Log Analytics data security

This document provides information specific to Log Analytics, a feature of Azure Monitor, to supplement the information on the Azure Trust Center.

This article explains how data is collected, processed, and secured by Log Analytics. You can use agents to connect to the web service, use System Center Operations Manager to collect operational data, or retrieve data from Azure diagnostics for use by Log Analytics.

The Log Analytics service manages your cloud-based data securely by using the following methods:

  • Data segregation
  • Data retention
  • Physical security
  • Incident management
  • Compliance
  • Security standards certifications

You can also use additional security features built into Azure Monitor and Log Analytics. These features require more administrator management.

  • Customer-managed (security) keys

Contact us with any questions, suggestions, or issues about any of the following information, including our security policies, at Azure support options.

Sending data securely using TLS 1.2

To ensure the security of data in transit to Log Analytics, we strongly encourage you to configure the agent to use at least Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable. While they still work, to allow backwards compatibility, they are not recommended, and the industry is quickly moving to abandon support for these older protocols.

The PCI Security Standards Council has set a deadline of June 30, 2018 to disable older versions of TLS/SSL and upgrade to more secure protocols. Once Azure drops legacy support, if your agents cannot communicate over at least TLS 1.2, you will not be able to send data to Log Analytics.

We do not recommend explicitly setting your agent to use only TLS 1.2 unless absolutely necessary, as it can break platform-level security features that allow you to automatically detect and take advantage of newer, more secure protocols as they become available, such as TLS 1.3.

Platform-specific guidance

Platform/Language | Support | More information
Linux | Linux distributions tend to rely on OpenSSL for TLS 1.2 support. | Check the OpenSSL Changelog to confirm that your version of OpenSSL is supported.
Windows 8.0 - 10 | Supported, and enabled by default. | Confirm that you are still using the default settings.
Windows Server 2012 - 2016 | Supported, and enabled by default. | Confirm that you are still using the default settings.
Windows 7 SP1 and Windows Server 2008 R2 SP1 | Supported, but not enabled by default. | See the Transport Layer Security (TLS) registry settings page for details on how to enable it.
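The guidance above (set TLS 1.2 as a floor, do not pin the agent to TLS 1.2 only) and the Linux row of the table, as an added Python example that is not part of this page and is not code from any Microsoft agent. The names `make_agent_context`, `openssl_supports_tls12` and `describe` are this example's own; the OpenSSL version banners in the `__main__` block are constructed inputs, and the 1.0.1 threshold is the OpenSSL release that first shipped TLS 1.2.

```python
"""TLS policy for an agent that ships logs to an HTTPS ingestion endpoint.

Added example: contrasts a TLS 1.2 *floor* (recommended in the text) with a
TLS 1.2-only *pin* (discouraged in the text, because it blocks TLS 1.3), and
shows the OpenSSL version check the Linux guidance asks for.
"""
import re
import ssl

# OpenSSL 1.0.1 was the first release with TLS 1.2 support (see the OpenSSL changelog).
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)


def openssl_supports_tls12(version_banner):
    """Parse an `openssl version` banner, e.g. 'OpenSSL 1.0.2k-fips 26 Jan 2017',
    and report whether that release can negotiate TLS 1.2."""
    match = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", version_banner)
    if not match:
        raise ValueError("unrecognised OpenSSL banner: %r" % version_banner)
    return tuple(int(part) for part in match.groups()) >= MIN_OPENSSL_FOR_TLS12


def make_agent_context(pin_only_tls12=False):
    """Build the client-side context an agent would use towards port 443.

    Default: TLS 1.2 is the minimum and the maximum is left at the platform
    default, so TLS 1.3 is used whenever both sides support it.
    pin_only_tls12=True reproduces the discouraged setting: floor and ceiling
    both at 1.2, so newer protocol versions can never be negotiated.
    """
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pin_only_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise the negotiable version range of a context (values are enum names)."""
    return {
        "minimum": ctx.minimum_version.name,
        "maximum": ctx.maximum_version.name,
        "tls13_possible": ctx.maximum_version == ssl.TLSVersion.MAXIMUM_SUPPORTED,
    }


if __name__ == "__main__":
    print("local library:", ssl.OPENSSL_VERSION, "| TLS 1.2 available:", ssl.HAS_TLSv1_2)
    # Constructed sample banners, as `openssl version` would print them.
    for banner in ("OpenSSL 0.9.8zh 3 Dec 2015", "OpenSSL 1.0.2k-fips 26 Jan 2017"):
        print(banner, "-> TLS 1.2 capable:", openssl_supports_tls12(banner))
    print("floor only :", describe(make_agent_context()))
    print("pinned 1.2 :", describe(make_agent_context(pin_only_tls12=True)))
```

Running it on a Linux host shows the local OpenSSL banner next to the two context summaries; the pinned context reports `tls13_possible: False`, which is exactly the loss of forward compatibility the text warns about.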

Data segregation

After your data is ingested by the Log Analytics service, it is kept logically separate on each component throughout the service. All data is tagged per workspace. This tagging persists throughout the data lifecycle and is enforced at each layer of the service. Your data is stored in a dedicated database in the storage cluster in the region you have selected.

Data retention

Indexed log search data is stored and retained according to your pricing plan. For more information, see Log Analytics Pricing.

As part of your subscription agreement, Azure retains your data per the terms of the agreement. When customer data is removed, no physical drives are destroyed.

The following table lists some of the available solutions and gives examples of the type of data they collect.

Solution | Data types
Capacity and Performance | Performance data and metadata
Update Management | Metadata and state data
Log Management | User-defined event logs, Windows Event Logs and/or IIS Logs
Change Tracking | Software inventory, Windows service and Linux daemon metadata, and Windows/Linux file metadata
SQL and Active Directory Assessment | WMI data, registry data, performance data, and SQL Server dynamic management view results

The following table shows examples of data types:

Data type | Fields
Alert | Alert Name, Alert Description, BaseManagedEntityId, Problem ID, IsMonitorAlert, RuleId, ResolutionState, Priority, Severity, Category, Owner, ResolvedBy, TimeRaised, TimeAdded, LastModified, LastModifiedBy, LastModifiedExceptRepeatCount, TimeResolved, TimeResolutionStateLastModified, TimeResolutionStateLastModifiedInDB, RepeatCount
Configuration | CustomerID, AgentID, EntityID, ManagedTypeID, ManagedTypePropertyID, CurrentValue, ChangeDate
Event | EventId, EventOriginalID, BaseManagedEntityInternalId, RuleId, PublisherId, PublisherName, FullNumber, Number, Category, ChannelLevel, LoggingComputer, EventData, EventParameters, TimeGenerated, TimeAdded
Note: When you write events with custom fields to the Windows event log, Log Analytics collects them.
Metadata | BaseManagedEntityId, ObjectStatus, OrganizationalUnit, ActiveDirectoryObjectSid, PhysicalProcessors, NetworkName, IPAddress, ForestDNSName, NetbiosComputerName, VirtualMachineName, LastInventoryDate, HostServerNameIsVirtualMachine, IP Address, NetbiosDomainName, LogicalProcessors, DNSName, DisplayName, DomainDnsName, ActiveDirectorySite, PrincipalName, OffsetInMinuteFromGreenwichTime
Performance | ObjectName, CounterName, PerfmonInstanceName, PerformanceDataId, PerformanceSourceInternalID, SampleValue, TimeSampled, TimeAdded
State | StateChangeEventId, StateId, NewHealthState, OldHealthState, Context, TimeGenerated, TimeAdded, StateId2, BaseManagedEntityId, MonitorId, HealthState, LastModified, LastGreenAlertGenerated, DatabaseTimeModified

Physical security

The Log Analytics service is operated by Azure personnel, and all activities are logged and can be audited. Log Analytics runs as an Azure service and meets all Azure compliance and security requirements. You can view details about the physical security of Azure assets on page 18 of the Azure Security Overview. Physical access rights to secure areas are changed within one business day for anyone who no longer has responsibility for the Log Analytics service, including on transfer and termination. You can read about the global physical infrastructure we use at Microsoft Datacenters.

Incident management

Log Analytics has an incident management process that all Azure services adhere to. To summarize, we:

  • Use a shared responsibility model, where a portion of the security responsibility belongs to Azure and a portion belongs to the customer
  • Manage Azure security incidents:
    • Start an investigation upon detection of an incident
    • Assess the impact and severity of the incident; this is done by an on-call incident response team member. Based on the evidence, the assessment may or may not result in further escalation to the security response team.
    • Diagnose the incident; security response experts conduct the technical or forensic investigation and identify containment, mitigation, and workaround strategies. If the security team believes that customer data may have been exposed to an unlawful or unauthorized individual, the Customer Incident Notification process begins in parallel.
    • Stabilize and recover from the incident. The incident response team creates a recovery plan to mitigate the issue. Crisis containment steps, such as quarantining impacted systems, may occur immediately and in parallel with diagnosis. Longer-term mitigations may be planned to take place after the immediate risk has passed.
    • Close the incident and conduct a post-mortem. The incident response team writes a post-mortem that outlines the details of the incident, with the intention of revising policies, procedures, and processes to prevent a recurrence.
  • Notify customers of security incidents:
    • Determine the scope of impacted customers and provide everyone who is impacted with as detailed a notice as possible
    • Create a notice that gives customers enough detail to investigate on their end and meet any commitments they have made to their end users, without unduly delaying the notification process.
    • Confirm and declare the incident, as necessary.
    • Notify customers with an incident notification without unreasonable delay and in accordance with any legal or contractual commitment. Notifications of security incidents are delivered to one or more of a customer's administrators by any means Azure selects, including email.
  • Conduct team readiness and training:
    • Azure personnel are required to complete security and awareness training, which helps them identify and report suspected security issues.
    • Operators working on the Azure service have additional training obligations surrounding their access to sensitive systems hosting customer data.
    • Azure security response personnel receive specialized training for their roles

If loss of any customer data occurs, we notify each customer within one day. However, customer data loss has never occurred with the service.

For more information about how Azure responds to security incidents, see Azure Security Response in the Cloud.

Compliance

The Log Analytics software development and service team's information security and governance program supports its business requirements and adheres to the laws and regulations described at the Azure Trust Center and Microsoft Trust Center Compliance. How Log Analytics establishes security requirements, identifies security controls, and manages and monitors risks is also described there. Annually, we review policies, standards, procedures, and guidelines.

Each development team member receives formal application security training. Internally, we use a version control system for software development. Each software project is protected by the version control system.

Microsoft has a security and compliance team that oversees and assesses all services in Microsoft. The team is made up of information security officers who are not associated with the engineering teams that develop Log Analytics. The security officers have their own management chain and conduct independent assessments of products and services to ensure security and compliance.

Microsoft's board of directors is informed by an annual report about all information security programs at Microsoft.

The Log Analytics software development and service team is actively working with the Microsoft Legal and Compliance teams and other industry partners to acquire various certifications.

Certifications and attestations

Azure Log Analytics meets the following requirements:

Note

In some certifications/attestations, Log Analytics is listed under its former name, Operational Insights.

Cloud computing security data flow

The following diagram shows a cloud security architecture as the flow of information from your company and how it is secured as it moves to the Log Analytics service, where you ultimately see it in the Azure portal. More information about each step follows the diagram.

[Image: Log Analytics data collection and security]

1. Sign up for Log Analytics and collect data

For your organization to send data to Log Analytics, you configure a Windows or Linux agent running on Azure virtual machines, or on virtual or physical computers in your environment or at another cloud provider. If you use Operations Manager, you configure the Operations Manager agent from the management group. Users (which might be you, other individual users, or a group of people) create one or more Log Analytics workspaces and register agents by using one of the following accounts:

A Log Analytics workspace is where data is collected, aggregated, analyzed, and presented. A workspace is primarily used as a means to partition data, and each workspace is unique. For example, you might want your production data managed in one workspace and your test data managed in another. Workspaces also help an administrator control user access to the data. Each workspace can have multiple user accounts associated with it, and each user account can access multiple Log Analytics workspaces. You create workspaces based on datacenter region.

For Operations Manager, the Operations Manager management group establishes a connection with the Log Analytics service. You then configure which agent-managed systems in the management group are allowed to collect and send data to the service. Depending on the solution you have enabled, data from these solutions is either sent directly from an Operations Manager management server to the Log Analytics service or, because of the volume of data collected by the agent-managed system, sent directly from the agent to the service. For systems not monitored by Operations Manager, each connects securely to the Log Analytics service directly.

All communication between connected systems and the Log Analytics service is encrypted. The TLS (HTTPS) protocol is used for encryption. The Microsoft SDL process is followed to ensure that Log Analytics is up to date with the most recent advances in cryptographic protocols.

Each type of agent collects data for Log Analytics. The type of data collected depends on the types of solutions used. You can see a summary of data collection at Add Log Analytics solutions from the Solutions Gallery. Additionally, more detailed collection information is available for most solutions. A solution is a bundle of predefined views, log search queries, data collection rules, and processing logic. Only administrators can use Log Analytics to import a solution. After the solution is imported, it is moved to the Operations Manager management servers (if used), and then to any agents that you have chosen. Afterward, the agents collect the data.

2. Send data from agents

You register all agent types with an enrollment key, and a secure connection is established between the agent and the Log Analytics service using certificate-based authentication and TLS on port 443. Log Analytics uses a secret store to generate and maintain keys. Private keys are rotated every 90 days, are stored in Azure, and are managed by Azure operations staff who follow strict regulatory and compliance practices.

With Operations Manager, the management group registered with a Log Analytics workspace establishes a secure HTTPS connection with an Operations Manager management server.

For Windows or Linux agents running on Azure virtual machines, a read-only storage key is used to read diagnostic events in Azure tables.

With any agent reporting to an Operations Manager management group that is integrated with Log Analytics, if the management server is unable to communicate with the service for any reason, the collected data is stored locally in a temporary cache on the management server. The management server tries to resend the data every eight minutes for two hours. For data that bypasses the management server and is sent directly to Log Analytics, the behavior is consistent with the Windows agent.

Data cached by the Windows agent or the management server is protected by the operating system's credential store. If the service cannot process the data after two hours, the agent queues the data. If the queue becomes full, the agent starts dropping data types, starting with performance data. The agent queue limit is a registry key, so you can modify it if necessary. Collected data is compressed and sent to the service, bypassing the Operations Manager management group databases, so it does not add any load to them. After the collected data is sent, it is removed from the cache.
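The outage behaviour just described (resend every eight minutes for two hours, then queue, then drop performance data first when the queue is full), as an added Python model that is not the agent's own code. The 8-minute interval, the 2-hour window and the "performance data first" rule come from the text; the `limit` parameter stands in for the registry key the text mentions without naming, and what is dropped once no performance records remain (here, the oldest record) is an assumption of this model, as are the class and function names and the sample records.

```python
"""Model of agent-side buffering during an outage towards the Log Analytics service.

Added example, not Microsoft's agent code. It makes the data-loss order
visible: under a long outage with a full queue, performance samples are the
first records an operator should expect to be missing.
"""
from collections import deque
from dataclasses import dataclass, field

RETRY_INTERVAL_MIN = 8     # resend attempt every eight minutes (from the text)
RETRY_WINDOW_MIN = 120     # ... for two hours (from the text)


def retry_schedule(outage_start_min=0):
    """Minutes, counted from the outage start, at which a resend is attempted: 8, 16, ..., 120."""
    return [outage_start_min + t
            for t in range(RETRY_INTERVAL_MIN, RETRY_WINDOW_MIN + 1, RETRY_INTERVAL_MIN)]


@dataclass
class Record:
    data_type: str   # one of the page's data types, e.g. "Performance", "Event", "State"
    payload: str


@dataclass
class AgentQueue:
    limit: int                                   # stands in for the registry-key queue limit
    records: deque = field(default_factory=deque)
    dropped: list = field(default_factory=list)  # audit trail of what was lost

    def enqueue(self, record):
        """Queue a record; when the queue is full, make room by dropping data."""
        if len(self.records) >= self.limit:
            self._make_room()
        self.records.append(record)

    def _make_room(self):
        # Performance data is dropped first, as the text states.
        for index, rec in enumerate(self.records):
            if rec.data_type == "Performance":
                del self.records[index]
                self.dropped.append(rec)
                return
        # ASSUMPTION of this model: the page gives no order beyond "performance first",
        # so once no performance data is left, the oldest queued record is dropped.
        self.dropped.append(self.records.popleft())

    def types(self):
        """Data types currently held, oldest first."""
        return [rec.data_type for rec in self.records]

    def flush(self):
        """Connectivity restored: everything queued is sent and removed from the cache."""
        sent = list(self.records)
        self.records.clear()
        return sent


if __name__ == "__main__":
    print("resend attempts at minutes:", retry_schedule())
    q = AgentQueue(limit=3)
    # Constructed sample records.
    for data_type, payload in [("Event", "e1"), ("Performance", "p1"),
                               ("State", "s1"), ("Event", "e2")]:
        q.enqueue(Record(data_type, payload))
    print("held:", q.types(), "| dropped:", [r.payload for r in q.dropped])
    print("sent on reconnect:", len(q.flush()), "records")
```

With a limit of 3, the fourth record pushes out the one performance sample before any event or state record, which is the behaviour to account for when correlating a gap in performance charts with an agent connectivity incident.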

As described above, data from the management server or direct-connected agents is sent over TLS to Azure datacenters. Optionally, you can use ExpressRoute to provide additional security for the data. ExpressRoute is a way to connect directly to Azure from your existing WAN network, such as a multi-protocol label switching (MPLS) VPN, provided by a network service provider. For more information, see ExpressRoute.

3. The Log Analytics service receives and processes data

The Log Analytics service ensures that incoming data is from a trusted source by validating certificates and data integrity with Azure authentication. The unprocessed raw data is then stored in an Azure Event Hub in the region where the data will eventually be stored at rest. The type of data that is stored depends on the types of solutions that were imported and used to collect data. Then, the Log Analytics service processes the raw data and ingests it into the database.

The retention period of collected data stored in the database depends on the selected pricing plan. For the Free tier, collected data is available for seven days. For the Paid tier, collected data is available for 31 days by default, but can be extended to 730 days. Data is stored encrypted at rest in Azure storage, to ensure data confidentiality, and is replicated within the local region using locally redundant storage (LRS). The last two weeks of data are also stored in an SSD-based cache, and this cache is encrypted.

Data in database storage cannot be altered once ingested, but it can be deleted via the purge API path. Although data cannot be altered, some certifications require that data is kept immutable and cannot be changed or deleted in storage. Data immutability can be achieved by using data export to a storage account that is configured as immutable storage.

4. Use Log Analytics to access the data

To access your Log Analytics workspace, you sign in to the Azure portal using the organizational account or Microsoft account that you set up previously. All traffic between the portal and the Log Analytics service is sent over a secure HTTPS channel. When you use the portal, a session ID is generated on the user client (web browser), and data is stored in a local cache until the session is terminated. When the session is terminated, the cache is deleted. Client-side cookies, which do not contain personally identifiable information, are not automatically removed. Session cookies are marked HttpOnly and Secure. After a predetermined idle period, the Azure portal session is terminated.
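The session-cookie properties named above (HttpOnly, secured, session-scoped), as an added Python example that is not the Azure portal's code. `build_session_cookie` emits a cookie with those attributes using the standard library, and `audit_set_cookie` is a checker that a reviewer can run over `Set-Cookie` header values captured from any web application. The cookie name `sid`, the `SameSite=Strict` attribute and the sample header values are this example's own choices, not something the page states.

```python
"""Session-cookie hygiene: emit a correct cookie and audit received ones.

Added example (not portal code). "Secure" keeps the cookie off plaintext HTTP,
"HttpOnly" keeps it out of reach of script, and the absence of Expires/Max-Age
makes it a session cookie that the browser discards when the session ends.
"""
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("httponly", "secure")   # attributes the text says session cookies carry
PERSISTENCE_ATTRS = ("expires", "max-age")  # present only on persistent (non-session) cookies


def build_session_cookie(session_id):
    """Return a Set-Cookie header value for a hardened, session-scoped cookie."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id              # cookie name "sid" is this example's choice
    cookie["sid"]["httponly"] = True        # not readable via document.cookie
    cookie["sid"]["secure"] = True          # only sent over HTTPS
    cookie["sid"]["path"] = "/"
    cookie["sid"]["samesite"] = "Strict"    # example's addition, not stated on the page
    # Deliberately no Expires/Max-Age: the browser drops it when the session ends.
    return cookie["sid"].OutputString()


def audit_set_cookie(header_value):
    """Audit one Set-Cookie header value; return a list of findings (empty means OK).

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [part.strip() for part in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:                  # parts[0] is name=value of the cookie itself
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()

    findings = []
    for flag in REQUIRED_FLAGS:
        if flag not in attrs:
            findings.append("missing %s" % flag)
    for attr in PERSISTENCE_ATTRS:
        if attr in attrs:
            findings.append("persistent cookie (%s=%s); expected session-scoped"
                            % (attr, attrs[attr]))
    return findings


if __name__ == "__main__":
    good = build_session_cookie("abc123")   # constructed session id
    print("emitted:", good)
    print("audit emitted:", audit_set_cookie(good))
    # Constructed header values as they might be captured from a response.
    for sample in ("sid=abc; Path=/",
                   "sid=abc; Path=/; HttpOnly; Max-Age=86400",
                   "sid=abc; Path=/; HttpOnly; Secure"):
        print("audit %r -> %s" % (sample, audit_set_cookie(sample)))
```

The emitted value reads `sid=abc123; HttpOnly; Path=/; SameSite=Strict; Secure` and audits clean; the sample with `Max-Age` is flagged both for the missing `Secure` flag and for being persistent rather than session-scoped.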

Additional security features

You can use these additional security features to further secure your Azure Monitor/Log Analytics environment. These features require more administrator management.

Next steps