views and load performance: Get reports from your users' browsers.

  • AJAX 呼叫:取得網頁速率、回應時間和失敗率。AJAX calls: Get webpage rates, response times, and failure rates.

  • 使用者和工作階段計數User and session counts.

  • 效能計數器:從 Windows 或 Linux 伺服器電腦取得資料,例如 CPU、記憶體和網路使用量。Performance counters: Get data from your Windows or Linux server machines, such as CPU, memory, and network usage.

  • 主機診斷:從 Docker 或 Azure 取得資料。Host diagnostics: Get data from Docker or Azure.

  • 診斷追蹤記錄:從您的應用程式取得資料,以便讓追蹤事件與要求相互關聯。Diagnostics trace logs: Get data from your app, so that you can correlate trace events with requests.

  • 自訂事件和計量:取得您以用戶端或伺服器程式碼自行撰寫的資料,以追蹤商業事件,例如售出的項目或獲勝的遊戲。Custom events and metrics: Get data that you write yourself in the client or server code, to track business events such as items sold or games won.

下表列出及描述整合案例:The following table lists and describes integration scenarios:

整合案例Integration scenario 描述Description
應用程式對應Application map 應用程式的元件,包含重要計量和警示。The components of your app, with key metrics and alerts.
執行個體資料的診斷搜尋Diagnostics search for instance data 搜尋和篩選事件,例如要求、例外狀況、相依性呼叫、記錄追蹤,以及頁面檢視。Search and filter events such as requests, exceptions, dependency calls, log traces, and page views.
彙總資料的計量瀏覽器Metrics Explorer for aggregated data 瀏覽、篩選和分割彙總的資料,例如,要求、錯誤和例外狀況的比率;回應時間、頁面載入時間。Explore, filter, and segment aggregated data such as rates of requests, failures, and exceptions; response times, page load times.
儀表板Dashboards 來自多個資源的交互式資料並與其他人員共用。Mash up data from multiple resources and share with others. 非常適用於多元件的應用程式,以及小組聊天室中的連續顯示。Great for multi-component applications, and for continuous display in the team room.
即時計量串流Live Metrics Stream 當您部署新的組建時,請觀看這些近乎即時的效能指標,以確定一切如預期運作。When you deploy a new build, watch these near-real-time performance indicators to make sure everything works as expected.
分析Analytics 使用這個功能強大的查詢語言,回答有關您應用程式效能和使用方式的艱難問題。Answer tough questions about your app's performance and usage by using this powerful query language.
自動和手動警示Automatic and manual alerts 如果在常見模式之外發生一些狀況,則自動警示會適應您應用程式的一般遙測和觸發程式模式。Automatic alerts adapt to your app's normal patterns of telemetry and are triggered when there's something outside the usual pattern. 您也可以在自訂或標準計量的特定層級上設定警示。You can also set alerts on particular levels of custom or standard metrics.
Visual StudioVisual Studio 檢視程式碼中的效能資料。View performance data in the code. 從堆疊追蹤移至程式碼。Go to code from stack traces.
Power BIPower BI 整合使用量計量和其他商業智慧。Integrate usage metrics with other business intelligence.
REST APIREST API 撰寫程式碼,對您的計量和未經處理資料執行查詢。Write code to run queries over your metrics and raw data.
連續匯出Continuous export 將送達的未經處理資料大量匯出至儲存體。Bulk export of raw data to storage when it arrives.

Azure 資訊安全中心警示Azure Security Center alerts

Azure 資訊安全中心威脅偵測的運作方式如下:從您的 Azure 資源、網路及已連線的協力廠商解決方案自動收集安全性資訊。Azure Security Center threat detection works by automatically collecting security information from your Azure resources, the network, and connected partner solutions. 它會分析這項資訊 (通常是來自多個來源的相互關聯資訊) 以識別威脅。It analyzes this information, often correlating information from multiple sources, to identify threats. 資訊安全中心的安全性警示會排定優先順序,並提供如何補救威脅的建議。Security alerts are prioritized in Security Center along with recommendations on how to remediate the threat. 如需詳細資訊,請參閱 Azure 資訊安全中心For more information, see Azure Security Center.

Azure 資訊安全中心圖表

資訊安全中心會運用進階安全性分析,其遠勝於以簽章為基礎的方法。Security Center employs advanced security analytics, which go far beyond signature-based approaches. 它在大型資料和機器學習技術方面有所突破,可評估整個雲端網狀架構中的所有事件。It applies breakthroughs in large data and machine learning technologies to evaluate events across the entire cloud fabric. 如此一來,它使用手動方法並預測攻擊的進化,以偵測無法識別的威脅。In this way, it detects threats that would be impossible to identify by using manual approaches and predicting the evolution of attacks. 這些安全性分析包括︰These security analytics include:

  • 整合性威脅情報:運用 Microsoft 產品和服務、Microsoft 數位犯罪防治中心 (DCU)、Microsoft Security Response Center (MSRC) 以及外部摘要的全域威脅情報,尋找已知的不良執行者。Integrated threat intelligence: Looks for known bad actors by applying global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds.

  • 行為分析:套用已知模式來探索惡意行為。Behavioral analytics: Applies known patterns to discover malicious behavior.

  • 異常偵測:使用統計分析來建置歷程基準。Anomaly detection: Uses statistical profiling to build a historical baseline. 它會對偏離已確立基準 (符合潛在攻擊向量) 的情況提出警示。It alerts on deviations from established baselines that conform to a potential attack vector.

許多安全性作業和事件回應小組依賴 SIEM 方案對安全性警示進行分級和調查做為起點。Many security operations and incident response teams rely on a SIEM solution as the starting point for triaging and investigating security alerts. 利用 Azure 記錄整合,您可以將資訊安全中心警示和虛擬機器安全性事件,收集 Azure 診斷和稽核記錄,與您的 Azure 監視器記錄檔或 SIEM 方案以接近即時的方式同步。With Azure Log Integration, you can sync Security Center alerts and virtual machine security events, collected by Azure diagnostics and audit logs, with your Azure Monitor logs or SIEM solution in near real time.

Azure 監視器記錄Azure Monitor logs

Azure 監視器記錄檔是可協助您收集和分析資料,由您的雲端中的資源所產生,並在內部部署環境的 Azure 中的服務。Azure Monitor logs is a service in Azure that helps you collect and analyze data that's generated by resources in your cloud and on-premises environments. 它可讓您在所有工作負載和伺服器之間 (無論其實體位置為何),使用整合式搜尋和自訂儀表板輕易地分析數百萬筆記錄,提供您即時的深入資訊。It gives you real-time insights by using integrated search and custom dashboards to readily analyze millions of records across all your workloads and servers, regardless of their physical location.

Azure 監視器記錄圖表

Azure 監視器的中心記錄檔是裝載於 Azure 的 Log Analytics 工作區。At the center of Azure Monitor logs is the Log Analytics workspace, which is hosted in Azure. Azure 監視器記錄檔會收集從連接的來源工作區中的資料,藉由設定資料來源,以及將解決方案新增至您的訂用帳戶。Azure Monitor logs collects data in the workspace from connected sources by configuring data sources and adding solutions to your subscription. 資料來源和解決方案會各自建立不同的記錄類型,各有其自己的屬性集。Data sources and solutions each create different record types, each with its own set of properties. 不過,在工作區的查詢中仍可一起分析來源和解決方案。But sources and solutions can still be analyzed together in queries to the workspace. 此功能可讓您使用相同的工具和方法,來處理由各種來源收集的各種資料。This capability allows you to use the same tools and methods to work with a variety of data collected by a variety of sources.

注意

本文最近有所更新,改為使用「Azure 監視器記錄」一詞,而非 Log Analytics。This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. 記錄資料仍儲存在 Log Analytics 工作區中,並仍由相同的 Log Analytics 服務收集和分析。Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. 我們會持續更新術語,以更精確地反映 Azure 監視器記錄的角色。We are updating the terminology to better reflect the role of logs in Azure Monitor. 如需詳細資料,請參閱 Azure 監視器遙測變更See Azure Monitor terminology changes for details.

連接的來源是電腦及其他資源產生由 Azure 監視器記錄檔收集的資料。Connected sources are the computers and other resources that generate the data that's collected by Azure Monitor logs. 來源可以包括安裝在直接連線的 WindowsLinux 電腦上的代理程式,或已連線的 System Center Operations Manager 管理群組中的代理程式。Sources can include agents that are installed on Windows and Linux computers that connect directly, or agents in a connected System Center Operations Manager management group. Azure 監視器記錄檔也可以收集的資料Azure 儲存體帳戶Azure Monitor logs can also collect data from an Azure storage account.

資料來源 是從每個已連線來源收集的各種資料。Data sources are the various kinds of data that's collected from each connected source. 除了 IIS 記錄自訂文字記錄等來源,來源還包括來自 Windows 和 Linux 代理程式的事件和效能資料Sources include events and performance data from Windows and Linux agents, in addition to sources such as IIS logs and custom text logs. 您設定想要收集的每個資料來源,組態會自動傳遞到每一個已連接的來源。You configure each data source that you want to collect, and the configuration is automatically delivered to each connected source.

有四種方法可收集 Azure 服務的記錄和計量There are four ways to collect logs and metrics for Azure services:

  • Azure 診斷直達 Azure 監視器記錄檔 (診斷下表中)Azure Diagnostics direct to Azure Monitor logs (Diagnostics in the following table)

  • Azure 監視器的 Azure 儲存體的 azure 診斷記錄 (儲存體下表中)Azure Diagnostics to Azure storage to Azure Monitor logs (Storage in the following table)

  • Azure 服務的連接器 (下表中的連接器)Connectors for Azure services (Connector in the following table)

  • 使用指令碼來收集並再將資料公佈至 Azure 監視器記錄檔 (空白資料格表和未列出的服務)Scripts to collect and then post data into Azure Monitor logs (blank cells in the following table and for services that are not listed)

服務Service 資源類型Resource type 記錄Logs 度量Metrics 解決方法Solution
Azure 應用程式閘道Azure Application Gateway Microsoft.Network/Microsoft.Network/
applicationGatewaysapplicationGateways
診斷Diagnostics 診斷Diagnostics Azure 應用程式閘道分析Azure Application Gateway Analytics
Application InsightsApplication Insights 連接器Connector 連接器Connector Application Insights 連接器 (預覽) (英文)Application Insights Connector (Preview)
Azure 自動化帳戶Azure Automation accounts Microsoft.Automation/Microsoft.Automation/
AutomationAccountsAutomationAccounts
診斷Diagnostics 詳細資訊More information
Azure Batch 帳戶Azure Batch accounts Microsoft.Batch/Microsoft.Batch/
batchAccountsbatchAccounts
診斷Diagnostics 診斷Diagnostics
傳統雲端服務Classic cloud services 儲存體Storage 詳細資訊More information
認知服務Cognitive Services Microsoft.CognitiveServices/Microsoft.CognitiveServices/
accountsaccounts
診斷Diagnostics
Azure Data Lake AnalyticsAzure Data Lake Analytics Microsoft.DataLakeAnalytics/Microsoft.DataLakeAnalytics/
accountsaccounts
診斷Diagnostics
Azure Data Lake StoreAzure Data Lake Store Microsoft.DataLakeStore/Microsoft.DataLakeStore/
accountsaccounts
診斷Diagnostics
Azure 事件中樞命名空間Azure Event Hub namespace Microsoft.EventHub/Microsoft.EventHub/
namespacesnamespaces
診斷Diagnostics 診斷Diagnostics
Azure IoT 中樞Azure IoT Hub Microsoft.Devices/Microsoft.Devices/
IotHubsIotHubs
診斷Diagnostics
Azure 金鑰保存庫Azure Key Vault Microsoft.KeyVault/Microsoft.KeyVault/
vaultsvaults
診斷Diagnostics 金鑰保存庫分析Key Vault Analytics
Azure Load BalancerAzure Load Balancer Microsoft.Network/Microsoft.Network/
loadBalancersloadBalancers
診斷Diagnostics
Azure Logic AppsAzure Logic Apps Microsoft.Logic/Microsoft.Logic/
workflowsworkflows
診斷Diagnostics 診斷Diagnostics
Microsoft.Logic/Microsoft.Logic/
integrationAccountsintegrationAccounts
網路安全性群組Network Security Groups Microsoft.Network/Microsoft.Network/
networksecuritygroupsnetworksecuritygroups
診斷Diagnostics Azure 網路安全性群組分析Azure Network Security Group analytics
復原保存庫Recovery vaults Microsoft.RecoveryServices/Microsoft.RecoveryServices/
vaultsvaults
Azure 復原服務分析 (預覽)Azure Recovery Services Analytics (Preview)
搜尋服務Search services Microsoft.Search/Microsoft.Search/
searchServicessearchServices
診斷Diagnostics 診斷Diagnostics
服務匯流排命名空間Service Bus namespace Microsoft.ServiceBus/Microsoft.ServiceBus/
namespacesnamespaces
診斷Diagnostics 診斷Diagnostics 服務匯流排分析 (預覽)Service Bus Analytics (Preview)
Service FabricService Fabric 儲存體Storage Service Fabric Analytics (Service Fabric 分析) (預覽)Service Fabric Analytics (Preview)
SQL (v12)SQL (v12) Microsoft.Sql/Microsoft.Sql/
servers/servers/
資料庫databases
診斷Diagnostics
Microsoft.Sql/Microsoft.Sql/
servers/servers/
elasticPoolselasticPools
儲存體Storage 指令碼Script Azure 儲存體分析 (預覽)Azure Storage Analytics (Preview)
Azure 虛擬機器Azure Virtual Machines Microsoft.Compute/Microsoft.Compute/
virtualMachinesvirtualMachines
分機Extension 分機Extension
診斷Diagnostics
虛擬機器擴展集Virtual machine scale sets Microsoft.Compute/Microsoft.Compute/
virtualMachinesvirtualMachines
診斷Diagnostics
Microsoft.Compute/Microsoft.Compute/
virtualMachineScaleSets/virtualMachineScaleSets/
virtualMachinesvirtualMachines
Web 伺服器陣列Web server farms Microsoft.Web/Microsoft.Web/
serverfarmsserverfarms
診斷Diagnostics
網站Websites Microsoft.Web/Microsoft.Web/
sitessites
診斷Diagnostics 詳細資訊More information
Microsoft.Web/Microsoft.Web/
sites/sites/
slotsslots

與內部部署之 SIEM 系統整合的記錄Log Integration with on-premises SIEM systems

您可以使用 Azure 記錄整合,將來自 Azure 資源的未經處理記錄與內部部署 SIEM 系統 (安全性資訊與事件管理系統) 整合。With Azure Log Integration you can integrate raw logs from your Azure resources with your on-premises SIEM system (Security information and event management system). AzLog 下載已在 2018 年 6 月 27 日停用。AzLog downloads were disabled on Jun 27, 2018. 如需繼續進行的指導,請檢閱 Use Azure monitor to integrate with SIEM tools (使用 Azure 監視器與 SIEM 工具整合) 一文For guidance on what to do moving forward review the post Use Azure monitor to integrate with SIEM tools

記錄整合圖表

記錄整合會從您的 Windows 虛擬機器、Azure 活動記錄、Azure 資訊安全中心警示和 Azure 資源提供者記錄收集 Azure 診斷。Log Integration collects Azure diagnostics from your Windows virtual machines, Azure activity logs, Azure Security Center alerts, and Azure resource provider logs. 這項整合提供您內部部署或在雲端中所有資產統一的儀表板,以便您彙總、相互關聯、分析和警示安全性事件。This integration provides a unified dashboard for all your assets, whether they're on-premises or in the cloud, so that you can aggregate, correlate, analyze, and alert for security events.

記錄整合目前支援整合 Azure 活動記錄、您的 Azure 訂用帳戶中 Windows 虛擬機器的 Windows 事件記錄、Azure 資訊安全中心警示、Azure 診斷記錄及 Azure AD 稽核記錄。Log Integration currently supports the integration of Azure activity logs, Windows event logs from Windows virtual machines with your Azure subscription, Azure Security Center alerts, Azure diagnostics logs, and Azure AD audit logs.

記錄類型Log type Azure 監視器記錄支援的 JSON (Splunk、 ArcSight 和 IBM QRadar)Azure Monitor logs supporting JSON (Splunk, ArcSight, and IBM QRadar)
Azure AD 稽核記錄Azure AD audit logs Yes
活動記錄Activity logs Yes
資訊安全中心警示Security Center alerts Yes
診斷記錄 (資源記錄)Diagnostics logs (resource logs) Yes
VM 記錄VM logs 是,透過轉送的事件,而非透過 JSONYes, via forwarded events and not through JSON

開始使用 Azure 記錄整合:本教學課程將逐步引導您安裝 Azure 記錄整合,以及整合來自 Azure 儲存體、Azure 活動記錄、Azure 資訊安全中心警示以及 Azure AD 稽核記錄的記錄。Get started with Azure Log Integration: This tutorial walks you through installing Azure Log Integration and integrating logs from Azure storage, Azure activity logs, Azure Security Center alerts, and Azure AD audit logs.

SIEM 的整合案例:Integration scenarios for SIEM:

後續步驟Next steps