Queries for the Syslog table

For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.

Find Linux kernel events

Find events reported by the Linux kernel process about killed processes.

// To create an alert for this query, click '+ New alert rule'
Syslog
| where ProcessName == "kernel" and SyslogMessage contains "Killed process"

All Syslog

The last 100 Syslog entries.

Syslog
| top 100 by TimeGenerated desc

All Syslog with errors

The last 100 Syslog entries with severity "err" or "error".

Syslog
| where SeverityLevel == "err" or SeverityLevel == "error"
| top 100 by TimeGenerated desc

All Syslog by facility

Count of all Syslog entries, grouped by facility.

Syslog
| summarize count() by Facility

All Syslog by process name

Count of all Syslog entries, grouped by process name.

Syslog
| summarize count() by ProcessName

Users added to Linux groups, by computer

Lists the computers on which users were added to Linux groups.

Syslog
| where Facility == 'authpriv' and SyslogMessage has 'to group' and (SyslogMessage has 'add' or SyslogMessage has 'added')
| summarize by Computer

New Linux groups created, by computer

Lists the computers on which new Linux groups were created.

Syslog
| where Facility == 'authpriv' and SyslogMessage has 'new group'
| summarize count() by Computer

Failed Linux user password changes

Lists the computers with failed Linux user password changes.

Syslog
| where Facility == 'authpriv'
    and ((SyslogMessage has 'passwd:chauthtok' and SyslogMessage has 'authentication failure')
         or SyslogMessage has 'password change failed')
| summarize count() by Computer

Computers with failed ssh logons

Lists the computers with failed ssh logons.

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'sshd:auth' and SyslogMessage has 'authentication failure')
     or (Facility == 'auth' and ((SyslogMessage has 'Failed' and SyslogMessage has 'invalid user' and SyslogMessage has 'ssh2')
                                 or SyslogMessage has 'error: PAM: Authentication failure'))
| summarize count() by Computer
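The failed-ssh-logon filter above only gives a per-computer total. As an added example that is not one of the page's own queries, the same predicate is run over constructed Syslog rows (a datatable, so it works in any workspace without an agent), the source address is extracted, and failures are counted per computer per hour and thresholded, which is the shape an alert rule normally needs. The threshold value and the sample rows are assumptions; replace the datatable with the Syslog table for real data.

```kusto
// Added example (not from the original page). Constructed rows stand in for the
// Syslog table; the message formats follow OpenSSH and pam_unix conventions.
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, Facility:string, SyslogMessage:string)
[
    datetime(2024-01-01 10:00:00), "web01", "auth",     "Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2",
    datetime(2024-01-01 10:01:00), "web01", "auth",     "Failed password for invalid user test from 203.0.113.5 port 51130 ssh2",
    datetime(2024-01-01 10:02:00), "web01", "authpriv", "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5",
    datetime(2024-01-01 10:30:00), "db01",  "auth",     "Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    datetime(2024-01-01 11:15:00), "db01",  "auth",     "error: PAM: Authentication failure for root from 203.0.113.9"
];
let threshold = 2;   // assumed alert threshold; tune per environment
SampleSyslog
// Same predicate as the page's "Computers with failed ssh logons" query.
| where (Facility == 'authpriv' and SyslogMessage has 'sshd:auth' and SyslogMessage has 'authentication failure')
     or (Facility == 'auth' and ((SyslogMessage has 'Failed' and SyslogMessage has 'invalid user' and SyslogMessage has 'ssh2')
                                 or SyslogMessage has 'error: PAM: Authentication failure'))
// Pull the peer address from either "from <ip>" (sshd) or "rhost=<ip>" (pam_unix).
| extend SourceIp = extract(@"(?:from|rhost=)\s*(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
// Count per host per hour and keep only hosts over the threshold.
| summarize Failures = count(), Sources = make_set(SourceIp) by Computer, bin(TimeGenerated, 1h)
| where Failures >= threshold
| order by Failures desc
```

With the rows above, only web01 (3 failures in the 10:00 hour, all from 203.0.113.5) survives the threshold; db01's single PAM failure does not.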

Computers with failed su logons

Lists the computers with failed su logons.

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'su:auth' and SyslogMessage has 'authentication failure')
     or (Facility == 'auth' and SyslogMessage has 'FAILED SU')
| summarize count() by Computer

Computers with failed sudo logons

Lists the computers with failed sudo logons.

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'sudo:auth'
         and (SyslogMessage has 'authentication failure' or SyslogMessage has 'conversation failed'))
     or ((Facility == 'auth' or Facility == 'authpriv') and SyslogMessage has 'user NOT in sudoers')
| summarize count() by Computer