Azure Network Watcher VNet
Flow logs in Virtual Network (VNet) track IP traffic in Azure Network Watcher and send the data to Azure Storage for analysis. Unlike NSG flow logs, VNet flow logs offer enhanced monitoring capabilities. They are essential for understanding network activity, identifying connections, and monitoring open ports. Flow logs are a primary source for optimizing resources, ensuring compliance, and detecting intrusions in cloud environments, serving the needs of both startups and large enterprises.
Data streams
This integration supports ingesting logs from Azure Network Watcher VNet through the Azure Blob Storage input.
- Log is used to retrieve VNet flow data. For more details, refer to the documentation.
Requirements
Elastic Agent must be installed. For more details and installation instructions, refer to the Elastic Agent installation guide.
Installing and managing Elastic Agent
There are several options for installing and managing Elastic Agent:
Install a Fleet-managed Elastic Agent (recommended)
With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend Fleet management because it makes managing and upgrading your agents considerably easier.
Install Elastic Agent in standalone mode (advanced users)
With this approach, you install Elastic Agent and manually configure the agent locally on the system where it is installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
Install Elastic Agent in a containerized environment
You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
Note that there are minimum requirements for running Elastic Agent. For more information, refer to the Elastic Agent minimum requirements.
Setup
To collect data from Azure Network Watcher VNet, follow the steps below:
- In the Azure portal, go to your storage account.
- Under Security + networking, select Access keys. Your account access keys appear, together with the complete connection string for each key.
- Select Show keys to display your access keys and connection strings and to enable the buttons for copying the values.
- Under key1, find the Key value. Select the Copy button to copy the account key. In the same way, you can copy the storage account name shown above the keys.
- Go to Containers under Data storage in your storage account to copy the container name.
Enable Virtual Network flow logs using the steps provided in the reference.
Enabling the integration in Elastic
- In Kibana, navigate to Management > Integrations.
- In the "Search for integrations" bar at the top, search for Azure Network Watcher VNet.
- Select the "Azure Network Watcher VNet" integration from the search results.
- Select "Add Azure Network Watcher VNet" to add the integration.
- While adding the integration, to collect logs via Azure Blob Storage, keep the Collect VNet logs via Azure Blob Storage toggle on and configure the following parameters:
  - account name
  - containers
  - service account key/service account URI
- Save the integration.
Logs reference
Log
This is the log dataset.
Example
An example event for log looks as follows:
```json
{
  "@timestamp": "2022-09-14T09:00:52.562Z",
  "agent": { "ephemeral_id": "de847db6-f5bf-4453-8aed-e34625b9fbfa", "id": "43c0b2ea-ece0-4773-bd18-10caab20c820", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.12.0" },
  "azure": {
    "resource": {
      "group": "NETWORKWATCHERRG",
      "id": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
      "name": "NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
      "provider": "MICROSOFT.NETWORK/NETWORKWATCHERS"
    },
    "storage": { "blob": { "content_type": "application/json", "name": "testblob" }, "container": { "name": "azure-container1" } },
    "subscription_id": "00000000-0000-0000-0000-000000000000"
  },
  "azure_network_watcher_vnet": {
    "log": {
      "category": "FlowLogFlowEvent",
      "flow_log": {
        "guid": "abcdef01-2345-6789-0abc-def012345678",
        "resource_id": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS2EUAP/FLOWLOGS/VNETFLOWLOG",
        "version": "4"
      },
      "mac_address": "00-22-48-71-C2-05",
      "operation_name": "FlowLogFlowEvent",
      "records": {
        "flows": [
          {
            "acl_id": "00000000-1234-abcd-ef00-c1c2c3c4c5c6",
            "groups": [
              {
                "rule": "DefaultRule_AllowInternetOutBound",
                "tuples": [
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "52.239.184.180", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "Begin" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 23956 }, "timestamp": "2022-09-14T09:00:03.599Z" },
                  { "bytes": { "received": 1580, "sent": 767 }, "destination": { "ip": "52.239.184.180", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "End" }, "packets": { "received": 2, "sent": 3 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 23956 }, "timestamp": "2022-09-14T09:00:03.606Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "40.74.146.17", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "Begin" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 22730 }, "timestamp": "2022-09-14T09:00:03.637Z" },
                  { "bytes": { "received": 4569, "sent": 705 }, "destination": { "ip": "40.74.146.17", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "End" }, "packets": { "received": 4, "sent": 3 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 22730 }, "timestamp": "2022-09-14T09:00:03.640Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "40.74.146.17", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "Begin" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 22732 }, "timestamp": "2022-09-14T09:00:04.251Z" },
                  { "bytes": { "received": 4569, "sent": 705 }, "destination": { "ip": "40.74.146.17", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "End" }, "packets": { "received": 4, "sent": 3 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 22732 }, "timestamp": "2022-09-14T09:00:04.251Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "40.74.146.17", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "Begin" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 22734 }, "timestamp": "2022-09-14T09:00:04.622Z" },
                  { "bytes": { "received": 108, "sent": 134 }, "destination": { "ip": "40.74.146.17", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "End" }, "packets": { "received": 1, "sent": 2 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 22734 }, "timestamp": "2022-09-14T09:00:04.622Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "104.16.218.84", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "Begin" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 36776 }, "timestamp": "2022-09-14T09:00:17.343Z" },
                  { "bytes": { "received": 32466, "sent": 2217 }, "destination": { "ip": "104.16.218.84", "port": 443 }, "flow": { "direction": "Outbound", "encryption": "NX", "state": "End" }, "packets": { "received": 33, "sent": 22 }, "protocol": "6", "source": { "ip": "10.0.0.6", "port": 36776 }, "timestamp": "2022-09-14T09:00:22.793Z" }
                ]
              }
            ]
          },
          {
            "acl_id": "01020304-abcd-ef00-1234-102030405060",
            "groups": [
              {
                "rule": "BlockHighRiskTCPPortsFromInternet",
                "tuples": [
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 22 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "101.33.218.153", "port": 55188 }, "timestamp": "2022-09-14T08:59:58.065Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 119 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "192.241.200.164", "port": 35276 }, "timestamp": "2022-09-14T09:00:05.503Z" }
                ]
              },
              {
                "rule": "Internet",
                "tuples": [
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 44357 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "20.106.221.10", "port": 50557 }, "timestamp": "2022-09-14T08:59:49.563Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 35945 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "20.55.117.81", "port": 62797 }, "timestamp": "2022-09-14T08:59:49.679Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 65515 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "20.55.113.5", "port": 51961 }, "timestamp": "2022-09-14T08:59:49.709Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 40129 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "13.65.224.51", "port": 40497 }, "timestamp": "2022-09-14T08:59:50.049Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 30472 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "20.55.117.81", "port": 62797 }, "timestamp": "2022-09-14T08:59:50.145Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 28184 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "20.55.113.5", "port": 51961 }, "timestamp": "2022-09-14T08:59:50.175Z" },
                  { "bytes": { "received": 0, "sent": 0 }, "destination": { "ip": "10.0.0.6", "port": 31244 }, "flow": { "direction": "Inbound", "encryption": "NX", "state": "Deny" }, "packets": { "received": 0, "sent": 0 }, "protocol": "6", "source": { "ip": "20.106.221.10", "port": 50557 }, "timestamp": "2022-09-14T09:00:15.545Z" }
                ]
              }
            ]
          }
        ]
      },
      "target_resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet",
      "time": "2022-09-14T09:00:52.562Z"
    }
  },
  "cloud": { "provider": "azure" },
  "data_stream": { "dataset": "azure_network_watcher_vnet.log", "namespace": "ep", "type": "logs" },
  "destination": {
    "bytes": [ 1580, 0, 32466, 108, 4569 ],
    "ip": [ "52.239.184.180", "104.16.218.84", "40.74.146.17", "10.0.0.6" ],
    "packets": [ 33, 0, 1, 2, 4 ],
    "port": [ 22, 44357, 65515, 40129, 31244, 443, 30472, 119, 28184, 35945 ]
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": { "id": "43c0b2ea-ece0-4773-bd18-10caab20c820", "snapshot": false, "version": "8.12.0" },
  "event": {
    "agent_id_status": "verified",
    "category": [ "network" ],
    "dataset": "azure_network_watcher_vnet.log",
    "ingested": "2024-05-03T08:01:53Z",
    "kind": "event",
    "type": [ "info" ]
  },
  "input": { "type": "azure-blob-storage" },
  "log": {
    "file": { "path": "http://elastic-package-service-azure-network-watcher-vnet-log-1:10000/devstoreaccount1/azure-container1/testblob" },
    "offset": 1
  },
  "network": { "direction": [ "inbound", "outbound" ], "iana_number": [ "6" ] },
  "related": {
    "ip": [ "52.239.184.180", "104.16.218.84", "40.74.146.17", "10.0.0.6", "13.65.224.51", "20.106.221.10", "20.55.113.5", "192.241.200.164", "20.55.117.81", "101.33.218.153" ]
  },
  "rule": { "name": [ "DefaultRule_AllowInternetOutBound", "BlockHighRiskTCPPortsFromInternet", "Internet" ] },
  "source": {
    "bytes": [ 0, 2217, 134, 767, 705 ],
    "ip": [ "13.65.224.51", "20.106.221.10", "20.55.113.5", "192.241.200.164", "10.0.0.6", "20.55.117.81", "101.33.218.153" ],
    "mac": "00-22-48-71-C2-05",
    "packets": [ 22, 0, 2, 3 ],
    "port": [ 22734, 23956, 40497, 35276, 62797, 22730, 22732, 55188, 51961, 36776, 50557 ]
  },
  "tags": [ "forwarded", "azure_network_watcher_vnet-log" ]
}
```
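As an added example (not code from the integration or its documentation), the following Python walks the `records.flows[].groups[].tuples[]` structure of an ingested event as laid out in the sample above, sums bytes per rule from `End` tuples only (a `Begin` tuple carries zero counters and a `Deny` tuple never transfers data), and counts inbound `Deny` tuples per source address so that sources probing many ports in one event stand out. The embedded event is a constructed, trimmed subset of the page's sample; the `_tuple` helper, the function names and the scanning threshold are the example's own assumptions.

```python
from collections import Counter, defaultdict


def _tuple(src_ip, src_port, dst_ip, dst_port, direction, state,
           sent=0, received=0, pkt_sent=0, pkt_received=0, ts=""):
    """Build one flow tuple in the shape the integration maps into
    azure_network_watcher_vnet.log.records.flows[].groups[].tuples[]."""
    return {
        "bytes": {"received": received, "sent": sent},
        "destination": {"ip": dst_ip, "port": dst_port},
        "flow": {"direction": direction, "encryption": "NX", "state": state},
        "packets": {"received": pkt_received, "sent": pkt_sent},
        "protocol": "6",
        "source": {"ip": src_ip, "port": src_port},
        "timestamp": ts,
    }


# Constructed input: a trimmed subset of the sample event on this page, keeping
# only the fields the functions below read.
SAMPLE_EVENT = {"azure_network_watcher_vnet": {"log": {"records": {"flows": [
    {
        "acl_id": "00000000-1234-abcd-ef00-c1c2c3c4c5c6",
        "groups": [{"rule": "DefaultRule_AllowInternetOutBound", "tuples": [
            _tuple("10.0.0.6", 23956, "52.239.184.180", 443, "Outbound", "Begin", ts="2022-09-14T09:00:03.599Z"),
            _tuple("10.0.0.6", 23956, "52.239.184.180", 443, "Outbound", "End", 767, 1580, 3, 2, "2022-09-14T09:00:03.606Z"),
            _tuple("10.0.0.6", 36776, "104.16.218.84", 443, "Outbound", "Begin", ts="2022-09-14T09:00:17.343Z"),
            _tuple("10.0.0.6", 36776, "104.16.218.84", 443, "Outbound", "End", 2217, 32466, 22, 33, "2022-09-14T09:00:22.793Z"),
        ]}],
    },
    {
        "acl_id": "01020304-abcd-ef00-1234-102030405060",
        "groups": [
            {"rule": "BlockHighRiskTCPPortsFromInternet", "tuples": [
                _tuple("101.33.218.153", 55188, "10.0.0.6", 22, "Inbound", "Deny", ts="2022-09-14T08:59:58.065Z"),
                _tuple("192.241.200.164", 35276, "10.0.0.6", 119, "Inbound", "Deny", ts="2022-09-14T09:00:05.503Z"),
            ]},
            {"rule": "Internet", "tuples": [
                _tuple("20.106.221.10", 50557, "10.0.0.6", 44357, "Inbound", "Deny", ts="2022-09-14T08:59:49.563Z"),
                _tuple("20.55.117.81", 62797, "10.0.0.6", 35945, "Inbound", "Deny", ts="2022-09-14T08:59:49.679Z"),
                _tuple("20.106.221.10", 50557, "10.0.0.6", 31244, "Inbound", "Deny", ts="2022-09-14T09:00:15.545Z"),
            ]},
        ],
    },
]}}}}


def iter_tuples(event):
    """Yield (acl_id, rule, tuple) for every flow tuple in one ingested event."""
    log = event["azure_network_watcher_vnet"]["log"]
    for flow in log.get("records", {}).get("flows", []):
        for group in flow.get("groups", []):
            for t in group.get("tuples", []):
                yield flow.get("acl_id"), group.get("rule"), t


def state_counts(event):
    """Count tuples by flow state (Begin / End / Deny)."""
    return Counter(t["flow"]["state"] for _, _, t in iter_tuples(event))


def bytes_per_rule(event):
    """Sum sent/received bytes per rule, counting only End tuples: Begin tuples
    report zero and Deny tuples carry no data, so filtering on state makes the
    accounting explicit rather than correct by accident."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for _, rule, t in iter_tuples(event):
        if t["flow"]["state"] != "End":
            continue
        totals[rule]["sent"] += t["bytes"]["sent"]
        totals[rule]["received"] += t["bytes"]["received"]
    return dict(totals)


def denied_inbound(event):
    """Return (denied-attempt count per source IP, set of targeted ports)
    for inbound tuples whose state is Deny."""
    per_source = Counter()
    ports = set()
    for _, _, t in iter_tuples(event):
        if t["flow"]["direction"] == "Inbound" and t["flow"]["state"] == "Deny":
            per_source[t["source"]["ip"]] += 1
            ports.add(t["destination"]["port"])
    return per_source, ports


def noisy_sources(event, threshold=2):
    """Source IPs with at least `threshold` denied inbound tuples in this event;
    the threshold is an assumed, tunable value for this example."""
    per_source, _ = denied_inbound(event)
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    print("states:", dict(state_counts(SAMPLE_EVENT)))
    print("bytes per rule:", bytes_per_rule(SAMPLE_EVENT))
    per_source, ports = denied_inbound(SAMPLE_EVENT)
    print("denied inbound per source:", dict(per_source), "ports:", sorted(ports))
    print("noisy sources:", noisy_sources(SAMPLE_EVENT))
```

In a real pipeline the same walk would run over each document of the `azure_network_watcher_vnet.log` data stream; the top-level ECS arrays (`source.ip`, `destination.port`) are de-duplicated per event, so per-source counts must come from the nested tuples as above.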
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
azure.resource.group | Resource group. | keyword |
azure.resource.id | Resource ID. | keyword |
azure.resource.name | Name. | keyword |
azure.resource.provider | Resource type/namespace. | keyword |
azure.storage.blob.content_type | The content type of the Azure Blob Storage blob object. | keyword |
azure.storage.blob.name | The name of the Azure Blob Storage blob object. | keyword |
azure.storage.container.name | The name of the Azure Blob Storage container. | keyword |
azure.subscription_id | Azure subscription ID. | keyword |
azure_network_watcher_vnet.log.category | Category of the event. | keyword |
azure_network_watcher_vnet.log.flow_log.guid | Resource GUID of the FlowLog resource. | keyword |
azure_network_watcher_vnet.log.flow_log.resource_id | Resource ID of the FlowLog resource. | keyword |
azure_network_watcher_vnet.log.flow_log.version | Version of the flow log schema. | keyword |
azure_network_watcher_vnet.log.mac_address | MAC address of the network interface on which the event was captured. | keyword |
azure_network_watcher_vnet.log.operation_name | Always FlowLogFlowEvent. | keyword |
azure_network_watcher_vnet.log.records.flows.acl_id | Identifier of the resource that evaluated the traffic, either a network security group or a Virtual Network Manager. | keyword |
azure_network_watcher_vnet.log.records.flows.groups.mac | MAC address of the network interface for which the flows are listed. | keyword |
azure_network_watcher_vnet.log.records.flows.groups.rule | Name of the rule that allowed or denied the traffic. | keyword |
azure_network_watcher_vnet.log.records.flows.groups.tuples.bytes.received | Total number of bytes of TCP packets sent from destination to source. | long |
azure_network_watcher_vnet.log.records.flows.groups.tuples.bytes.sent | Total number of bytes of TCP packets sent from source to destination. | long |
azure_network_watcher_vnet.log.records.flows.groups.tuples.destination.ip | Destination IP address. | ip |
azure_network_watcher_vnet.log.records.flows.groups.tuples.destination.port | Destination port. | long |
azure_network_watcher_vnet.log.records.flows.groups.tuples.flow.direction | Direction of the traffic flow. | keyword |
azure_network_watcher_vnet.log.records.flows.groups.tuples.flow.encryption | Encryption state of the flow. | keyword |
azure_network_watcher_vnet.log.records.flows.groups.tuples.flow.state | State of the flow. | keyword |
azure_network_watcher_vnet.log.records.flows.groups.tuples.packets.received | Total number of packets sent from destination to source. | long |
azure_network_watcher_vnet.log.records.flows.groups.tuples.packets.sent | Total number of packets sent from source to destination. | long |
azure_network_watcher_vnet.log.records.flows.groups.tuples.protocol | Protocol of the flow. | keyword |
azure_network_watcher_vnet.log.records.flows.groups.tuples.source.ip | Source IP address. | ip |
azure_network_watcher_vnet.log.records.flows.groups.tuples.source.port | Source port. | long |
azure_network_watcher_vnet.log.records.flows.groups.tuples.timestamp | Timestamp of when the flow occurred, in UNIX epoch format. | date |
azure_network_watcher_vnet.log.records.flows.rule | Rule for which the flows are listed. | keyword |
azure_network_watcher_vnet.log.records.version | Version number of the flow log event schema. | keyword |
azure_network_watcher_vnet.log.target_resource_id | Resource ID of the target resource associated with the FlowLog resource. | keyword |
azure_network_watcher_vnet.log.time | Time in UTC when the event was logged. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
input.type | Filebeat input type. | keyword |
log.offset | Log offset. | long |
Changelog
Version | Details | Kibana version(s) |
---|---|---|
1.1.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.0.0 | Enhancement (View pull request) | 8.13.0 or higher |
0.3.0 | Enhancement (View pull request) | — |
0.2.2 | Bug fix (View pull request) | — |
0.2.1 | Bug fix (View pull request) | — |
0.2.0 | Enhancement (View pull request) | — |
0.1.0 | Enhancement (View pull request) | — |