Azure networking monitoring solutions in Azure Monitor

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Azure Monitor offers the following solutions for monitoring your networks:

  • Network Performance Monitor (NPM) to
    • Monitor the health of your network
  • Azure Application Gateway analytics to review
    • Azure Application Gateway logs
    • Azure Application Gateway metrics
  • Solutions to monitor and audit network activity on your cloud network

Network Performance Monitor (NPM)

The Network Performance Monitor management solution is a network monitoring solution that monitors the health, availability and reachability of networks. It is used to monitor connectivity between:

  • Public cloud and on-premises
  • Data centers and user locations (branch offices)
  • Subnets hosting various tiers of a multi-tiered application.

For more information, see Network Performance Monitor.

Azure Application Gateway and Network Security Group analytics

To use the solutions:

  1. Add the management solution to Azure Monitor, and
  2. Enable diagnostics to direct the diagnostics to a Log Analytics workspace in Azure Monitor. It is not necessary to write the logs to Azure Blob storage.

You can enable diagnostics and the corresponding solution for either one or both of Application Gateway and Network Security Groups.

If you do not enable diagnostic logging for a particular resource type, but install the solution, the dashboard blades for that resource are blank and display an error message.

Note

In January 2017, the supported way of sending logs from Application Gateways and Network Security Groups to a Log Analytics workspace changed. If you see the Azure Networking Analytics (deprecated) solution, refer to migrating from the old Networking Analytics solution for steps you need to follow.

Review Azure networking data collection details

The Azure Application Gateway analytics and the Network Security Group analytics management solutions collect diagnostics logs directly from Azure Application Gateways and Network Security Groups. It is not necessary to write the logs to Azure Blob storage and no agent is required for data collection.

The following table shows data collection methods and other details about how data is collected for Azure Application Gateway analytics and the Network Security Group analytics.

Platform | Direct agent | System Center Operations Manager agent | Azure | Operations Manager required? | Operations Manager agent data sent via management group | Collection frequency
Azure | | | | | | when logged

Azure Application Gateway analytics solution in Azure Monitor

The following logs are supported for Application Gateways:

  • ApplicationGatewayAccessLog
  • ApplicationGatewayPerformanceLog
  • ApplicationGatewayFirewallLog

The following metrics are supported for Application Gateways:

  • 5 minute throughput

Install and configure the solution

Use the following instructions to install and configure the Azure Application Gateway analytics solution:

  1. Enable the Azure Application Gateway analytics solution from Azure marketplace or by using the process described in Add Azure Monitor solutions from the Solutions Gallery.
  2. Enable diagnostics logging for the Application Gateways you want to monitor.

Enable Azure Application Gateway diagnostics in the portal

  1. In the Azure portal, navigate to the Application Gateway resource to monitor.

  2. Select Diagnostics logs to open the following page.

  3. Click Turn on diagnostics to open the following page.

  4. To turn on diagnostics, click On under Status.

  5. Click the checkbox for Send to Log Analytics.

  6. Select an existing Log Analytics workspace, or create a workspace.

  7. Click the checkbox under Log for each of the log types to collect.

  8. Click Save to enable the logging of diagnostics to Azure Monitor.

Enable Azure network diagnostics using PowerShell

The following PowerShell script provides an example of how to enable diagnostic logging for application gateways.

$workspaceId = "/subscriptions/d2e37fee-1234-40b2-5678-0b2199de3b50/resourcegroups/oi-default-CNE2/providers/microsoft.operationalinsights/workspaces/rollingbaskets"

$gateway = Get-AzApplicationGateway -Name 'ContosoGateway'

Set-AzDiagnosticSetting -ResourceId $gateway.Id -WorkspaceId $workspaceId -Enabled $true

Use Azure Application Gateway analytics

After you click the Azure Application Gateway analytics tile on the Overview, you can view summaries of your logs and then drill in to details for the following categories:

  • Application Gateway Access logs
    • Client and server errors for Application Gateway access logs
    • Requests per hour for each Application Gateway
    • Failed requests per hour for each Application Gateway
    • Errors by user agent for Application Gateways
  • Application Gateway performance
    • Host health for Application Gateway
    • Maximum and 95th percentile for Application Gateway failed requests

On the Azure Application Gateway analytics dashboard, review the summary information in one of the blades, and then click one to view detailed information on the log search page.

On any of the log search pages, you can view results by time, detailed results, and your log search history. You can also filter by facets to narrow the results.

Azure Network Security Group analytics solution in Azure Monitor

Note

  • The solution is now available in Azure Quickstart Templates and will soon no longer be available in the Azure Marketplace.
  • For existing customers who already added the solution to their workspace, it will continue to function with no changes.
  • Microsoft will continue to support sending NSG diagnostic logs to your workspace using Diagnostics Settings.

The following logs are supported for network security groups:

  • NetworkSecurityGroupEvent
  • NetworkSecurityGroupRuleCounter

Install and configure the solution

Use the following instructions to install and configure the Azure Networking Analytics solution:

  1. Enable the Azure Network Security Group analytics solution from Azure marketplace or by using the process described in Add Azure Monitor solutions from the Solutions Gallery.

Enable Azure network security group diagnostics in the portal

  1. In the Azure portal, navigate to the Network Security Group resource to monitor.

  2. Select Diagnostics logs to open the following page.

  3. Click Turn on diagnostics to open the following page.

  4. To turn on diagnostics, click On under Status.

  5. Click the checkbox for Send to Log Analytics.

  6. Select an existing Log Analytics workspace, or create a workspace.

  7. Click the checkbox under Log for each of the log types to collect.

  8. Click Save to enable the logging of diagnostics to Log Analytics.

Enable Azure network diagnostics using PowerShell

The following PowerShell script provides an example of how to enable resource logging for network security groups.

$workspaceId = "/subscriptions/d2e37fee-1234-40b2-5678-0b2199de3b50/resourcegroups/oi-default-CNE2/providers/microsoft.operationalinsights/workspaces/rollingbaskets"

$nsg = Get-AzNetworkSecurityGroup -Name 'ContosoNSG'

Set-AzDiagnosticSetting -ResourceId $nsg.Id -WorkspaceId $workspaceId -Enabled $true
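
The two scripts in this article each configure one named resource. The following added example (not part of the original article) applies the same Set-AzDiagnosticSetting call to every Application Gateway and Network Security Group in the current subscription that does not yet send diagnostics to the workspace, requesting the log categories listed in this article. It assumes a signed-in Az session, the same Az.Monitor version the article's scripts use, and a placeholder workspace ID; Enable-WorkspaceDiagnostics is a hypothetical helper name.

```powershell
# Added example: enable diagnostics on every gateway and NSG that is not
# yet sending logs to the workspace. Placeholder workspace ID; replace it.
$workspaceId = "/subscriptions/<subscription id>/resourcegroups/<resource group>/providers/microsoft.operationalinsights/workspaces/<workspace name>"

# Log categories listed in this article for each resource type.
$appGwCategories = 'ApplicationGatewayAccessLog', 'ApplicationGatewayPerformanceLog', 'ApplicationGatewayFirewallLog'
$nsgCategories   = 'NetworkSecurityGroupEvent', 'NetworkSecurityGroupRuleCounter'

# The Microsoft.Insights provider must be registered, or the update is
# refused with the Forbidden error described under Troubleshooting.
$unregistered = Get-AzResourceProvider -ProviderNamespace 'Microsoft.Insights' |
    Where-Object { $_.RegistrationState -ne 'Registered' }
if ($unregistered) {
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.Insights' | Out-Null
}

function Enable-WorkspaceDiagnostics {   # hypothetical helper name
    param(
        [object[]] $Resource = @(),
        [Parameter(Mandatory)] [string[]] $Category,
        [Parameter(Mandatory)] [string]   $WorkspaceId
    )
    foreach ($r in $Resource) {
        # Skip resources that already have a setting targeting this workspace
        # (-eq on strings is case-insensitive, which suits resource IDs).
        $existing = Get-AzDiagnosticSetting -ResourceId $r.Id -ErrorAction SilentlyContinue |
            Where-Object { $_.WorkspaceId -eq $WorkspaceId }
        if ($existing) {
            Write-Output "Already configured: $($r.Name)"
            continue
        }
        Set-AzDiagnosticSetting -ResourceId $r.Id -WorkspaceId $WorkspaceId `
            -Category $Category -Enabled $true | Out-Null
        Write-Output "Enabled diagnostics: $($r.Name)"
    }
}

Enable-WorkspaceDiagnostics -Resource (Get-AzApplicationGateway) -Category $appGwCategories -WorkspaceId $workspaceId
Enable-WorkspaceDiagnostics -Resource (Get-AzNetworkSecurityGroup) -Category $nsgCategories -WorkspaceId $workspaceId
```

Running it again after new gateways or NSGs are deployed picks up only the resources that still lack a setting for the workspace.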

Use Azure Network Security Group analytics

After you click the Azure Network Security Group analytics tile on the Overview, you can view summaries of your logs and then drill in to details for the following categories:

  • Network security group blocked flows
    • Network security group rules with blocked flows
    • MAC addresses with blocked flows
  • Network security group allowed flows
    • Network security group rules with allowed flows
    • MAC addresses with allowed flows

On the Azure Network Security Group analytics dashboard, review the summary information in one of the blades, and then click one to view detailed information on the log search page.

On any of the log search pages, you can view results by time, detailed results, and your log search history. You can also filter by facets to narrow the results.

Migrating from the old Networking Analytics solution

In January 2017, the supported way of sending logs from Azure Application Gateways and Azure Network Security Groups to a Log Analytics workspace changed. These changes provide the following advantages:

  • Logs are written directly to Azure Monitor without the need to use a storage account
  • Less latency from the time when logs are generated to them being available in Azure Monitor
  • Fewer configuration steps
  • A common format for all types of Azure diagnostics

To use the updated solutions:

  1. Configure diagnostics to be sent directly to Azure Monitor from Azure Application Gateways
  2. Configure diagnostics to be sent directly to Azure Monitor from Azure Network Security Groups
  3. Enable the Azure Application Gateway Analytics and the Azure Network Security Group Analytics solution by using the process described in Add Azure Monitor solutions from the Solutions Gallery
  4. Update any saved queries, dashboards, or alerts to use the new data type
    • The new type is AzureDiagnostics. You can use the ResourceType to filter to Azure networking logs.

      Instead of: NetworkApplicationgateways | where OperationName=="ApplicationGatewayAccess"
      Use: AzureDiagnostics | where ResourceType=="APPLICATIONGATEWAYS" and OperationName=="ApplicationGatewayAccess"

      Instead of: NetworkApplicationgateways | where OperationName=="ApplicationGatewayPerformance"
      Use: AzureDiagnostics | where ResourceType=="APPLICATIONGATEWAYS" and OperationName=="ApplicationGatewayPerformance"

      Instead of: NetworkSecuritygroups
      Use: AzureDiagnostics | where ResourceType=="NETWORKSECURITYGROUPS"

    • For any field that has a suffix of _s, _d, or _g in the name, change the first character to lower case

    • For any field that has a suffix of _o in the name, the data is split into individual fields based on the nested field names.

  5. Remove the Azure Networking Analytics (Deprecated) solution.
    • If you are using PowerShell, use Set-AzOperationalInsightsIntelligencePack -ResourceGroupName <resource group that the workspace is in> -WorkspaceName <name of the log analytics workspace> -IntelligencePackName "AzureNetwork" -Enabled $false

Data collected before the change is not visible in the new solution. You can continue to query for this data using the old Type and field names.
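
The query changes in step 4 can be applied mechanically to saved searches and alert queries. The following added example (not part of the original article) rewrites a query string according to the rules listed in step 4 and reports any _o fields, which have to be reworked by hand. Convert-LegacyNetworkQuery is a hypothetical helper name, and the field names in the sample query are constructed for illustration.

```powershell
# Added example: rewrite a saved query from the deprecated solution's types
# to AzureDiagnostics, following the migration rules in step 4.
function Convert-LegacyNetworkQuery {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $Query)

    # Old type name -> ResourceType value to filter on in AzureDiagnostics.
    $typeMap = [ordered]@{
        'NetworkApplicationgateways' = 'APPLICATIONGATEWAYS'
        'NetworkSecuritygroups'      = 'NETWORKSECURITYGROUPS'
    }
    $new = $Query.Trim()
    foreach ($old in $typeMap.Keys) {
        $filter = 'AzureDiagnostics | where ResourceType=="{0}"' -f $typeMap[$old]
        # "<old type> | where X" becomes "<filter> and X"; a bare type name
        # becomes the filter alone.
        $withWhere = '^{0}\s*\|\s*where\s+' -f [regex]::Escape($old)
        $bare      = '^{0}\b' -f [regex]::Escape($old)
        if ($new -match $withWhere) { $new = $new -replace $withWhere, "$filter and " }
        elseif ($new -match $bare)  { $new = $new -replace $bare, $filter }
    }
    # Fields ending in _s, _d or _g: lower-case the first character.
    # [regex]::Replace is case-sensitive, so only capitalised names match.
    $new = [regex]::Replace($new, '\b[A-Z]\w*_[sdg]\b', {
        param($m) $m.Value.Substring(0, 1).ToLower() + $m.Value.Substring(1)
    })
    # Fields ending in _o are split into nested fields; list them for review.
    $manual = @([regex]::Matches($new, '\b\w+_o\b') |
        ForEach-Object { $_.Value } | Select-Object -Unique)

    [pscustomobject]@{ Query = $new; ReviewManually = $manual }
}

# Constructed sample query; ExampleField_s and ExampleObject_o are made-up
# field names, not fields documented in this article.
$saved = 'NetworkApplicationgateways | where OperationName=="ApplicationGatewayAccess" | summarize count() by ExampleField_s, ExampleObject_o'
Convert-LegacyNetworkQuery -Query $saved | Format-List
```

Queries that must keep reading data collected before the change should stay on the old type and field names, as noted above.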

Troubleshooting

Troubleshoot Azure Diagnostics

If you receive the following error message, the Microsoft.insights resource provider is not registered:

Failed to update diagnostics for 'resource'. {"code":"Forbidden","message":"Please register the subscription 'subscription id' with Microsoft.Insights."}

To register the resource provider, perform the following steps in the Azure portal:

  1. In the navigation pane on the left, click Subscriptions
  2. Select the subscription identified in the error message
  3. Click Resource Providers
  4. Find the Microsoft.insights provider
  5. Click the Register link

Once the Microsoft.insights resource provider is registered, retry configuring diagnostics.

In PowerShell, if you receive the following error message, you need to update your version of PowerShell:

Set-AzureRmDiagnosticSetting : A parameter cannot be found that matches parameter name 'WorkspaceId'.

Update your version of PowerShell to the November 2016 (v2.3.0), or later, release using the instructions in the Get started with Azure PowerShell cmdlets article.

Next steps