Log Analytics agent overview

The Azure Log Analytics agent was developed for comprehensive management across virtual machines in any cloud, and on-premises machines. The Windows and Linux agents send collected data from different sources to your Log Analytics workspace in Azure Monitor, as well as any unique logs or metrics as defined in a monitoring solution. The Log Analytics agent also supports insights and other services in Azure Monitor such as Azure Security Center and Azure Automation.

This article provides a detailed overview of the agent, system and network requirements, and the different deployment methods.

Note

You may also see the Log Analytics agent referred to as the Microsoft Monitoring Agent (MMA) or OMS Linux agent.

Note

Azure Diagnostics extension is one of the agents available to collect monitoring data from the guest operating system of compute resources. See Overview of the Azure Monitor agents for a description of the different agents and guidance on selecting the appropriate agents for your requirements.

Comparison to Azure diagnostics extension

The Azure diagnostics extension in Azure Monitor can also be used to collect monitoring data from the guest operating system of Azure virtual machines. You may choose to use either or both depending on your requirements. See Overview of the Azure Monitor agents for a detailed comparison of the Azure Monitor agents.

The key differences to consider are:

  • Azure Diagnostics Extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises.
  • Azure Diagnostics extension sends data to Azure Storage, Azure Monitor Metrics (Windows only) and Event Hubs. The Log Analytics agent collects data to Azure Monitor Logs.
  • The Log Analytics agent is required for solutions and other services such as Azure Security Center.

Costs

There is no cost for the Log Analytics agent, but you may incur charges for the data ingested. Check Manage usage and costs with Azure Monitor Logs for detailed information on the pricing for data collected in a Log Analytics workspace.

Data collected

The following table lists the types of data you can configure a Log Analytics workspace to collect from all connected agents. See What is monitored by Azure Monitor? for a list of insights, solutions, and other solutions that use the Log Analytics agent to collect other kinds of data.

Data Source | Description
Windows Event logs | Information sent to the Windows event logging system.
Syslog | Information sent to the Linux event logging system.
Performance | Numerical values measuring performance of different aspects of operating system and workloads.
IIS logs | Usage information for IIS web sites running on the guest operating system.
Custom logs | Events from text files on both Windows and Linux computers.

Data destinations

The Log Analytics agent sends data to a Log Analytics workspace in Azure Monitor. The Windows agent can be multihomed to send data to multiple workspaces and System Center Operations Manager management groups. The Linux agent can send to only a single destination.

Other services

The agent for Linux and Windows isn't only for connecting to Azure Monitor; it also supports Azure Automation to host the Hybrid Runbook worker role and other services such as Update Management and Azure Security Center. For more information about the Hybrid Runbook Worker role, see Azure Automation Hybrid Runbook Worker.

Installation and configuration

When using the Log Analytics agents to collect data, you need to understand the following in order to plan your agent deployment:

  • To collect data from Windows agents, you can configure each agent to report to one or more workspaces, even while it is reporting to a System Center Operations Manager management group. The Windows agent can report to up to four workspaces.
  • The Linux agent does not support multi-homing and can only report to a single workspace.
  • The Windows agent supports the FIPS 140 standard, while the Linux agent does not support it.

There are multiple methods to install the Log Analytics agent and connect your machine to Azure Monitor depending on your requirements. The following table highlights each method to determine which works best in your organization.

Source | Method | Description
Azure VM | Manually from the Azure portal | Specify VMs to deploy from the Log Analytics workspace.
Azure VM | Log Analytics VM extension for Windows or Linux using Azure CLI or with an Azure Resource Manager template | The extension installs the Log Analytics agent on Azure virtual machines and enrolls them into an existing Azure Monitor workspace.
Azure VM | Azure Security Center Automatic provisioning | Azure Security Center can provision the Log Analytics agent on all supported Azure VMs and any new ones that are created if you enable it to monitor for security vulnerabilities and threats. If enabled, any new or existing VM without an installed agent will be provisioned.
Hybrid Windows computer | Manual install | Install the Microsoft Monitoring agent from the command line.
Hybrid Windows computer | Azure Automation DSC | Automate the installation with Azure Automation DSC.
Hybrid Windows computer | Resource Manager template with Azure Stack | Use an Azure Resource Manager template if you have deployed Azure Stack in your datacenter.
Hybrid Linux computer | Manual install | Install the agent for Linux calling a wrapper-script hosted on GitHub.

Supported Windows operating systems

The following versions of the Windows operating system are officially supported for the Windows agent:

  • Windows Server 2019
  • Windows Server 2016, version 1709 and 1803
  • Windows Server 2012, 2012 R2
  • Windows Server 2008 SP2 (x64), 2008 R2
  • Windows 10 Enterprise (including multi-session) and Pro
  • Windows 8 Enterprise and Pro
  • Windows 7 SP1

Note

While the Log Analytics agent for Windows was designed to support server monitoring scenarios, we realize you may run Windows client to support workloads configured and optimized for the server operating system. The agent does support Windows client; however, our monitoring solutions don't focus on client monitoring scenarios unless explicitly stated.

Supported Linux operating systems

This section provides details about the supported Linux distributions.

Starting with versions released after August 2018, we are making the following changes to our support model:

  • Only the server versions are supported, not client.
  • Focus support on any of the Azure Linux Endorsed distros. Note that there may be some delay between a new distro/version being Azure Linux Endorsed and it being supported for the Log Analytics Linux agent.
  • All minor releases are supported for each major version listed.
  • Versions that have passed their manufacturer's end-of-support date are not supported.
  • New versions of AMI are not supported.
  • Only versions that run SSL 1.x by default are supported.

Note

If you are using a distro or version that is not currently supported and doesn't align to our support model, we recommend that you fork this repo, acknowledging that Microsoft support will not provide assistance with forked agent versions.

Python 2 requirement

The Log Analytics agent requires Python 2. If your virtual machine is using a distro that doesn't include Python 2 by default, then you must install it. The following sample commands will install Python 2 on different distros.

  • Red Hat, CentOS, Oracle: yum install -y python2
  • Ubuntu, Debian: apt-get install -y python2
  • SUSE: zypper install -y python2

The python2 executable must be aliased to python using the following procedure:

  1. Run the following command to view any current python alias, if one exists. If it does, then take note of the priority for the next step.

    sudo update-alternatives --display python
    
  2. Run the following command. Replace <priority> with a number greater than any existing link's priority, or 1 if no links currently exist.

    sudo update-alternatives --install /usr/bin/python python /usr/bin/python2 <priority>
    

Supported distros

The following versions of the Linux operating system are officially supported for the Linux agent:

  • Amazon Linux 2017.09 (x64)
  • CentOS Linux 6 (x64) and 7 (x64)
  • Oracle Linux 6 and 7 (x64)
  • Red Hat Enterprise Linux Server 6 (x64), 7 (x64), and 8 (x64)
  • Debian GNU/Linux 8 and 9 (x64)
  • Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x64), and 18.04 LTS (x64)
  • SUSE Linux Enterprise Server 12 (x64) and 15 (x64)

Note

OpenSSL 1.1.0 is only supported on x86_x64 platforms (64-bit) and OpenSSL earlier than 1.x is not supported on any platform.

Agent prerequisites

The following table highlights the packages required for supported Linux distros that the agent will be installed on.

Required package | Description | Minimum version
Glibc | GNU C Library | 2.5-12
Openssl | OpenSSL Libraries | 1.0.x or 1.1.x
Curl | cURL web client | 7.15.5
Python | | 2.6+ or 3.3+
Python-ctypes | |
PAM | Pluggable Authentication Modules |

Note

Either rsyslog or syslog-ng is required to collect syslog messages. The default syslog daemon on version 5 of Red Hat Enterprise Linux, CentOS, and Oracle Linux version (sysklog) is not supported for syslog event collection. To collect syslog data from this version of these distributions, the rsyslog daemon should be installed and configured to replace sysklog.

TLS 1.2 protocol

To ensure the security of data in transit to Azure Monitor logs, we strongly encourage you to configure the agent to use at least Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are not recommended. For additional information, review Sending data securely using TLS 1.2.

SHA-2 Code Signing Support Requirement for Windows

The Windows agent will begin to exclusively use SHA-2 signing on November 2, 2020. This change will impact customers using the Log Analytics agent on a legacy OS as part of any Azure service (Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP). The change does not require any customer action unless you are running the agent on a legacy OS version (Windows 7, Windows Server 2008 R2 and Windows Server 2008). Customers running on a legacy OS version are required to take the following actions on their machines before November 2, 2020 or their agents will stop sending data to their Log Analytics workspaces:

  1. Install the latest Service Pack for your OS. The required service pack versions are:

    • Windows 7 SP1
    • Windows Server 2008 SP2
    • Windows Server 2008 R2 SP1
  2. Install the SHA-2 signing Windows updates for your OS as described in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

  3. Update to the latest version of the Windows agent (version 10.20.18029).

  4. Recommended to configure the agent to use TLS 1.2.

Network requirements

The agent for Linux and Windows communicates outbound to the Azure Monitor service over TCP port 443. If the machine connects through a firewall or proxy server to communicate over the Internet, review the requirements below to understand the network configuration required. If your IT security policies do not allow computers on the network to connect to the Internet, you can set up a Log Analytics gateway and then configure the agent to connect through the gateway to Azure Monitor logs. The agent can then receive configuration information and send data collected depending on what data collection rules and monitoring solutions you have enabled in your workspace.

[Figure: Log Analytics agent communication diagram]

The following table lists the proxy and firewall configuration information that's required for the Linux and Windows agents to communicate with Azure Monitor logs.

Firewall requirements

Agent Resource | Ports | Direction | Bypass HTTPS inspection
*.ods.opinsights.azure.cn | Port 443 | Outbound | Yes
*.oms.opinsights.azure.cn | Port 443 | Outbound | Yes
*.blob.core.chinacloudapi.cn | Port 443 | Outbound | Yes
*.azure-automation.cn | Port 443 | Outbound | Yes
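
When these four entries are turned into an HTTPS inspection bypass list, the match should fall on DNS label boundaries so the exemption is no wider than the table. The following Python is an added example, not code from Microsoft or the agent; the function names and the sample hostnames are constructed for illustration, and it assumes that "*" stands for one or more complete labels.

```python
# Added example, not Microsoft's code: check hosts against the four wildcard
# entries in the firewall table, matching on DNS label boundaries.
import re

AGENT_ENDPOINTS = (
    "*.ods.opinsights.azure.cn",
    "*.oms.opinsights.azure.cn",
    "*.blob.core.chinacloudapi.cn",
    "*.azure-automation.cn",
)
AGENT_PORT = 443
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def matches_wildcard(host, pattern):
    """True if host is a subdomain of the name that follows '*.' in pattern."""
    host = host.strip().rstrip(".").lower()   # tolerate a trailing root dot
    suffix = pattern[1:].lower()              # "*.x.y" -> ".x.y"
    if not host.endswith(suffix):
        return False
    labels = host[: -len(suffix)].split(".")
    # Assumption: "*" covers one or more complete, well-formed labels.
    return all(_LABEL.match(label) for label in labels)


def bypass_allowed(host, port):
    """True only for port 443 and a host under one of the listed names."""
    return port == AGENT_PORT and any(
        matches_wildcard(host, pattern) for pattern in AGENT_ENDPOINTS)


def outside_table(exempted):
    """Return the (host, port) exemptions that the table does not call for."""
    return [(h, p) for h, p in exempted if not bypass_allowed(h, p)]


# Constructed sample: destinations a proxy currently exempts from inspection.
SAMPLE_EXEMPTED = [
    ("workspace01.ods.opinsights.azure.cn", 443),
    ("WORKSPACE01.OMS.opinsights.azure.cn.", 443),
    ("account01.blob.core.chinacloudapi.cn", 443),
    ("region01.agentsvc.azure-automation.cn", 443),
    ("testods.opinsights.azure.cn", 443),          # shares text, not a label
    ("ods.opinsights.azure.cn.example.net", 443),  # listed name is a prefix
    ("account01.blob.core.chinacloudapi.cn", 8443),  # wrong port
]

if __name__ == "__main__":
    for host, port in outside_table(SAMPLE_EXEMPTED):
        print("exemption broader than the table:", host, port)
```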

If you plan to use the Azure Automation Hybrid Runbook Worker to connect to and register with the Automation service to use runbooks or management solutions in your environment, it must have access to the port number and the URLs described in Configure your network for the Hybrid Runbook Worker.

Proxy configuration

The Windows and Linux agents support communicating with Azure Monitor through either a proxy server or a Log Analytics gateway using the HTTPS protocol. Both anonymous and basic authentication (username/password) are supported. For the Windows agent connected directly to the service, the proxy configuration is specified during installation or after deployment from Control Panel or with PowerShell.

For the Linux agent, the proxy server is specified during installation or after installation by modifying the proxy.conf configuration file. The Linux agent proxy configuration value has the following syntax:

[protocol://][user:password@]proxyhost[:port]

Note

If your proxy server does not require you to authenticate, the Linux agent still requires providing a pseudo user/password. This can be any username or password.

Property | Description
Protocol | https
user | Optional username for proxy authentication
password | Optional password for proxy authentication
proxyhost | Address or FQDN of the proxy server/Log Analytics gateway
port | Optional port number for the proxy server/Log Analytics gateway

For example: https://user01:password@proxy01.contoso.com:30443

Note

If you use special characters such as "@" in your password, you receive a proxy connection error because the value is parsed incorrectly. To work around this issue, encode the password in the URL using a tool such as URLDecode.
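
The proxy syntax and the special-character workaround above can be handled in code before a value reaches proxy.conf. The following Python is an added example, not code from Microsoft or the agent: build_proxy_value percent-encodes the credentials, and parse_proxy_value rejects any value that does not fit the documented syntax, such as one with a raw "@" in the password. Both function names are hypothetical, and IPv6 literals are not handled.

```python
# Added example, not Microsoft's code: build and lint Linux agent proxy values
# of the form [protocol://][user:password@]proxyhost[:port].
import re
from urllib.parse import quote, unquote

# user, password and proxyhost may not contain the raw delimiters ":", "@", "/".
_PROXY_RE = re.compile(
    r"^(?:(?P<protocol>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?:(?P<user>[^:@/\s]*):(?P<password>[^:@/\s]*)@)?"
    r"(?P<proxyhost>[^:@/\s]+)"
    r"(?::(?P<port>[0-9]{1,5}))?$"
)


def build_proxy_value(proxyhost, port=None, user=None, password=None,
                      protocol="https"):
    """Return a proxy value with the credentials percent-encoded."""
    if not re.fullmatch(r"[^:@/\s]+", proxyhost):
        raise ValueError("proxyhost must be a bare address or FQDN")
    value = protocol + "://"
    if user is not None:
        # safe="" also encodes "/", ":" and "@", the delimiters of the syntax.
        value += quote(user, safe="") + ":" + quote(password or "", safe="") + "@"
    value += proxyhost
    if port is not None:
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range")
        value += ":%d" % int(port)
    return value


def parse_proxy_value(value):
    """Split a proxy value into its fields, or raise ValueError if ambiguous."""
    match = _PROXY_RE.match(value.strip())
    if match is None:
        raise ValueError("not [protocol://][user:password@]proxyhost[:port]; "
                         "percent-encode special characters in credentials")
    fields = match.groupdict()
    for key in ("user", "password"):
        if fields[key] is not None:
            fields[key] = unquote(fields[key])   # "%40" -> "@"
    if fields["port"] is not None:
        fields["port"] = int(fields["port"])
    return fields


if __name__ == "__main__":
    # Constructed credentials; the host and port are the page's own example.
    encoded = build_proxy_value("proxy01.contoso.com", 30443, "user01", "p@ss:w/rd")
    print(encoded)
    print(parse_proxy_value(encoded))
```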

Next steps

  • Review data sources to understand the data sources available to collect data from your Windows or Linux system.
  • Learn about log queries to analyze the data collected from data sources and solutions.
  • Learn about monitoring solutions that add functionality to Azure Monitor and also collect data into the Log Analytics workspace.