For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.
Kubernetes API audit event volume per source IP
Shows the count of Kubernetes API audit events generated from a given source IP address for each Nexus cluster.
NCCKubernetesAPIAuditLogs
| where ResponseStatusCode != 401 // Exclude unauthorized responses
| summarize Count = count() by SourceIps, ClusterName
| sort by Count desc
Kubernetes API audit event volume per user
Shows the count of Kubernetes API audit events generated by a given user for each Nexus cluster.
NCCKubernetesAPIAuditLogs
| where ResponseStatusCode != 401 // Exclude unauthorized responses
| summarize Count = count() by User, ClusterName
| sort by Count desc
Failed Kubernetes API requests
Shows failed Kubernetes API requests (4xx and 5xx status codes), grouped by response code and verb for each Nexus cluster.
NCCKubernetesAPIAuditLogs
| where ResponseStatusCode >= 400 // Failed requests (4xx and 5xx)
| summarize Count = count() by ResponseStatusCode, Verb, ClusterName
| sort by Count desc
Kubernetes deployment modification audit events
Queries Kubernetes API audit events that show modifications (create, update, patch, delete) to deployments in Nexus clusters.
NCCKubernetesAPIAuditLogs
| where ObjectRef contains "deployments"
| where Verb in ("create", "update", "patch", "delete")
| project TimeGenerated, Verb, RequestUri, User, ObjectRef, ResponseStatusCode, ClusterName
| sort by TimeGenerated desc
| limit 100