Docker on Windows on-premises

Applies to: Microsoft Cloud App Security

You can configure automatic log upload for continuous reports in Cloud App Security using Docker on Windows.

Prerequisites

  • OS:

    • Windows 10 (Fall Creators Update)
    • Windows Server version 1709+ (SAC)
    • Windows Server 2019 (LTSC)
  • Disk space: 250 GB

  • CPU: 2

  • RAM: 4 GB

  • Set your firewall as described in Network requirements

  • Virtualization on the operating system must be enabled with Hyper-V
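The prerequisites above can be checked before you start the deployment. The following PowerShell script is an added example, not part of the Cloud App Security documentation or installer; it uses built-in cmdlets only, and the thresholds are the page's own numbers (250 GB, 2 CPUs, 4 GB). The OS check compares against build 16299, the build shared by Windows 10 Fall Creators Update and Windows Server 1709, which is the floor for every OS listed; run it from an elevated PowerShell because the Hyper-V feature query needs administrator rights.

```powershell
# Added example (not from the documentation): verify this page's prerequisites
# on the machine that will host the Docker log collector.
$MinDiskGB = 250
$MinCpu    = 2
$MinRamGB  = 4

function Test-LogCollectorPrerequisites {
    $results = [ordered]@{}

    # OS: Windows 10 Fall Creators Update and Windows Server 1709 are both build
    # 16299, so that build is the minimum for every supported OS on the page.
    $os = Get-CimInstance Win32_OperatingSystem
    $results['OS build >= 16299'] = [int]$os.BuildNumber -ge 16299

    # Disk space on the system drive (where Docker keeps its data by default).
    $sysDrive = Get-PSDrive -Name $Env:SystemDrive.TrimEnd(':')
    $freeGB = [math]::Round($sysDrive.Free / 1GB, 1)
    $results["Free disk >= $MinDiskGB GB (have $freeGB GB)"] = $freeGB -ge $MinDiskGB

    # CPU count and physical memory.
    $cs = Get-CimInstance Win32_ComputerSystem
    $results["CPUs >= $MinCpu (have $($cs.NumberOfLogicalProcessors))"] =
        $cs.NumberOfLogicalProcessors -ge $MinCpu
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $results["RAM >= $MinRamGB GB (have $ramGB GB)"] = $ramGB -ge $MinRamGB

    # The Hyper-V Windows feature must be enabled (requires an elevated shell).
    $hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
    $results['Hyper-V feature enabled'] = ($null -ne $hv -and $hv.State -eq 'Enabled')

    # Hardware virtualization: true if a hypervisor is already running, or if the
    # firmware exposes VT-x/AMD-V to the OS. Both are typically false on a nested
    # or VMware guest unless the host passes virtualization through.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $results['Virtualization available'] = [bool]$cs.HypervisorPresent -or
        [bool]$cpu.VirtualizationFirmwareEnabled

    return $results
}

$checks = Test-LogCollectorPrerequisites
$checks.GetEnumerator() | ForEach-Object {
    $mark = if ($_.Value) { 'OK  ' } else { 'FAIL' }
    "$mark  $($_.Key)"
}
if ($checks.Values -contains $false) {
    Write-Warning 'At least one prerequisite is not met; fix it before running the installer.'
}
```

The firewall requirement from Network requirements is not checked here, since the required endpoints are documented on that separate page rather than on this one.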

Important

  • A user must be signed in for Docker to collect logs. We recommend advising your Docker users to disconnect without signing out.
  • Docker for Windows is not officially supported in VMware virtualization scenarios.
  • Docker for Windows is not officially supported in nested virtualization scenarios. If you still plan to use nested virtualization, refer to Docker's official guide.

Note

If you have an existing log collector and want to remove it before deploying it again, or if you simply want to remove it, run the following commands:

docker stop <collector_name>
docker rm <collector_name>

Log collector performance

The log collector can successfully handle log capacity of up to 50 GB per hour. The main bottlenecks in the log collection process are:

  • Network bandwidth - Your network bandwidth determines the log upload speed.

  • I/O performance of the virtual machine - Determines the speed at which logs are written to the log collector's disk. The log collector has a built-in safety mechanism that monitors the rate at which logs arrive and compares it to the upload rate. In cases of congestion, the log collector starts to drop log files. If your setup typically exceeds 50 GB per hour, it's recommended that you split the traffic between multiple log collectors.

Set up and configuration

  1. Go to the Automatic log upload settings page.

    1. In the Cloud App Security portal, click the settings icon followed by Log collectors.

    Image: Settings icon

  2. For each firewall or proxy from which you want to upload logs, create a matching data source.

    1. Click Add data source.
      Image: Add a data source
    2. Name your proxy or firewall.
      Image: Add name for data source
    3. Select the appliance from the Source list. If you select Custom log format to work with a network appliance that isn't listed, see Working with the custom log parser for configuration instructions.
    4. Compare your log with the sample of the expected log format. If your log file format doesn't match this sample, you should add your data source as Other.
    5. Set the Receiver type to FTP, FTPS, Syslog – UDP, Syslog – TCP, or Syslog – TLS.

    Note

    Integrating with secure transfer protocols (FTPS and Syslog – TLS) often requires additional settings on your firewall/proxy.

    6. Repeat this process for each firewall and proxy whose logs can be used to detect traffic on your network. It's recommended to set up a dedicated data source per network device to enable you to:

    • Monitor the status of each device separately, for investigation purposes.
    • Explore Shadow IT Discovery per device, if each device is used by a different user segment.
  3. Go to the Log collectors tab at the top.

    1. Click Add log collector.
    2. Give the log collector a name.
    3. Enter the Host IP address of the machine you'll use to deploy the Docker container. The host IP address can be replaced with the machine name, if there is a DNS server (or equivalent) that will resolve the host name.
    4. Select all Data sources that you want to connect to the collector, and click Update to save the configuration.
      Image: Select data source to connect
  4. Further deployment information will appear. Copy the run command from the dialog; you can use the copy to clipboard icon. You will need this later.

  5. Export the expected data source configuration. This configuration describes how you should set the log export in your appliances.

    Image: Create log collector

    Note

    • A single log collector can handle multiple data sources.
    • Copy the contents of the screen because you will need the information when you configure the log collector to communicate with Cloud App Security. If you selected Syslog, this information will include which port the Syslog listener is listening on.
    • For users sending log data via FTP for the first time, we recommend changing the password for the FTP user. For more information, see Changing the FTP password.

Step 2 – On-premises deployment of your machine

The following steps describe the deployment in Windows. The deployment steps for other platforms are slightly different.

  1. Open a PowerShell terminal as an administrator on your Windows machine.

  2. Run the following command to download the Windows Docker installer PowerShell script file:

    Invoke-WebRequest https://adaprodconsole.blob.core.windows.net/public-files/LogCollectorInstaller.ps1 -OutFile (Join-Path $Env:Temp LogCollectorInstaller.ps1)

    To validate that the installer is signed by Microsoft, see Validate installer signature.

  3. To enable PowerShell script execution, run:

    Set-ExecutionPolicy RemoteSigned

  4. Run:

    & (Join-Path $Env:Temp LogCollectorInstaller.ps1)

    This installs the Docker client on your machine. While the log collector container is installed, the machine will be restarted twice and you will have to log in again. Make sure the Docker client is set to use Linux containers.

  5. After each restart, open a PowerShell terminal as an administrator on your machine and re-run:

    & (Join-Path $Env:Temp LogCollectorInstaller.ps1)

  6. Before the installation completes, you will have to paste in the run command you copied earlier.

  7. Deploy the collector image on the hosting machine by importing the collector configuration. Import the configuration by copying the run command generated in the portal. If you need to configure a proxy, add the proxy IP address and port number. For example, if your proxy details are 192.168.10.1:8080, your updated run command is:

    (echo db3a7c73eb7e91a0db53566c50bab7ed3a755607d90bb348c875825a7d1b2fce) | docker run --name MyLogCollector -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP='192.168.1.1'" -e "PROXY=192.168.10.1:8080" -e "CONSOLE=mod244533.us.portal.cloudappsecurity.com" -e "COLLECTOR=MyLogCollector" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i microsoft/caslogcollector starter

    Image: Create log collector

  8. Verify that the collector is running properly with the following command:

    docker logs <collector_name>

You should see the message: Finished successfully!

Image: Verify the collector is working
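Steps 1 to 8 above can be carried out from one elevated PowerShell session and re-run after each of the two reboots. The script below is an added example, not the documentation's own installer or a Microsoft-provided script; it runs the page's download and installer commands and then checks the container the same way step 8 does. The collector name (MyLogCollector) is assumed to match the COLLECTOR value in the run command you copied from the portal, and the run command itself is still pasted interactively when the installer prompts for it.

```powershell
# Added example (not from the documentation): deploy the log collector and
# confirm it started, using only the commands this page already describes.
$InstallerUrl  = 'https://adaprodconsole.blob.core.windows.net/public-files/LogCollectorInstaller.ps1'
$InstallerPath = Join-Path $Env:Temp 'LogCollectorInstaller.ps1'
$CollectorName = 'MyLogCollector'   # assumption: same as COLLECTOR= in your run command

function Test-LogCollectorHealthy {
    param([Parameter(Mandatory)][string]$Name)

    # Is the container up at all? docker inspect prints 'true' or 'false'.
    $running = docker inspect -f '{{.State.Running}}' $Name 2>$null
    if ($running -ne 'true') {
        Write-Warning "Container '$Name' is not running (docker inspect returned '$running')."
        return $false
    }

    # Step 8 on the page: the startup log must contain "Finished successfully!".
    $logs = docker logs $Name 2>&1 | Out-String
    if ($logs -notmatch 'Finished successfully!') {
        Write-Warning "Container '$Name' is running but has not logged 'Finished successfully!' yet."
        return $false
    }
    return $true
}

# Only the first run downloads the installer; on the re-runs after each reboot
# the script is already in %TEMP% and the installer resumes where it stopped.
if (-not (Test-Path $InstallerPath)) {
    Invoke-WebRequest -Uri $InstallerUrl -OutFile $InstallerPath
}

# Step 3: allow locally created and remotely signed scripts to run.
Set-ExecutionPolicy RemoteSigned

# Steps 4 and 5: run (or re-run) the installer. It prompts for the run command
# from the portal (step 6) before the final stage.
& $InstallerPath

# Step 8: confirm the container is running and finished its startup.
if (Test-LogCollectorHealthy -Name $CollectorName) {
    "Log collector '$CollectorName' is running and reported 'Finished successfully!'."
} else {
    "Log collector '$CollectorName' is not healthy yet; check 'docker logs $CollectorName' for details."
}
```

Because the installer reboots the machine twice, the health check at the end only produces a meaningful result on the final run, after the container has been created; on the earlier runs the warning about a missing container is expected.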

Step 3 - On-premises configuration of your network appliances

Configure your network firewalls and proxies to periodically export logs to the dedicated Syslog port or FTP directory according to the directions in the dialog. For example:

BlueCoat_HQ - Destination path: \\<machine_name>\BlueCoat_HQ\

Step 4 - Verify the successful deployment in the Cloud App Security portal

Check the collector status in the Log collectors table and make sure the status is Connected. If it's Created, it's possible the log collector connection and parsing haven't completed.

Image: Verify the collector was deployed successfully

You can also go to the Governance log and verify that logs are being periodically uploaded to the portal.

If you have problems during deployment, see Troubleshooting Cloud Discovery.

Optional - Create custom continuous reports

Verify that the logs are being uploaded to Cloud App Security and that reports are generated. After verification, create custom reports. You can create custom discovery reports based on Azure Active Directory user groups. For example, if you want to see the cloud use of your marketing department, import the marketing group using the import user group feature. Then create a custom report for this group. You can also customize a report based on IP address tags or IP address ranges.

  1. In the Cloud App Security portal, under the Settings cog, select Cloud Discovery settings, and then select Continuous reports.

  2. Click the Create report button and fill in the fields.

  3. Under Filters, you can filter the data by data source, by imported user group, or by IP address tags and ranges.

    Image: Custom continuous report

Optional - Validate installer signature

To make sure that the Docker installer is signed by Microsoft:

  1. Right-click on the file and select Properties.

  2. Click on Digital Signatures and make sure that it says This digital signature is OK.

  3. Make sure that Microsoft Corporation is listed as the sole entry under Name of signer.

    Image: Digital signature is valid

If the digital signature is not valid, it will say This digital signature is not valid:

Image: Digital signature is not valid
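The same check can be scripted, which is useful when the download is automated and no one is looking at the Properties dialog. The function below is an added example, not part of the documentation; it relies on the built-in Get-AuthenticodeSignature cmdlet, and the only expected value it hard-codes is the signer name the page itself gives, Microsoft Corporation. The installer path is assumed to be the one used in Step 2.

```powershell
# Added example (not from the documentation): scripted equivalent of the
# Properties > Digital Signatures check for the downloaded installer.
$InstallerPath = Join-Path $Env:Temp 'LogCollectorInstaller.ps1'

function Test-MicrosoftSignedInstaller {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # "This digital signature is OK" in the GUI corresponds to Status = Valid:
    # the embedded hash matches the file and the certificate chains to a
    # trusted root. Any other status (NotSigned, HashMismatch, UnknownError,
    # NotTrusted, ...) is the scripted form of "This digital signature is not valid".
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$Path' is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # The page requires Microsoft Corporation as the sole signer. Match the
    # certificate's CN exactly rather than with a loose substring test, so a
    # certificate such as "CN=Microsoft Corporation Ltd" would not be accepted.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch '(^|, )CN=Microsoft Corporation(,|$)') {
        Write-Warning "Installer is validly signed, but the signer is not Microsoft Corporation: $subject"
        return $false
    }

    return $true
}

if (Test-MicrosoftSignedInstaller -Path $InstallerPath) {
    "Installer signature is valid and the signer is Microsoft Corporation."
} else {
    "Installer signature did not check out; do not run it until it does."
}
```

Run this between Step 2 and Step 4 of the deployment, after the download and before Set-ExecutionPolicy and the installer are executed; with RemoteSigned in effect, PowerShell will also refuse to run the downloaded script if its signature is missing or broken, but the check above additionally confirms who signed it.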

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.