Diagnostic logging for a network security group

A network security group (NSG) includes rules that allow or deny traffic to a virtual network subnet, network interface, or both. When you enable diagnostic logging for an NSG, you can log the following categories of information:

  • Event: Entries are logged for which NSG rules are applied to VMs, based on MAC address.
  • Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic. The status for these rules is collected every 60 seconds.

Diagnostic logs are only available for NSGs deployed through the Azure Resource Manager deployment model. You cannot enable diagnostic logging for NSGs deployed through the classic deployment model. For a better understanding of the two models, see Understanding Azure deployment models.

Diagnostic logging is enabled separately for each NSG you want to collect diagnostic data for. If you're interested in operational (activity) logs instead, see Azure activity logging.

Enable logging

You can use the Azure Portal, PowerShell, or the Azure CLI to enable diagnostic logging.

Azure Portal

  1. Sign in to the portal.

  2. Select All services, then type network security groups. When Network security groups appears in the search results, select it.

  3. Select the NSG you want to enable logging for.

  4. Under MONITORING, select Diagnostics logs, and then select Turn on diagnostics, as shown in the following picture:

    (Screenshot: Turn on diagnostics)

  5. Under Diagnostics settings, enter or select the following information, and then select Save:

    Setting | Value
    Name | A name of your choosing. For example: myNsgDiagnostics
    Archive to a storage account, Stream to an event hub, and Send to Log Analytics | You can select as many destinations as you choose. To learn more about each, see Log destinations.
    LOG | Select either or both log categories. To learn more about the data logged for each category, see Log categories.
  6. View and analyze logs. For more information, see View and analyze logs.

PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

You can run the commands that follow in the Azure Cloud Shell, or by running PowerShell from your computer. The Azure Cloud Shell is a free interactive shell. It has common Azure tools preinstalled and configured to use with your account. If you run PowerShell from your computer, you need the Azure PowerShell module, version 1.0.0 or later. Run Get-Module -ListAvailable Az on your computer to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to sign in to Azure with an account that has the necessary permissions.

To enable diagnostic logging, you need the ID of an existing NSG. If you don't have an existing NSG, you can create one with New-AzNetworkSecurityGroup.

Retrieve the network security group that you want to enable diagnostic logging for with Get-AzNetworkSecurityGroup. For example, to retrieve an NSG named myNsg that exists in a resource group named myResourceGroup, enter the following command:

$Nsg=Get-AzNetworkSecurityGroup `
  -Name myNsg `
  -ResourceGroupName myResourceGroup

You can write diagnostic logs to three destination types. For more information, see Log destinations. In this article, logs are sent to the Log Analytics destination, as an example. Retrieve an existing Log Analytics workspace with Get-AzOperationalInsightsWorkspace. For example, to retrieve an existing workspace named myWorkspace in a resource group named myWorkspaces, enter the following command:

$Oms=Get-AzOperationalInsightsWorkspace `
  -ResourceGroupName myWorkspaces `
  -Name myWorkspace

If you don't have an existing workspace, you can create one with New-AzOperationalInsightsWorkspace.

There are two log categories you can enable. For more information, see Log categories. Enable diagnostic logging for the NSG with Set-AzDiagnosticSetting. The following example logs both event and counter category data to the workspace for an NSG, using the IDs of the NSG and workspace you retrieved previously:

Set-AzDiagnosticSetting `
  -ResourceId $Nsg.Id `
  -WorkspaceId $Oms.ResourceId `
  -Enabled $true

If you only want to log data for one category rather than both, add the -Categories option to the previous command, followed by NetworkSecurityGroupEvent or NetworkSecurityGroupRuleCounter. If you want to log to a destination other than a Log Analytics workspace, use the appropriate parameters for an Azure Storage account or Event Hub.

View and analyze logs. For more information, see View and analyze logs.

Azure CLI

You can run the commands that follow in the Azure Cloud Shell, or by running the Azure CLI from your computer. The Azure Cloud Shell is a free interactive shell. It has common Azure tools preinstalled and configured to use with your account. If you run the CLI from your computer, you need version 2.0.38 or later. Run az --version on your computer to find the installed version. If you need to upgrade, see Install Azure CLI. If you are running the CLI locally, you also need to run az login to sign in to Azure with an account that has the necessary permissions.

To enable diagnostic logging, you need the ID of an existing NSG. If you don't have an existing NSG, you can create one with az network nsg create.

Retrieve the network security group that you want to enable diagnostic logging for with az network nsg show. For example, to retrieve an NSG named myNsg that exists in a resource group named myResourceGroup, enter the following command:

nsgId=$(az network nsg show \
  --name myNsg \
  --resource-group myResourceGroup \
  --query id \
  --output tsv)

You can write diagnostic logs to three destination types. For more information, see Log destinations. In this article, logs are sent to the Log Analytics destination, as an example. For more information about the categories, see Log categories.

Enable diagnostic logging for the NSG with az monitor diagnostic-settings create. The following example logs both event and counter category data to an existing workspace named myWorkspace, which exists in a resource group named myWorkspaces, using the ID of the NSG you retrieved previously:

az monitor diagnostic-settings create \
  --name myNsgDiagnostics \
  --resource $nsgId \
  --logs '[ { "category": "NetworkSecurityGroupEvent", "enabled": true, "retentionPolicy": { "days": 30, "enabled": true } }, { "category": "NetworkSecurityGroupRuleCounter", "enabled": true, "retentionPolicy": { "days": 30, "enabled": true } } ]' \
  --workspace myWorkspace \
  --resource-group myWorkspaces

If you don't have an existing workspace, you can create one using the Azure portal or PowerShell. There are two log categories you can enable.

If you only want to log data for one category rather than both, remove the category you don't want to log from the previous command. If you want to log to a destination other than a Log Analytics workspace, use the appropriate parameters for an Azure Storage account or Event Hub.

View and analyze logs. For more information, see View and analyze logs.

Log destinations

Diagnostics data can be:

Log categories

JSON-formatted data is written for the following log categories:

Event

The event log contains information about which NSG rules are applied to VMs, based on MAC address. The following data is logged for each event. In the following example, the data is logged for a virtual machine with the IP address 192.168.1.4 and a MAC address of 00-0D-3A-92-6A-7C:

{
    "time": "[DATE-TIME]",
    "systemId": "[ID]",
    "category": "NetworkSecurityGroupEvent",
    "resourceId": "/SUBSCRIPTIONS/[SUBSCRIPTION-ID]/RESOURCEGROUPS/[RESOURCE-GROUP-NAME]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG-NAME]",
    "operationName": "NetworkSecurityGroupEvents",
    "properties": {
        "vnetResourceGuid":"[ID]",
        "subnetPrefix":"192.168.1.0/24",
        "macAddress":"00-0D-3A-92-6A-7C",
        "primaryIPv4Address":"192.168.1.4",
        "ruleName":"[SECURITY-RULE-NAME]",
        "direction":"[DIRECTION-SPECIFIED-IN-RULE]",
        "priority":"[PRIORITY-SPECIFIED-IN-RULE]",
        "type":"[ALLOW-OR-DENY-AS-SPECIFIED-IN-RULE]",
        "conditions":{
            "protocols":"[PROTOCOLS-SPECIFIED-IN-RULE]",
            "destinationPortRange":"[PORT-RANGE-SPECIFIED-IN-RULE]",
            "sourcePortRange":"[PORT-RANGE-SPECIFIED-IN-RULE]",
            "sourceIP":"[SOURCE-IP-OR-RANGE-SPECIFIED-IN-RULE]",
            "destinationIP":"[DESTINATION-IP-OR-RANGE-SPECIFIED-IN-RULE]"
            }
        }
}

Rule counter

The rule counter log contains information about each rule applied to resources. The following example data is logged each time a rule is applied. In the following example, the data is logged for a virtual machine with the IP address 192.168.1.4 and a MAC address of 00-0D-3A-92-6A-7C:

{
    "time": "[DATE-TIME]",
    "systemId": "[ID]",
    "category": "NetworkSecurityGroupRuleCounter",
    "resourceId": "/SUBSCRIPTIONS/[SUBSCRIPTION ID]/RESOURCEGROUPS/[RESOURCE-GROUP-NAME]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG-NAME]",
    "operationName": "NetworkSecurityGroupCounters",
    "properties": {
        "vnetResourceGuid":"[ID]",
        "subnetPrefix":"192.168.1.0/24",
        "macAddress":"00-0D-3A-92-6A-7C",
        "primaryIPv4Address":"192.168.1.4",
        "ruleName":"[SECURITY-RULE-NAME]",
        "direction":"[DIRECTION-SPECIFIED-IN-RULE]",
        "type":"[ALLOW-OR-DENY-AS-SPECIFIED-IN-RULE]",
        "matchedConnections":125
        }
}

Note

The source IP address for the communication is not logged. You can, however, enable NSG flow logging for an NSG, which logs all of the rule counter information as well as the source IP address that initiated the communication. NSG flow log data is written to an Azure Storage account. You can analyze the data with the traffic analytics capability of Azure Network Watcher.
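The two record shapes above (NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter) are easy to post-process once exported. The following Python is an added example, not code from the article or from Azure: it parses constructed sample records in that shape, lists which rules apply to each VM by MAC address from the event category, and sums matchedConnections per deny rule across the 60-second samples from the rule counter category so that unusually high deny counts stand out. The threshold value and the rule names are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records (not captured from a real subscription) in the shape
# of the two NSG diagnostic log categories documented above. Fields the functions
# below do not read (time, systemId, resourceId, conditions, ...) are omitted.
SAMPLE_JSON = """[
 {"category": "NetworkSecurityGroupEvent", "properties": {"macAddress": "00-0D-3A-92-6A-7C",
  "primaryIPv4Address": "192.168.1.4", "ruleName": "AllowSSH", "direction": "In",
  "priority": "100", "type": "allow"}},
 {"category": "NetworkSecurityGroupEvent", "properties": {"macAddress": "00-0D-3A-92-6A-7C",
  "primaryIPv4Address": "192.168.1.4", "ruleName": "DenyAllInBound", "direction": "In",
  "priority": "65500", "type": "deny"}},
 {"category": "NetworkSecurityGroupRuleCounter", "properties": {"macAddress": "00-0D-3A-92-6A-7C",
  "ruleName": "AllowSSH", "direction": "In", "type": "allow", "matchedConnections": 125}},
 {"category": "NetworkSecurityGroupRuleCounter", "properties": {"macAddress": "00-0D-3A-92-6A-7C",
  "ruleName": "DenyAllInBound", "direction": "In", "type": "deny", "matchedConnections": 3400}},
 {"category": "NetworkSecurityGroupRuleCounter", "properties": {"macAddress": "00-0D-3A-92-6A-7C",
  "ruleName": "DenyAllInBound", "direction": "In", "type": "deny", "matchedConnections": 2600}}
]"""

def load_records(text):
    """Parse a JSON array of diagnostic records in the shape shown above."""
    return json.loads(text)

def rules_per_vm(records):
    """Event category: (priority, direction, rule, type) applied to each VM, keyed by MAC."""
    applied = defaultdict(list)
    for rec in records:
        if rec.get("category") != "NetworkSecurityGroupEvent":
            continue
        p = rec["properties"]
        applied[p["macAddress"]].append(
            (int(p["priority"]), p["direction"], p["ruleName"], p["type"].lower()))
    # Sort by priority so the order matches NSG evaluation order (lowest number first).
    return {mac: sorted(rules) for mac, rules in applied.items()}

def deny_totals(records, threshold):
    """Rule-counter category: sum matchedConnections per (MAC, rule, direction) across
    the 60-second samples and keep deny rules whose total reaches threshold
    (an operator-chosen hypothetical cut-off, not a value from the article)."""
    totals = defaultdict(int)
    for rec in records:
        if rec.get("category") != "NetworkSecurityGroupRuleCounter":
            continue
        p = rec["properties"]
        if p["type"].lower() == "deny":
            totals[(p["macAddress"], p["ruleName"], p["direction"])] += int(p["matchedConnections"])
    return {key: total for key, total in totals.items() if total >= threshold}
```

Because the rule counter log carries no source IP (see the note above), a high deny total only tells you which VM and rule are affected; NSG flow logs are needed to see who was denied.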

View and analyze logs

To learn how to view diagnostic log data, see Azure Diagnostic Logs overview. If you send diagnostics data to:

  • Azure Monitor logs: You can use the network security group analytics solution for enhanced insights. The solution provides visualizations for NSG rules that allow or deny traffic, per MAC address, of the network interface in a virtual machine.
  • Azure Storage account: Data is written to a PT1H.json file. You can find the:
    • Event log in the following path: insights-logs-networksecuritygroupevent/resourceId=/SUBSCRIPTIONS/[ID]/RESOURCEGROUPS/[RESOURCE-GROUP-NAME-FOR-NSG]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG NAME]/y=[YEAR]/m=[MONTH]/d=[DAY]/h=[HOUR]/m=[MINUTE]
    • Rule counter log in the following path: insights-logs-networksecuritygrouprulecounter/resourceId=/SUBSCRIPTIONS/[ID]/RESOURCEGROUPS/[RESOURCE-GROUP-NAME-FOR-NSG]/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/[NSG NAME]/y=[YEAR]/m=[MONTH]/d=[DAY]/h=[HOUR]/m=[MINUTE]

Next steps

  • Learn more about Activity logging, previously known as audit or operational logs. Activity logging is enabled by default for NSGs created through either Azure deployment model. To determine which operations were completed on NSGs in the activity log, look for entries that contain the following resource types:
    • Microsoft.ClassicNetwork/networkSecurityGroups
    • Microsoft.ClassicNetwork/networkSecurityGroups/securityRules
    • Microsoft.Network/networkSecurityGroups
    • Microsoft.Network/networkSecurityGroups/securityRules
  • To learn how to log diagnostic information that includes the source IP address for each flow, see NSG flow logging.