Computer groups in Azure Monitor log queries

Computer groups in Azure Monitor allow you to scope log queries to a particular set of computers. Each group is populated with computers either by a query that you define or by importing groups from different sources. When the group is included in a log query, the results are limited to records that match the computers in the group.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Creating a computer group

You can create a computer group in Azure Monitor using any of the methods in the following table. Details on each method are provided in the sections below.

Log query: Create a log query that returns a list of computers.
Log Search API: Use the Log Search API to programmatically create a computer group based on the results of a log query.
Active Directory: Automatically scan the group membership of any agent computers that are members of an Active Directory domain and create a group in Azure Monitor for each security group (Windows machines only).
Configuration Manager: Import collections from Microsoft Endpoint Configuration Manager and create a group in Azure Monitor for each collection.
Windows Server Update Services: Automatically scan WSUS servers or clients for targeting groups and create a group in Azure Monitor for each group.

Log query

Computer groups created from a log query contain all of the computers returned by a query that you define. The query is run every time the computer group is used, so any changes since the group was created are reflected.

You can use any query for a computer group, but it must return a distinct set of computers by ending with distinct Computer. The following is a typical query that you could use as a computer group.

Heartbeat | where Computer contains "srv" | distinct Computer

Use the following procedure to create a computer group from a log search in the Azure portal.

  1. In the Azure portal, click Logs in the Azure Monitor menu.
  2. Create and run a query that returns the computers that you want in the group.
  3. Click Save at the top of the screen.
  4. Change Save as to Function and select Save this query as a computer group.
  5. Provide values for each property of the computer group described in the table below and click Save.

The following table describes the properties that define a computer group.

Name: Name of the query to display in the portal.
Function alias: A unique alias used to identify the computer group in a query.
Category: Category used to organize the queries in the portal.

Active Directory

When you configure Azure Monitor to import Active Directory group memberships, it analyzes the group membership of any Windows domain-joined computers with the Log Analytics agent. A computer group is created in Azure Monitor for each security group in Active Directory, and each Windows computer is added to the computer groups corresponding to the security groups it is a member of. This membership is refreshed every 4 hours.

Note

Imported Active Directory groups contain only Windows machines.

You configure Azure Monitor to import Active Directory security groups from Advanced settings in your Log Analytics workspace in the Azure portal. Select Computer Groups, Active Directory, and then Import Active Directory group memberships from computers. No further configuration is required.

(Screenshot: Computer groups from Active Directory)

When groups have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click either of these links to return the ComputerGroup records with this information.

Windows Server Update Services

When you configure Azure Monitor to import WSUS group memberships, it analyzes the targeting group membership of any computers with the Log Analytics agent. If you are using client-side targeting, any computer that is connected to Azure Monitor and is part of any WSUS targeting group has its group membership imported to Azure Monitor. If you are using server-side targeting, the Log Analytics agent must be installed on the WSUS server for the group membership information to be imported to Azure Monitor. This membership is refreshed every 4 hours.

You configure Azure Monitor to import WSUS groups from Advanced settings in your Log Analytics workspace in the Azure portal. Select Computer Groups, WSUS, and then Import WSUS group memberships. No further configuration is required.

(Screenshot: Computer groups from WSUS)

When groups have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click either of these links to return the ComputerGroup records with this information.

Configuration Manager

When you configure Azure Monitor to import Configuration Manager collection memberships, it creates a computer group for each collection. The collection membership information is retrieved every 3 hours to keep the computer groups current.

Before you can import Configuration Manager collections, you must connect Configuration Manager to Azure Monitor.

(Screenshot: Computer groups from Configuration Manager)

When collections have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click either of these links to return the ComputerGroup records with this information.

Managing computer groups

You can view computer groups that were created from a log query or the Log Search API from Advanced settings in your Log Analytics workspace in the Azure portal. Select Computer Groups and then Saved Groups.

Click the x in the Remove column to delete a computer group. Click the View members icon for a group to run the group's log search, which returns its members. You can't modify a computer group; instead, delete it and then recreate it with the modified settings.

(Screenshot: Saved computer groups)

Using a computer group in a log query

You use a computer group created from a log query by treating its function alias as a function, typically with the following syntax:

Table | where Computer in (ComputerGroup)

For example, you could use the following to return UpdateSummary records only for computers in a computer group whose alias is mycomputergroup.

UpdateSummary | where Computer in (mycomputergroup)

Imported computer groups and the computers they contain are stored in the ComputerGroup table. For example, the following query returns a list of computers in the Domain Computers group from Active Directory.

ComputerGroup | where GroupSource == "ActiveDirectory" and Group == "Domain Computers" | distinct Computer

The following query returns UpdateSummary records only for computers in Domain Computers.

let ADComputers = ComputerGroup | where GroupSource == "ActiveDirectory" and Group == "Domain Computers" | distinct Computer;
  UpdateSummary | where Computer in (ADComputers)
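The same let-then-in pattern can scope a security query to an imported group. The following is an added example, not part of the original article: it counts failed logons only on computers in the Active Directory group Domain Controllers. It assumes the AD import described above is enabled and that the workspace collects Windows security events into the SecurityEvent table (EventID 4625 is a failed logon); the 1-day freshness bound on the membership records is a choice, not something the article prescribes.

```kusto
// Added example: scope a detection query to an imported Active Directory group.
// Assumes the AD import is enabled and that SecurityEvent is collected in this workspace.
let DomainControllers =
    ComputerGroup
    | where GroupSource == "ActiveDirectory" and Group == "Domain Controllers"
    | where TimeGenerated > ago(1d)        // keep only memberships refreshed recently (imports run every 4 hours)
    | distinct Computer;                   // a computer group must be a distinct list of computer names
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625                    // failed logon
| where Computer in~ (DomainControllers)   // in~ matches computer names case-insensitively
| summarize FailedLogons = count(), Accounts = make_set(TargetUserName, 50) by Computer
| order by FailedLogons desc
```

Because the group list is rebuilt from ComputerGroup on every run, a domain controller whose membership record has not been refreshed within the window drops out of scope silently; widen or remove the TimeGenerated filter if you would rather err toward including stale members.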

Computer group records

A record is created in the Log Analytics workspace for each computer group membership created from Active Directory or WSUS. These records have a type of ComputerGroup and have the properties in the following table. Records are not created for computer groups based on log queries.

Type: ComputerGroup
SourceSystem: SourceSystem
Computer: Name of the member computer.
Group: Name of the group.
GroupFullName: Full path to the group, including the source and source name.
GroupSource: Source that the group was collected from. One of ActiveDirectory, WSUS, or WSUSClientTargeting.
GroupSourceName: Name of the source that the group was collected from. For Active Directory, this is the domain name.
ManagementGroupName: Name of the management group for SCOM agents. For other agents, this is AOI-<workspace ID>.
TimeGenerated: Date and time the computer group was created or updated.
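Since a query scoped with where Computer in (SomeGroup) silently ignores any machine that has no membership record, it is worth checking which agents no imported group covers before relying on group-scoped queries. The following is an added example, not part of the original article: it lists Windows computers that sent a heartbeat in the last day but have no Active Directory membership record refreshed within the last two import cycles. It assumes the AD import is enabled; the 8-hour window is a choice based on the 4-hour refresh interval stated above.

```kusto
// Added example: find Windows agents that no imported Active Directory group covers.
// Assumes the AD import is enabled. The 8h window is two refresh cycles (imports run every 4 hours).
let CoveredByAD =
    ComputerGroup
    | where GroupSource == "ActiveDirectory"
    | where TimeGenerated > ago(8h)          // membership record refreshed within the last two import cycles
    | distinct Computer;
Heartbeat
| where TimeGenerated > ago(1d)
| where OSType == "Windows"                  // the AD import only covers Windows machines
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| join kind=leftanti CoveredByAD on Computer  // keep only computers with no fresh AD membership record
| order by LastHeartbeat desc
```

Any computer this returns is either not domain-joined, not in a security group the import picked up, or has stopped refreshing its membership; in each case a query scoped to an imported group will not see its records.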

Next steps

  • Learn about log queries to analyze the data collected from data sources and solutions.