Connect computers without internet access by using the Log Analytics gateway in Azure Monitor

Note

As Microsoft Operations Management Suite (OMS) transitions to Azure Monitor, terminology is changing. This article refers to OMS Gateway as the Azure Log Analytics gateway.

This article describes how to configure communication with Azure Automation and Azure Monitor by using the Log Analytics gateway when computers that are directly connected or that are monitored by Operations Manager have no internet access.

The Log Analytics gateway is an HTTP forward proxy that supports HTTP tunneling using the HTTP CONNECT command. This gateway sends data to Azure Automation and a Log Analytics workspace in Azure Monitor on behalf of the computers that cannot directly connect to the internet.

The Log Analytics gateway supports:

  • Reporting up to the same Log Analytics workspaces configured on each agent behind it and that are configured with Azure Automation Hybrid Runbook Workers.
  • Windows computers on which the Microsoft Monitoring Agent is directly connected to a Log Analytics workspace in Azure Monitor.
  • Linux computers on which a Log Analytics agent for Linux is directly connected to a Log Analytics workspace in Azure Monitor.
  • System Center Operations Manager 2012 SP1 with UR7, Operations Manager 2012 R2 with UR3, or a management group in Operations Manager 2016 or later that is integrated with Log Analytics.

Some IT security policies don't allow internet connection for network computers. These unconnected computers could be point of sale (POS) devices or servers supporting IT services, for example. To connect these devices to Azure Automation or a Log Analytics workspace so you can manage and monitor them, configure them to communicate directly with the Log Analytics gateway. The Log Analytics gateway can receive configuration information and forward data on their behalf. If the computers are configured with the Log Analytics agent to directly connect to a Log Analytics workspace, the computers instead communicate with the Log Analytics gateway.

The Log Analytics gateway transfers data from the agents to the service directly. It doesn't analyze any of the data in transit, and it does not cache data when it loses connectivity with the service. When the gateway is unable to communicate with the service, the agent continues to run and queues the collected data on the disk of the monitored computer. When the connection is restored, the agent sends the cached data it collected to Azure Monitor.

When an Operations Manager management group is integrated with Log Analytics, the management servers can be configured to connect to the Log Analytics gateway to receive configuration information and send collected data, depending on the solution you have enabled. Operations Manager agents send some data to the management server. For example, agents might send Operations Manager alerts, configuration assessment data, instance space data, and capacity data. Other high-volume data, such as Internet Information Services (IIS) logs, performance data, and security events, is sent directly to the Log Analytics gateway.

If one or more Operations Manager Gateway servers are deployed to monitor untrusted systems in a perimeter network or an isolated network, those servers can't communicate with a Log Analytics gateway. Operations Manager Gateway servers can report only to a management server. When an Operations Manager management group is configured to communicate with the Log Analytics gateway, the proxy configuration information is automatically distributed to every agent-managed computer that is configured to collect log data for Azure Monitor, even if the setting is empty.

To provide high availability for directly connected or Operations Management groups that communicate with a Log Analytics workspace through the gateway, use network load balancing (NLB) to redirect and distribute traffic across multiple gateway servers. That way, if one gateway server goes down, the traffic is redirected to another available node.

The computer that runs the Log Analytics gateway requires the Log Analytics Windows agent to identify the service endpoints that the gateway needs to communicate with. The agent also needs to direct the gateway to report to the same workspaces that the agents or Operations Manager management group behind the gateway are configured with. This configuration allows the gateway and the agent to communicate with their assigned workspace.

A gateway can be multihomed to up to four workspaces. This is the total number of workspaces a Windows agent supports.

Each agent must have network connectivity to the gateway so that agents can automatically transfer data to and from the gateway. Avoid installing the gateway on a domain controller. Linux computers that are behind a gateway server cannot use the wrapper script installation method to install the Log Analytics agent for Linux. The agent must be downloaded manually, copied to the computer, and installed manually because the gateway only supports communicating with the Azure services mentioned earlier.

The following diagram shows data flowing from direct agents, through the gateway, to Azure Automation and Log Analytics. The agent proxy configuration must match the port that the Log Analytics gateway is configured with.

Diagram of direct agent communication with services

The following diagram shows data flow from an Operations Manager management group to Log Analytics.

Diagram of Operations Manager communication with Log Analytics

Set up your system

Computers designated to run the Log Analytics gateway must have the following configuration:

  • Windows 10, Windows 8.1, or Windows 7
  • Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008
  • Microsoft .NET Framework 4.5
  • At least a 4-core processor and 8 GB of memory
  • A Log Analytics agent for Windows that is configured to report to the same workspace as the agents that communicate through the gateway

Language availability

The Log Analytics gateway is available in these languages:

  • Chinese (Simplified)
  • Chinese (Traditional)
  • Czech
  • Dutch
  • English
  • French
  • German
  • Hungarian
  • Italian
  • Japanese
  • Korean
  • Polish
  • Portuguese (Brazil)
  • Portuguese (Portugal)
  • Russian
  • Spanish (International)

Supported encryption protocols

The Log Analytics gateway supports only Transport Layer Security (TLS) 1.0, 1.1, and 1.2. It doesn't support Secure Sockets Layer (SSL). To ensure the security of data in transit to Log Analytics, configure the gateway to use at least TLS 1.2. Older versions of TLS or SSL are vulnerable. Although they currently allow backward compatibility, avoid using them.

For additional information, review Sending data securely using TLS 1.2.
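An added example, not part of the original article: a PowerShell check of the settings on the gateway host that decide which TLS versions it will negotiate. It reads the standard Windows Schannel and .NET Framework registry values; the function names are hypothetical, and a missing value is reported as the operating system default rather than guessed.

```powershell
# Added example, not from the original article.
# Reads the standard Windows Schannel and .NET Framework registry values that
# control protocol versions. Nothing is changed; the output is for review.

function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $values = Get-ItemProperty -Path "$base\$protocol\$role" -ErrorAction SilentlyContinue
            # No key or no Enabled value: Windows applies its built-in default.
            $state = 'OSDefault'
            if ($null -ne $values -and $null -ne $values.Enabled) {
                # Any non-zero DWORD (1 or 0xFFFFFFFF) means enabled.
                if ($values.Enabled -eq 0) { $state = 'Disabled' } else { $state = 'Enabled' }
            }
            [pscustomobject]@{
                Protocol = $protocol
                Role     = $role
                State    = $state
            }
        }
    }
}

function Get-DotNetStrongCryptoState {
    # SchUseStrongCrypto = 1 lets .NET Framework 4.x applications negotiate TLS 1.2.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $keys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $flag = $null
        if ($null -ne $values) { $flag = $values.SchUseStrongCrypto }
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $flag }
    }
}

function Get-GatewayTlsFinding {
    $schannel = @(Get-SchannelProtocolState)

    # Older protocols that are not explicitly disabled rely on the OS default.
    $schannel |
        Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled' } |
        ForEach-Object { '{0} ({1}) is not explicitly disabled (state: {2})' -f $_.Protocol, $_.Role, $_.State }

    # TLS 1.2 must never be switched off on the gateway host.
    $schannel |
        Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -eq 'Disabled' } |
        ForEach-Object { 'TLS 1.2 ({0}) is disabled' -f $_.Role }

    Get-DotNetStrongCryptoState |
        Where-Object { $_.SchUseStrongCrypto -ne 1 } |
        ForEach-Object { 'SchUseStrongCrypto is not set to 1 under {0}' -f $_.Key }
}

# Review the raw state first, then the list of items to follow up on.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-GatewayTlsFinding
```

Disabling TLS 1.0 or 1.1 on the gateway host also affects any older agents that still depend on them, so review the findings against the agents behind the gateway before changing a value.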

Supported number of agent connections

The following table shows approximately how many agents can communicate with a gateway server. Support is based on agents that upload about 200 KB of data every 6 seconds. For each agent tested, data volume is about 2.7 GB per day.

| Gateway | Agents supported (approximate) |
| --- | --- |
| CPU: Intel Xeon Processor E5-2660 v3 @ 2.6 GHz 2 Cores; Memory: 4 GB; Network bandwidth: 1 Gbps | 600 |
| CPU: Intel Xeon Processor E5-2660 v3 @ 2.6 GHz 4 Cores; Memory: 8 GB; Network bandwidth: 1 Gbps | 1000 |

Download the Log Analytics gateway

Get the latest version of the Log Analytics gateway Setup file from either Microsoft Download Center (Download Link) or the Azure portal.

To get the Log Analytics gateway from the Azure portal, follow these steps:

  1. Browse the list of services, and then select Log Analytics workspaces.

  2. Select a workspace.

  3. In your workspace blade, select Overview.

  4. Under Select one or more data sources to connect to the workspace, select Windows and Linux Agents management.

  5. In the blade, select Download Log Analytics Gateway.

    Screenshot of the steps to download the Log Analytics gateway

or

  1. In your workspace blade, under Settings, select Agents management.
  2. Select Download Log Analytics Gateway.

Install Log Analytics gateway using setup wizard

To install a gateway using the setup wizard, follow these steps.

  1. From the destination folder, double-click Log Analytics gateway.msi.

  2. On the Welcome page, select Next.

    Screenshot of the Welcome page in the gateway setup wizard

  3. On the License Agreement page, select I accept the terms in the License Agreement to agree to the Microsoft Software License Terms, and then select Next.

  4. On the Port and proxy address page:

    a. Enter the TCP port number to be used for the gateway. Setup uses this port number to configure an inbound rule on Windows Firewall. The default value is 8080. The valid range of the port number is 1 through 65535. If the input does not fall into this range, an error message appears.

    b. If the server where the gateway is installed needs to communicate through a proxy, enter the proxy address where the gateway needs to connect. For example, enter http://myorgname.corp.contoso.com:80. If you leave this field blank, the gateway will try to connect to the internet directly. If your proxy server requires authentication, enter a username and password.

    c. Select Next.

    Screenshot of the gateway proxy configuration

  5. If you do not have Microsoft Update enabled, the Microsoft Update page appears, and you can choose to enable it. Make a selection and then select Next. Otherwise, continue to the next step.

  6. On the Destination Folder page, either leave the default folder C:\Program Files\OMS Gateway or enter the location where you want to install the gateway. Then select Next.

  7. On the Ready to install page, select Install. If User Account Control requests permission to install, select Yes.

  8. After Setup finishes, select Finish. To verify that the service is running, open the services.msc snap-in and verify that OMS Gateway appears in the list of services and that its status is Running.

    Screenshot of local services showing that OMS Gateway is running

Install the Log Analytics gateway using the command line

The downloaded file for the gateway is a Windows Installer package that supports silent installation from the command line or other automated method. If you are not familiar with the standard command-line options for Windows Installer, see Command-line options.

The following table highlights the parameters supported by setup.

| Parameters | Notes |
| --- | --- |
| PORTNUMBER | TCP port number for gateway to listen on |
| PROXY | IP address of proxy server |
| INSTALLDIR | Fully qualified path to specify install directory of gateway software files |
| USERNAME | User ID to authenticate with proxy server |
| PASSWORD | Password of the user ID to authenticate with proxy |
| LicenseAccepted | Specify a value of 1 to verify you accept license agreement |
| HASAUTH | Specify a value of 1 when USERNAME/PASSWORD parameters are specified |
| HASPROXY | Specify a value of 1 when specifying IP address for PROXY parameter |

To silently install the gateway and configure it with a specific proxy address and port number, type the following:

Msiexec.exe /I "oms gateway.msi" /qn PORTNUMBER=8080 PROXY="10.80.2.200" HASPROXY=1 LicenseAccepted=1 

The /qn command-line option hides setup; /qb shows setup during silent install.

If you need to provide credentials to authenticate with the proxy, type the following:

Msiexec.exe /I "oms gateway.msi" /qn PORTNUMBER=8080 PROXY="10.80.2.200" HASPROXY=1 HASAUTH=1 USERNAME="<username>" PASSWORD="<password>" LicenseAccepted=1 

After installation, you can confirm the settings are accepted (excluding the username and password) using the following PowerShell cmdlets:

  • Get-OMSGatewayConfig - Returns the TCP Port the gateway is configured to listen on.
  • Get-OMSGatewayRelayProxy - Returns the IP address of the proxy server you configured it to communicate with.
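The silent install and the post-install check described above, combined in an added PowerShell example that is not part of the original article. It prompts for the proxy credential instead of keeping it in a script file; `Install-GatewaySilently` and `Test-GatewayInstall` are hypothetical helper names, and the MSI name and proxy address are the sample values from the commands above.

```powershell
# Added example, not from the original article.
# Assumptions: run from an elevated session; the MSI sits in the current folder
# under the name used in the article; proxy values are the article's samples.
#Requires -RunAsAdministrator

function Install-GatewaySilently {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [ValidateRange(1, 65535)] [int] $PortNumber = 8080,
        [string] $Proxy,
        [pscredential] $ProxyCredential
    )

    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "Installer not found: $MsiPath"
    }

    $msiArgs = @('/I', "`"$MsiPath`"", '/qn', "PORTNUMBER=$PortNumber", 'LicenseAccepted=1')

    if ($Proxy) {
        $msiArgs += "PROXY=`"$Proxy`"", 'HASPROXY=1'
    }

    if ($ProxyCredential) {
        if (-not $Proxy) { throw 'A proxy credential requires -Proxy.' }
        $user = $ProxyCredential.UserName
        $pass = $ProxyCredential.GetNetworkCredential().Password
        if ($user.Contains('"') -or $pass.Contains('"')) {
            throw 'Double quotes in the user name or password cannot be passed as MSI properties.'
        }
        # The installer takes PASSWORD as a command-line property, so it is visible
        # in the process command line while msiexec runs. Prompting keeps it out of
        # script files and shell history; do not add MSI logging (/l*v) here.
        $msiArgs += 'HASAUTH=1', "USERNAME=`"$user`"", "PASSWORD=`"$pass`""
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success with reboot required (standard Windows Installer codes).
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }
    $proc.ExitCode
}

function Test-GatewayInstall {
    # Fails fast if the module or the service is missing.
    Import-Module OMSGateway -ErrorAction Stop
    $service = Get-Service -Name OMSGatewayService -ErrorAction Stop

    [pscustomobject]@{
        ServiceStatus = $service.Status
        Config        = Get-OMSGatewayConfig        # listening port, per the article
        RelayProxy    = Get-OMSGatewayRelayProxy    # upstream proxy address, per the article
    }
}

# Usage: prompt for the upstream proxy account, install, then verify.
$credential = Get-Credential -Message 'Upstream proxy account'
Install-GatewaySilently -MsiPath '.\oms gateway.msi' -Proxy '10.80.2.200' -ProxyCredential $credential
Test-GatewayInstall | Format-List
```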

Configure network load balancing

You can configure the gateway for high availability by using network load balancing (NLB) with Microsoft Network Load Balancing (NLB), Azure Load Balancer, or hardware-based load balancers. The load balancer manages traffic by redirecting the requested connections from the Log Analytics agents or Operations Manager management servers across its nodes. If one Gateway server goes down, the traffic gets redirected to other nodes.

Microsoft Network Load Balancing

To learn how to design and deploy a Windows Server 2016 network load balancing cluster, see Network load balancing. The following steps describe how to configure a Microsoft network load balancing cluster.

  1. Sign onto the Windows server that is a member of the NLB cluster with an administrative account.

  2. Open Network Load Balancing Manager in Server Manager, click Tools, and then click Network Load Balancing Manager.

  3. To connect a Log Analytics gateway server with the Microsoft Monitoring Agent installed, right-click the cluster's IP address, and then click Add Host to Cluster.

    Network Load Balancing Manager - Add Host To Cluster

  4. Enter the IP address of the gateway server that you want to connect.

    Network Load Balancing Manager - Add Host To Cluster: Connect

Azure Load Balancer

To learn how to design and deploy an Azure Load Balancer, see What is Azure Load Balancer?. To deploy a basic load balancer, follow the steps outlined in this quickstart excluding the steps outlined in the section Create back-end servers.

Note

Configuring the Azure Load Balancer using the Basic SKU requires that Azure virtual machines belong to an Availability Set. To learn more about availability sets, see Manage the availability of Windows virtual machines in Azure. To add existing virtual machines to an availability set, refer to Set Azure Resource Manager VM Availability Set.

After the load balancer is created, a backend pool needs to be created, which distributes traffic to one or more gateway servers. Follow the steps described in the quickstart article section Create resources for the load balancer.

Note

Configure the health probe to use the TCP port of the gateway server. The health probe dynamically adds or removes the gateway servers from the load balancer rotation based on their response to health checks.

Configure the Log Analytics agent and Operations Manager management group

In this section, you'll see how to configure directly connected Log Analytics agents, an Operations Manager management group, or Azure Automation Hybrid Runbook Workers with the Log Analytics gateway to communicate with Azure Automation or Log Analytics.

Configure a standalone Log Analytics agent

When configuring the Log Analytics agent, replace the proxy server value with the IP address of the Log Analytics gateway server and its port number. If you have deployed multiple gateway servers behind a load balancer, the Log Analytics agent proxy configuration is the virtual IP address of the load balancer.

Note

To install the Log Analytics agent on the gateway and Windows computers that directly connect to Log Analytics, see Connect Windows computers to the Log Analytics service in Azure. To connect Linux computers, see Connect Linux computers to Azure Monitor.

After you install the agent on the gateway server, configure it to report to the workspace or workspace agents that communicate with the gateway. If the Log Analytics Windows agent is not installed on the gateway, event 300 is written to the OMS Gateway event log, indicating that the agent needs to be installed. If the agent is installed but not configured to report to the same workspace as the agents that communicate through it, event 105 is written to the same log, indicating that the agent on the gateway needs to be configured to report to the same workspace as the agents that communicate with the gateway.

After you complete configuration, restart the OMS Gateway service to apply the changes. Otherwise, the gateway will reject agents that attempt to communicate with Log Analytics and will report event 105 in the OMS Gateway event log. This will also happen when you add or remove a workspace from the agent configuration on the gateway server.
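An added example, not part of the original article: a PowerShell triage of events 300 and 105 on the gateway server, which also tells apart a 105 that predates the last service restart from one that persists after it. `Get-GatewayAgentEvent` is a hypothetical name, and the script assumes the gateway's event log name contains "OMS Gateway", so it looks the log up instead of hard-coding it.

```powershell
# Added example, not from the original article.
function Get-GatewayAgentEvent {
    param([ValidateRange(1, 720)] [int] $Hours = 24)

    # Meanings as described in the article.
    $meaning = @{
        300 = 'Log Analytics Windows agent is not installed on the gateway'
        105 = 'Gateway agent does not report to the same workspace as the agents behind it, or the service was not restarted after a configuration change'
    }

    # Assumption: the log name contains "OMS Gateway".
    $log = Get-WinEvent -ListLog '*OMS Gateway*' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $log) {
        throw 'No event log matching "*OMS Gateway*" was found. Is the gateway installed?'
    }

    # Start time of the running gateway service process, if it is running.
    $serviceStart = $null
    $service = Get-CimInstance -ClassName Win32_Service -Filter "Name='OMSGatewayService'"
    if ($service -and $service.ProcessId) {
        $serviceStart = (Get-Process -Id $service.ProcessId).StartTime
    }

    $filter = @{
        LogName   = $log.LogName
        Id        = 105, 300
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events found" as an error; treat it as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events | Group-Object -Property Id | ForEach-Object {
        $latest = $_.Group | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId            = [int]$_.Name
            Count              = $_.Count
            Latest             = $latest.TimeCreated
            # True: the event recurred after the last restart, so a restart alone
            # did not clear it and the workspace configuration needs review.
            AfterLastRestart   = ($null -ne $serviceStart -and $latest.TimeCreated -gt $serviceStart)
            Meaning            = $meaning[[int]$_.Name]
            LatestMessage      = $latest.Message
        }
    }
}

# Usage: review the last 24 hours on the gateway server.
Get-GatewayAgentEvent -Hours 24 | Format-List
```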

For information related to the Automation Hybrid Runbook Worker, see Automate resources in your datacenter or cloud by using Hybrid Runbook Worker.

Configure Operations Manager, where all agents use the same proxy server

The Operations Manager proxy configuration is automatically applied to all agents that report to Operations Manager, even if the setting is empty.

To use OMS Gateway to support Operations Manager, you must have:

  • Microsoft Monitoring Agent (version 8.0.10900.0 or later) installed on the OMS Gateway server and configured with the same Log Analytics workspaces that your management group is configured to report to.
  • Internet connectivity. Alternatively, OMS Gateway must be connected to a proxy server that is connected to the internet.

Note

If you specify no value for the gateway, blank values are pushed to all agents.

If your Operations Manager management group is registering with a Log Analytics workspace for the first time, you won't see the option to specify the proxy configuration for the management group in the Operations console. This option is available only if the management group has been registered with the service.

To configure integration, update the system proxy configuration by using Netsh on the system where you're running the Operations console and on all management servers in the management group. Follow these steps:

  1. Open an elevated command prompt:

    a. Select Start and enter cmd.

    b. Right-click Command Prompt and select Run as administrator.

  2. Enter the following command:

    netsh winhttp set proxy <proxy>:<port>

After completing the integration with Log Analytics, remove the change by running netsh winhttp reset proxy. Then, in the Operations console, use the Configure proxy server option to specify the Log Analytics gateway server.

  1. On the Operations Manager console, under Operations Management Suite, select Connection, and then select Configure Proxy Server.

    Screenshot of Operations Manager showing the Configure Proxy Server option

  2. Select Use a proxy server to access the Operations Management Suite and then enter the IP address of the Log Analytics gateway server or virtual IP address of the load balancer. Be careful to start with the prefix http://.

    Screenshot of Operations Manager showing the proxy server address

  3. Select Finish. Your Operations Manager management group is now configured to communicate through the gateway server to the Log Analytics service.

Configure Operations Manager, where specific agents use a proxy server

For large or complex environments, you might want only specific servers (or groups) to use the Log Analytics gateway server. For these servers, you can't update the Operations Manager agent directly because this value is overwritten by the global value for the management group. Instead, override the rule used to push these values.

Note

Use this configuration technique if you want to allow for multiple Log Analytics gateway servers in your environment. For example, you can require specific Log Analytics gateway servers to be specified on a regional basis.

To configure specific servers or groups to use the Log Analytics gateway server:

  1. Open the Operations Manager console and select the Authoring workspace.

  2. In the Authoring workspace, select Rules.

  3. On the Operations Manager toolbar, select the Scope button. If this button is not available, make sure you have selected an object, not a folder, in the Monitoring pane. The Scope Management Pack Objects dialog box displays a list of common targeted classes, groups, or objects.

  4. In the Look for field, enter Health Service and select it from the list. Select OK.

  5. Search for Advisor Proxy Setting Rule.

  6. On the Operations Manager toolbar, select Overrides and then point to Override the Rule\For a specific object of class: Health Service and select an object from the list. Or create a custom group that contains the health service object of the servers you want to apply this override to. Then apply the override to your custom group.

  7. In the Override Properties dialog box, add a check mark in the Override column next to the WebProxyAddress parameter. In the Override Value field, enter the URL of the Log Analytics gateway server. Be careful to start with the prefix http://.

    Note

    You don't need to enable the rule. It's already managed automatically with an override in the Microsoft System Center Advisor Secure Reference Override management pack that targets the Microsoft System Center Advisor Monitoring Server Group.

  8. Select a management pack from the Select destination management pack list, or create a new unsealed management pack by selecting New.

  9. When you finish, select OK.

Configure for Automation Hybrid Runbook Workers

If you have Automation Hybrid Runbook Workers in your environment, follow these steps to configure the gateway to support the workers.

Refer to the Configure your network section of the Automation documentation to find the URL for each region.

If your computer is registered as a Hybrid Runbook Worker automatically, for example if the Update Management solution is enabled for one or more VMs, follow these steps:

  1. Add the Job Runtime Data service URLs to the Allowed Host list on the Log Analytics gateway. For example: Add-OMSGatewayAllowedHost we-jobruntimedata-prod-su1.azure-automation.cn
  2. Restart the Log Analytics gateway service by using the following PowerShell cmdlet: Restart-Service OMSGatewayService

If your computer is joined to Azure Automation by using the Hybrid Runbook Worker registration cmdlet, follow these steps:

  1. Add the agent service registration URL to the Allowed Host list on the Log Analytics gateway. For example: Add-OMSGatewayAllowedHost ncus-agentservice-prod-1.azure-automation.cn
  2. Add the Job Runtime Data service URLs to the Allowed Host list on the Log Analytics gateway. For example: Add-OMSGatewayAllowedHost we-jobruntimedata-prod-su1.azure-automation.cn
  3. Restart the Log Analytics gateway service: Restart-Service OMSGatewayService
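An added example, not part of the original article: the allowed-host steps above made repeatable, so that the locally configured list on the gateway is compared with an approved baseline, only missing hosts are added, and the service is restarted only when something changed. `Sync-GatewayAllowedHost` is a hypothetical name, and the script assumes that `Get-OMSGatewayAllowedHost` emits one entry per host that converts to the host name as a string.

```powershell
# Added example, not from the original article.
# Assumption: each object from Get-OMSGatewayAllowedHost stringifies to a host name.
function Sync-GatewayAllowedHost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ApprovedHost,
        [switch] $RemoveUnapproved
    )

    Import-Module OMSGateway -ErrorAction Stop

    # Accept plain DNS host names only, as in the article's examples:
    # no scheme, path, port or wildcard.
    $hostPattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    $approved = foreach ($entry in $ApprovedHost) {
        $name = $entry.Trim().ToLowerInvariant()
        if ($name -notmatch $hostPattern) {
            throw "Not a plain host name: '$entry'"
        }
        $name
    }
    $approved = @($approved | Sort-Object -Unique)

    $current = @(Get-OMSGatewayAllowedHost |
        ForEach-Object { "$_".Trim().ToLowerInvariant() } |
        Where-Object { $_ })

    $missing    = @($approved | Where-Object { $_ -notin $current })
    $unapproved = @($current  | Where-Object { $_ -notin $approved })

    $added   = @()
    $removed = @()

    foreach ($name in $missing) {
        if ($PSCmdlet.ShouldProcess($name, 'Add-OMSGatewayAllowedHost')) {
            Add-OMSGatewayAllowedHost -Host $name
            $added += $name
        }
    }

    # Entries outside the baseline are reported by default and removed only on request.
    if ($RemoveUnapproved) {
        foreach ($name in $unapproved) {
            if ($PSCmdlet.ShouldProcess($name, 'Remove-OMSGatewayAllowedHost')) {
                Remove-OMSGatewayAllowedHost -Host $name
                $removed += $name
            }
        }
    }

    $restarted = $false
    if (($added.Count + $removed.Count) -gt 0 -and
        $PSCmdlet.ShouldProcess('OMSGatewayService', 'Restart-Service')) {
        Restart-Service -Name OMSGatewayService
        $restarted = $true
    }

    [pscustomobject]@{
        Added      = $added
        Removed    = $removed
        Unapproved = $unapproved   # locally configured hosts that are not in the baseline
        Restarted  = $restarted
    }
}

# Usage with the host names from the steps above; -WhatIf shows the plan without changes.
$baseline = 'ncus-agentservice-prod-1.azure-automation.cn',
            'we-jobruntimedata-prod-su1.azure-automation.cn'
Sync-GatewayAllowedHost -ApprovedHost $baseline -WhatIf
```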

Useful PowerShell cmdlets

You can use cmdlets to complete the tasks to update the Log Analytics gateway's configuration settings. Before you use cmdlets, be sure to:

  1. Install the Log Analytics gateway (Microsoft Windows Installer).
  2. Open a PowerShell console window.
  3. Import the module by typing this command: Import-Module OMSGateway
  4. If no error occurred in the previous step, the module was successfully imported and the cmdlets can be used. Enter Get-Module OMSGateway
  5. After you use the cmdlets to make changes, restart the OMS Gateway service.

An error in step 3 means that the module wasn't imported. The error might occur when PowerShell can't find the module. You can find the module in the OMS Gateway installation path: C:\Program Files\Microsoft OMS Gateway\PowerShell\OmsGateway.

| Cmdlet | Parameters | Description | Example |
| --- | --- | --- | --- |
| Get-OMSGatewayConfig | Key | Gets the configuration of the service | Get-OMSGatewayConfig |
| Set-OMSGatewayConfig | Key (required), Value | Changes the configuration of the service | Set-OMSGatewayConfig -Name ListenPort -Value 8080 |
| Get-OMSGatewayRelayProxy | | Gets the address of relay (upstream) proxy | Get-OMSGatewayRelayProxy |
| Set-OMSGatewayRelayProxy | Address, Username, Password (secure string) | Sets the address (and credential) of relay (upstream) proxy | 1. Set a relay proxy and credential: Set-OMSGatewayRelayProxy -Address http://www.myproxy.com:8080 -Username user1 -Password 123 2. Set a relay proxy that doesn't need authentication: Set-OMSGatewayRelayProxy -Address http://www.myproxy.com:8080 3. Clear the relay proxy setting: Set-OMSGatewayRelayProxy -Address "" |
| Get-OMSGatewayAllowedHost | | Gets the currently allowed host (only the locally configured allowed host, not automatically downloaded allowed hosts) | Get-OMSGatewayAllowedHost |
| Add-OMSGatewayAllowedHost | Host (required) | Adds the host to the allowed list | Add-OMSGatewayAllowedHost -Host www.test.com |
| Remove-OMSGatewayAllowedHost | Host (required) | Removes the host from the allowed list | Remove-OMSGatewayAllowedHost -Host www.test.com |
| Add-OMSGatewayAllowedClientCertificate | Subject (required) | Adds the client certificate subject to the allowed list | Add-OMSGatewayAllowedClientCertificate -Subject mycert |
| Remove-OMSGatewayAllowedClientCertificate | Subject (required) | Removes the client certificate subject from the allowed list | Remove-OMSGatewayAllowedClientCertificate -Subject mycert |
| Get-OMSGatewayAllowedClientCertificate | | Gets the currently allowed client certificate subjects (only the locally configured allowed subjects, not automatically downloaded allowed subjects) | Get-OMSGatewayAllowedClientCertificate |

Troubleshooting

To collect events logged by the gateway, you should have the Log Analytics agent installed.

Screenshot of the Event Viewer list in the Log Analytics gateway log

Log Analytics gateway event IDs and descriptions

The following table shows the event IDs and descriptions for Log Analytics gateway log events.

| ID | Description |
| --- | --- |
| 400 | Any application error that has no specific ID. |
| 401 | Wrong configuration. For example, listenPort = "text" instead of an integer. |
| 402 | Exception in parsing TLS handshake messages. |
| 403 | Networking error. For example, cannot connect to target server. |
| 100 | General information. |
| 101 | Service has started. |
| 102 | Service has stopped. |
| 103 | An HTTP CONNECT command was received from client. |
| 104 | Not an HTTP CONNECT command. |
| 105 | Destination server is not in allowed list, or destination port is not secure (443). Ensure that the MMA agent on your OMS Gateway server and the agents that communicate with OMS Gateway are connected to the same Log Analytics workspace. |
| 105 | ERROR TcpConnection - Invalid Client certificate: CN=Gateway. Ensure that you're using OMS Gateway version 1.0.395.0 or greater. Also ensure that the MMA agent on your OMS Gateway server and the agents communicating with OMS Gateway are connected to the same Log Analytics workspace. |
| 106 | Unsupported TLS/SSL protocol version. The Log Analytics gateway supports only TLS 1.0, TLS 1.1, and 1.2. It does not support SSL. |
| 107 | The TLS session has been verified. |
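
A triage pass over gateway events using the IDs in the table above, as an added example that is not part of the original article. The function name Get-GatewayEventTriage is hypothetical, the sample events are constructed, and the log name in the final comment is a placeholder to replace with the gateway's log as shown in Event Viewer.

```powershell
# Added example, not from the original article.
# Get-GatewayEventTriage is a hypothetical name; meanings come from the table above.
function Get-GatewayEventTriage {
    param([Parameter(Mandatory, ValueFromPipeline)]$InputObject)
    begin {
        $meaning = @{
            400 = 'Application error'; 401 = 'Wrong configuration'
            402 = 'TLS handshake parsing exception'; 403 = 'Networking error'
            104 = 'Not an HTTP CONNECT command'
            106 = 'Unsupported TLS/SSL protocol version'
        }
        $counts = @{}
    }
    process {
        $id = [int]$InputObject.Id
        if ($id -eq 105) {
            # ID 105 covers two cases; the certificate case names the rejected subject.
            if ($InputObject.Message -match 'Invalid Client certificate:\s*(?<subject>.+?)\.?\s*$') {
                $key = "105 Invalid client certificate ($($Matches.subject))"
            } else {
                $key = '105 Destination not in allowed list or port is not 443'
            }
        } elseif ($meaning.ContainsKey($id)) {
            $key = "$id $($meaning[$id])"
        } else {
            return   # 100-103 and 107 are informational; skip to the next event
        }
        $counts[$key] = 1 + [int]$counts[$key]
    }
    end {
        $counts.GetEnumerator() | Sort-Object Value -Descending |
            ForEach-Object { [pscustomobject]@{ Finding = $_.Key; Count = $_.Value } }
    }
}

# Constructed sample events; only the certificate message is quoted from the table.
$sample = @(
    [pscustomobject]@{ Id = 103; Message = 'constructed: CONNECT received' }
    [pscustomobject]@{ Id = 105; Message = 'ERROR TcpConnection - Invalid Client certificate: CN=Gateway.' }
    [pscustomobject]@{ Id = 105; Message = 'constructed: destination rejected' }
    [pscustomobject]@{ Id = 105; Message = 'constructed: destination rejected' }
    [pscustomobject]@{ Id = 106; Message = 'constructed: unsupported protocol version' }
)
$sample | Get-GatewayEventTriage

# Live use: Get-WinEvent -LogName '<gateway log name>' | Get-GatewayEventTriage
```

A rising count for either 105 finding points at the allow list or at the client certificate checks described in the table, so review those before changing the gateway configuration.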

Performance counters to collect

The following table shows the performance counters available for the Log Analytics gateway. Use Performance Monitor to add the counters.

| Name | Description |
| --- | --- |
| Log Analytics Gateway/Active Client Connection | Number of active client network (TCP) connections |
| Log Analytics Gateway/Error Count | Number of errors |
| Log Analytics Gateway/Connected Client | Number of connected clients |
| Log Analytics Gateway/Rejection Count | Number of rejections due to any TLS validation error |

Screenshot of the Log Analytics gateway interface showing performance counters

Assistance

When you're signed in to the Azure portal, you can get help with the Log Analytics gateway or any other Azure service or feature. To get help, select the question mark icon in the upper-right corner of the portal and select New support request. Then complete the new support request form.

Screenshot of a new support request

Next steps

Add data sources to collect data from connected sources, and store the data in your Log Analytics workspace.