Enable the log collector behind a proxy

After you configure the log collector, if you are running behind a proxy, the log collector might have trouble sending data to Cloud App Security. This may happen because the log collector doesn't trust the proxy's root certificate authority and is therefore not able to connect to Microsoft Cloud App Security to retrieve its configuration or upload the received logs.

Note

For information on how to change the certificates used by the log collector for Syslog or FTP, and how to resolve connectivity issues from the firewalls and proxies to the log collector, see Log collector FTP configuration.

Set up the log collector behind a proxy

Make sure you have performed the necessary steps to run Docker on a Windows or Linux machine and have successfully downloaded the Cloud App Security Docker image on that machine. For more information, see Configure automatic log upload for continuous reports.

Validate Docker log collector container creation

In the shell, verify that the container was created and is running by using the following command:

docker ps

Copy the proxy root CA certificate to the container

From your virtual machine, copy the CA certificate to the Cloud App Security container. In the following example, the container is named Ubuntu-LogCollector and the CA certificate is named Proxy-CA.crt. Run the command on the Ubuntu host. It copies the certificate to a folder in the running container:

docker cp Proxy-CA.crt Ubuntu-LogCollector:/var/adallom/ftp/discovery

Set the configuration to work with the CA certificate

  1. Go into the container by using the following command. It opens bash in the log collector container:

    docker exec -it Ubuntu-LogCollector /bin/bash
    
  2. From the bash inside the container, go to the Java jre folder. To avoid a version-related path error, use this command:

    cd "$(find /opt/jdk/*/jre -name "bin" -printf '%h' -quit)"
    
  3. Import the root certificate that you copied earlier from the discovery folder into the Java KeyStore and define a password. The default password is "changeit". For information about changing the password, see How to change the Java KeyStore password.

    ./keytool --import --noprompt --trustcacerts --alias SelfSignedCert --file /var/adallom/ftp/discovery/Proxy-CA.crt --keystore ../lib/security/cacerts --storepass <password>
    
  4. Validate that the certificate was imported correctly into the CA keystore by using the following command to search for the alias you provided during the import (SelfSignedCert):

    ./keytool --list --keystore ../lib/security/cacerts | grep self
    
You should see your imported proxy CA certificate.
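Steps 2 to 4 above, as an added example script (not from the article or Microsoft) that runs from the bash shell inside the container: it locates the JRE the same way the article's find command does, skips the import when the alias is already present in cacerts (so re-running it after a container rebuild or a proxy CA rotation is harmless), and exits non-zero if the alias is still missing afterwards. The script name, the STOREPASS variable, the -maxdepth/-type restrictions on find and the idempotence check are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the article: idempotent import of the proxy root CA
# into the Java cacerts trust store, run from a bash shell inside the log
# collector container. Usage (inside the container):
#   ./import-proxy-ca.sh /var/adallom/ftp/discovery/Proxy-CA.crt SelfSignedCert
# Assumptions: GNU find is available, the JDK lives under /opt/jdk as in the
# article, and the cacerts password is "changeit" unless STOREPASS is set.
set -eu

# Print the JRE directory under a JDK root (the article's find command with the
# root as a parameter, limited to jre/bin so a deeper "bin" directory cannot win).
jre_dir() {
  root="${1:-/opt/jdk}"
  find "$root"/*/jre -maxdepth 1 -type d -name bin -printf '%h\n' -quit 2>/dev/null || true
}

# Exit 0 when a "keytool -list" listing on stdin contains the alias. keytool
# prints aliases in lower case as "alias, date, entry type,", so match the
# start of a line case-insensitively.
listing_has_alias() {
  grep -qi "^$1,"
}

# Import the certificate only if the alias is absent, then show the entry.
import_proxy_ca() {
  cert="$1"; alias="$2"; storepass="${STOREPASS:-changeit}"
  jre="$(jre_dir /opt/jdk)"
  [ -n "$jre" ] || { echo "no JRE found under /opt/jdk" >&2; return 1; }
  ks="$jre/lib/security/cacerts"
  kt="$jre/bin/keytool"
  if "$kt" -list -keystore "$ks" -storepass "$storepass" | listing_has_alias "$alias"; then
    echo "alias '$alias' is already in $ks; skipping import"
  else
    "$kt" -import -noprompt -trustcacerts -alias "$alias" -file "$cert" \
      -keystore "$ks" -storepass "$storepass"
  fi
  # Final check: non-zero exit status if the alias is still not listed.
  "$kt" -list -keystore "$ks" -storepass "$storepass" | grep -i "^$alias,"
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  import_proxy_ca "$1" "$2"
fi
```

The alias check before the import matters because keytool refuses to import a second entry under an existing alias, which would otherwise turn a harmless re-run into a failed provisioning step.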

Set the log collector to run with the new configuration

The container is now ready.

Run the collector_config command using the API token that you used during the creation of your log collector:

When you run the command, specify your own API token:

collector_config abcd1234abcd1234abcd1234abcd1234 ${CONSOLE} ${COLLECTOR}

The log collector is now able to communicate with Cloud App Security. After it sends data, its status in the Cloud App Security portal changes from Healthy to Connected.

Note

If you have to update the configuration of the log collector, for example to add or remove a data source, you normally have to delete the container and perform the previous steps again. To avoid this, you can re-run the collector_config tool with the new API token generated in the Cloud App Security portal.

How to change the Java KeyStore password

  1. Stop the Java KeyStore server.

  2. Open a bash shell inside the container and go to the appdata/conf folder.

  3. Change the server KeyStore password by using this command:

    keytool -storepasswd -new newStorePassword -keystore server.keystore -storepass changeit
    

    Note

    The default server password is changeit.

  4. Change the certificate password by using this command:

    keytool -keypasswd -alias server -keypass changeit -new newKeyPassword -keystore server.keystore -storepass newStorePassword
    

    Note

    The default server alias is server.

  5. In a text editor, open the server-install\conf\server\secured-installed.properties file, add the following lines, and then save the changes:

    1. Specify the new Java KeyStore password for the server: server.keystore.password=newStorePassword
    2. Specify the new certificate password for the server: server.key.password=newKeyPassword
  6. Start the server.
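Steps 3 to 5 above, as an added example script (not from the article or Microsoft) that runs them together from a bash shell inside the container with the server stopped: both keytool commands run with the same pair of new passwords, the two property keys are replaced in place rather than appended a second time, and the keystore is reopened with the new store password before you start the server. The KEYSTORE and PROPS variables, the set_property/get_property helpers and the forward-slash form of the properties path are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the article: rotate the server KeyStore and key
# passwords and record them in the properties file in one run, from a bash
# shell inside the container with the server stopped. Usage:
#   ./rotate-keystore-password.sh changeit newStorePassword changeit newKeyPassword
# Assumptions: the keystore is appdata/conf/server.keystore and the properties
# file is server-install/conf/server/secured-installed.properties, relative to
# the current directory (override with KEYSTORE and PROPS); the alias is "server".
set -eu

KEYSTORE="${KEYSTORE:-appdata/conf/server.keystore}"
PROPS="${PROPS:-server-install/conf/server/secured-installed.properties}"

# Set key=value in a Java properties file: drop any existing line for the key
# and append the new one, so repeated runs never leave duplicate keys. No sed
# substitution is involved, so passwords may contain characters such as & or |.
set_property() {
  file="$1"; key="$2"; value="$3"
  touch "$file"
  { grep -v "^$key=" "$file" || true; printf '%s=%s\n' "$key" "$value"; } > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Print the value stored for a key (empty if absent); used to verify the edit.
get_property() {
  grep "^$2=" "$1" | head -n 1 | cut -d= -f2- || true
}

rotate_passwords() {
  old_store="$1"; new_store="$2"; old_key="$3"; new_key="$4"
  # Step 3: change the KeyStore password.
  keytool -storepasswd -new "$new_store" -keystore "$KEYSTORE" -storepass "$old_store"
  # Step 4: change the key (certificate) password; the store now opens with the new password.
  keytool -keypasswd -alias server -keypass "$old_key" -new "$new_key" \
    -keystore "$KEYSTORE" -storepass "$new_store"
  # Step 5: record both new passwords for the server.
  set_property "$PROPS" server.keystore.password "$new_store"
  set_property "$PROPS" server.key.password "$new_key"
  # Confirm the keystore opens with the new store password before the server is started.
  keytool -list -keystore "$KEYSTORE" -storepass "$new_store" >/dev/null
}

# Run only when called with all four passwords, so the helpers can also be sourced.
if [ "$#" -eq 4 ]; then
  rotate_passwords "$1" "$2" "$3" "$4"
fi
```

Replacing the property lines instead of appending keeps the file free of a stale password entry that a later reader, or the server itself, could pick up by mistake; the final keytool -list catches a mistyped new password before the server fails to start.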

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.