Configure Vault Diagnostics settings at scale

The reporting solution provided by Azure Backup leverages Log Analytics (LA). For the data of any given vault to be sent to LA, a diagnostics setting needs to be created for that vault.

Often, adding a diagnostics setting manually per vault can be a cumbersome task. In addition, any new vault created also needs to have diagnostics settings enabled in order to be able to view reports for this vault.

To simplify the creation of diagnostics settings at scale (with LA as the destination), Azure Backup provides a built-in Azure Policy. This policy adds an LA diagnostics setting to all vaults in a given subscription or resource group. The following sections provide instructions on how to use this policy.

Supported Scenarios

  • The policy can be applied at one time to all Recovery Services vaults in a particular subscription (or to a resource group within the subscription). The user assigning the policy needs to have 'Owner' access to the subscription to which the policy is assigned.

  • The LA Workspace specified by the user (to which diagnostics data will be sent) can be in a different subscription from the vaults to which the policy is assigned. The user needs to have 'Reader', 'Contributor' or 'Owner' access to the subscription in which the specified LA Workspace exists.

  • Management Group scope is currently unsupported.

  • The built-in policy is currently not available in national clouds.

Assigning the built-in policy to a scope

To assign the policy for vaults in the required scope, follow the steps below:

  1. Sign in to the Azure portal and navigate to the Policy Dashboard.

  2. Select Definitions in the left menu to get a list of all built-in policies across Azure Resources.

  3. Filter the list for Category=Monitoring. Locate the policy named [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.

    Policy Definition blade

  4. Click on the name of the policy. You will be redirected to the detailed definition for this policy.

    Detailed policy definition

  5. Click on the Assign button at the top of the blade. This redirects you to the Assign Policy blade.

  6. Under Basics, click on the three dots next to the Scope field. This opens up a right context blade where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for vaults in a particular resource group.

    Policy Assignment Basics

  7. Under Parameters, enter the following information:

    • Profile Name - The name that will be assigned to the diagnostics settings created by the policy.

    • Log Analytics Workspace - The Log Analytics Workspace to which the diagnostics setting should be associated. Diagnostics data of all vaults in the scope of the Policy assignment will be pushed to the specified LA Workspace.

    • Exclusion Tag Name (optional) and Exclusion Tag Value (optional) - You can choose to exclude vaults containing a certain tag name and value from the policy assignment. For example, if you do not want a diagnostics setting to be added to those vaults which have a tag 'isTest' set to the value 'yes', you must enter 'isTest' in the Exclusion Tag Name field and 'yes' in the Exclusion Tag Value field. If either (or both) of these two fields are left empty, the policy will be applied to all relevant vaults irrespective of the tags they contain.

    Policy Assignment Parameters

  8. Create a remediation task - Once the policy is assigned to a scope, any new vaults created in that scope automatically get LA diagnostics settings configured (within 30 minutes from the time of creation of the vault). To add a diagnostics setting to existing vaults in the scope, you can trigger a remediation task at policy assignment time. To trigger a remediation task, select the checkbox Create a Remediation task.

    Policy Assignment Remediation

  9. Navigate to the Review+Create tab and click Create.
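The same assignment, scripted with Azure PowerShell for teams that apply this across many subscriptions rather than clicking through the portal. This is an added example and not code from the original article or from Azure Backup. The only value taken from the article is the policy display name; the subscription, resource group and workspace IDs are placeholders, the parameter names passed to the assignment (profileName, logAnalytics, exclusionTagName, exclusionTagValue) are an assumption to be checked against the definition's Parameters block, and the object shapes follow Az.Resources 6.x.

```powershell
# Added example, not from the original article. Assigns the built-in policy with
# Azure PowerShell (Az.Resources; run Connect-AzAccount first).
# Assumptions: the three IDs below are placeholders; the parameter names used in
# $parameters are assumed and must be confirmed with $definition.Properties.Parameters;
# object shapes follow Az.Resources 6.x.
$subscriptionId = '<subscription-id>'                     # placeholder: subscription holding the vaults
$resourceGroup  = '<resource-group>'                      # placeholder: drop from $scope to target the whole subscription
$workspaceId    = '<log-analytics-workspace-resource-id>' # placeholder: may live in another subscription

$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Step 3 of the article: find the built-in definition by its display name.
$displayName = '[Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories'
$definition  = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $displayName }
if (-not $definition) { throw "Built-in policy definition not found: $displayName" }

# Step 7: profile name, destination workspace, optional exclusion tag.
$parameters = @{
    profileName       = 'backup-la-diagnostics'   # name given to the diagnostics setting the policy creates
    logAnalytics      = $workspaceId
    exclusionTagName  = 'isTest'                  # vaults tagged isTest=yes are skipped (the article's example)
    exclusionTagValue = 'yes'
}

# Step 6: assign at the chosen scope. A DeployIfNotExists policy needs a managed
# identity; the remediation task uses it to create the settings.
$assignment = New-AzPolicyAssignment -Name 'vault-diag-to-la' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject $parameters `
    -Location 'eastus' `
    -IdentityType 'SystemAssigned'

# Grant that identity exactly the roles the definition declares it needs, on the
# vault scope and on the workspace (which the article allows to be in another subscription).
$roleIds = $definition.Properties.PolicyRule.then.details.roleDefinitionIds |
    ForEach-Object { ($_ -split '/')[-1] }
foreach ($roleId in $roleIds) {
    foreach ($target in @($scope, $workspaceId)) {
        New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
            -RoleDefinitionId $roleId -Scope $target
    }
}

# Step 8: remediate vaults that already exist (new vaults are handled automatically).
# Role assignments can take a few minutes to propagate; retry if this is denied.
Start-AzPolicyRemediation -Name 'vault-diag-initial' `
    -ResourceGroupName $resourceGroup `
    -PolicyAssignmentId "$scope/providers/Microsoft.Authorization/policyAssignments/vault-diag-to-la"
```

The account running this needs the same 'Owner' access on the vault subscription that the article requires for the portal flow, because it creates the assignment and the role assignments for the policy's identity. To target the whole subscription, set $scope to "/subscriptions/$subscriptionId" and omit -ResourceGroupName from Start-AzPolicyRemediation.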

Under what conditions will the remediation task apply to a vault?

The remediation task is applied to vaults that are non-compliant according to the definition of the policy. A vault is non-compliant if it satisfies either of the following conditions:

  • No diagnostics setting is present for the vault.
  • Diagnostics settings are present for the vault, but none of them has all of the Resource specific events enabled with LA as the destination and Resource specific selected in the toggle.

So even if a user has a vault with the AzureBackupReport event enabled in AzureDiagnostics mode (which is supported by Backup Reports), the remediation task will still apply to this vault, since the Resource specific mode is the recommended way of creating diagnostics settings going forward.

Further, if a user has a vault with only a subset of the six Resource specific events enabled, the remediation task will apply to this vault, since Backup Reports will work as expected only if all six Resource specific events are enabled.

Note

If a vault has an existing diagnostics setting with a subset of Resource specific categories enabled, configured to send data to a particular LA Workspace, say 'Workspace X', then the remediation task will fail (for that vault alone) if the destination LA Workspace provided in the Policy assignment is the same 'Workspace X'.

This is because, if the events enabled by two different diagnostics settings on the same resource overlap in some form, then the settings cannot have the same LA Workspace as the destination. You will have to resolve this failure manually, by navigating to the relevant vault and configuring a diagnostics setting with a different LA Workspace as the destination.

Note that the remediation task will not fail if the existing diagnostics setting has only AzureBackupReport enabled with Workspace X as the destination, since in this case there is no overlap between the events enabled by the existing setting and the events enabled by the setting created by the remediation task.
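To predict what the remediation task will do to each vault before the policy is assigned, the two non-compliance conditions and the overlap failure described in this section and in the note above can be evaluated over an inventory of existing diagnostics settings. The following is an added example, not code from the original article or from Azure Policy itself; it reproduces the rules as the article states them rather than the policy's actual rule evaluation. It assumes the six Resource specific category names as documented by Azure Backup (verify them against your vault's available categories) and models each setting as a hashtable whose fields mirror Get-AzDiagnosticSetting output (Name, WorkspaceId, LogAnalyticsDestinationType, enabled log Categories); the inventory is constructed sample data.

```powershell
# Added example, not from the original article. Evaluates the article's two
# non-compliance conditions and the remediation overlap rule over in-memory data.
# Assumptions: the six category names below are the Resource specific Azure Backup
# categories as documented by Azure (verify against your vault); the hashtable
# fields mirror Get-AzDiagnosticSetting output so real output can be mapped onto them.
$ResourceSpecificCategories = @(
    'CoreAzureBackup', 'AddonAzureBackupJobs', 'AddonAzureBackupAlerts',
    'AddonAzureBackupPolicy', 'AddonAzureBackupStorage', 'AddonAzureBackupProtectedInstance'
)

function Test-SettingMeetsPolicy([hashtable]$Setting) {
    # A setting satisfies the policy only if it targets an LA workspace, uses the
    # Resource specific mode ('Dedicated' destination type) and enables all six categories.
    if (-not $Setting.WorkspaceId) { return $false }
    if ($Setting.LogAnalyticsDestinationType -ne 'Dedicated') { return $false }
    $missing = @($ResourceSpecificCategories | Where-Object { $_ -notin $Setting.Categories })
    return ($missing.Count -eq 0)
}

function Test-VaultNonCompliant([hashtable[]]$Settings) {
    if (@($Settings).Count -eq 0) { return $true }                     # condition 1: no setting at all
    $satisfying = @($Settings | Where-Object { Test-SettingMeetsPolicy $_ })
    return ($satisfying.Count -eq 0)                                   # condition 2: none is complete
}

function Test-RemediationConflict([hashtable[]]$Settings, [string]$PolicyWorkspaceId) {
    # Remediation adds a setting with all six categories pointed at $PolicyWorkspaceId.
    # It fails when an existing setting to that same workspace already enables any of
    # those categories. AzureBackupReport (AzureDiagnostics mode) does not overlap.
    foreach ($s in @($Settings)) {
        if ($s.WorkspaceId -ne $PolicyWorkspaceId) { continue }
        $overlap = @($s.Categories | Where-Object { $_ -in $ResourceSpecificCategories })
        if ($overlap.Count -gt 0) { return $true }
    }
    return $false
}

function Get-RemediationForecast([hashtable]$Vaults, [string]$PolicyWorkspaceId) {
    foreach ($name in ($Vaults.Keys | Sort-Object)) {
        $settings     = $Vaults[$name]
        $nonCompliant = Test-VaultNonCompliant $settings
        if (-not $nonCompliant) {
            $outcome = 'compliant: left as is'
        } elseif (Test-RemediationConflict $settings $PolicyWorkspaceId) {
            $outcome = 'remediation FAILS: overlap with existing setting to same workspace'
        } else {
            $outcome = 'remediation creates the Resource specific setting'
        }
        [pscustomobject]@{ Vault = $name; NonCompliant = $nonCompliant; Outcome = $outcome }
    }
}

# Constructed sample inventory (not real vaults). Workspace X is also the policy destination.
$workspaceX = '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/workspace-x'
$workspaceY = '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/workspace-y'
$vaults = @{
    'vault-none'     = @()   # no diagnostics setting: remediated
    'vault-legacy'   = @(@{ Name = 'legacy';  WorkspaceId = $workspaceX; LogAnalyticsDestinationType = $null;       Categories = @('AzureBackupReport') })
    'vault-partial'  = @(@{ Name = 'partial'; WorkspaceId = $workspaceX; LogAnalyticsDestinationType = 'Dedicated'; Categories = @('CoreAzureBackup', 'AddonAzureBackupJobs') })
    'vault-complete' = @(@{ Name = 'full';    WorkspaceId = $workspaceY; LogAnalyticsDestinationType = 'Dedicated'; Categories = $ResourceSpecificCategories })
}

Get-RemediationForecast -Vaults $vaults -PolicyWorkspaceId $workspaceX | Format-Table -AutoSize
```

With this inventory, vault-none and vault-legacy are remediated (the legacy AzureBackupReport setting does not overlap), vault-partial is flagged as the case the note describes because its subset of Resource specific categories already points at Workspace X, and vault-complete is left alone. To run it against real vaults, build the same hashtables from Get-AzDiagnosticSetting -ResourceId <vault resource id>, taking Categories from the enabled entries of its log settings.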

Next Steps