Monitor Azure Firewall logs and metrics

You can monitor Azure Firewall using firewall logs. You can also use activity logs to audit operations on Azure Firewall resources. Using metrics, you can view performance counters in the portal.

You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analyzed in Azure Monitor logs or by different tools such as Excel and Power BI.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Before starting, you should read Azure Firewall logs and metrics for an overview of the diagnostic logs and metrics available for Azure Firewall.

Enable diagnostic logging through the Azure portal

It can take a few minutes for the data to appear in your logs after you complete this procedure to turn on diagnostic logging. If you don't see anything at first, check again in a few more minutes.

  1. In the Azure portal, open your firewall resource group and select the firewall.

  2. Under Monitoring, select Diagnostic settings.

    For Azure Firewall, three service-specific logs are available:

    • AzureFirewallApplicationRule

    • AzureFirewallNetworkRule

    • AzureFirewallDnsProxy

  3. Select Add diagnostic setting. The Diagnostics settings page provides the settings for the diagnostic logs.

  4. In this example, Azure Monitor logs stores the logs, so type Firewall log analytics for the name.

  5. Under Log, select AzureFirewallApplicationRule, AzureFirewallNetworkRule, and AzureFirewallDnsProxy to collect the logs.

  6. Select Send to Log Analytics to configure your workspace.

  7. Select your subscription.

  8. Select Save.

Enable diagnostic logging by using PowerShell

Activity logging is automatically enabled for every Resource Manager resource. Diagnostic logging must be enabled to start collecting the data available through those logs.

To enable diagnostic logging with PowerShell, use the following steps:

  1. Note your Log Analytics workspace resource ID, where the log data is stored. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/microsoft.operationalinsights/workspaces/<workspace name>.

    You can use any workspace in your subscription. You can use the Azure portal to find this information. The information is located in the resource Properties page.

  2. Note the resource ID of the firewall for which logging is enabled. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>.

    You can use the portal to find this information.

  3. Enable diagnostic logging for all logs and metrics by using the following PowerShell cmdlet:

    # Splat the parameters into Set-AzDiagnosticSetting. With Enabled = $true and no
    # -Category or -MetricCategory filter, every log category and all metrics are
    # enabled and routed to the workspace given by WorkspaceId.
    $diagSettings = @{
      Name        = 'toLogAnalytics'
      # The firewall resource being monitored
      ResourceId  = '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>'
      # The Log Analytics workspace that receives the data
      WorkspaceId = '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/microsoft.operationalinsights/workspaces/<workspace name>'
      Enabled     = $true
    }
    Set-AzDiagnosticSetting @diagSettings

Enable diagnostic logging by using the Azure CLI

Activity logging is automatically enabled for every Resource Manager resource. Diagnostic logging must be enabled to start collecting the data available through those logs.

To enable diagnostic logging with Azure CLI, use the following steps:

  1. Note your Log Analytics workspace resource ID, where the log data is stored. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/microsoft.operationalinsights/workspaces/<workspace name>.

    You can use any workspace in your subscription. You can use the Azure portal to find this information. The information is located in the resource Properties page.

  2. Note the resource ID of the firewall for which logging is enabled. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>.

    You can use the portal to find this information.

  3. Enable diagnostic logging for all logs and metrics by using the following Azure CLI command:

    # Bash form: trailing backslashes continue the command across lines, and the JSON
    # arguments are passed in single quotes so the inner double quotes need no escaping.
    az monitor diagnostic-settings create -n 'toLogAnalytics' \
      --resource '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>' \
      --workspace '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/microsoft.operationalinsights/workspaces/<workspace name>' \
      --logs '[{"category":"AzureFirewallApplicationRule","enabled":true},{"category":"AzureFirewallNetworkRule","enabled":true},{"category":"AzureFirewallDnsProxy","enabled":true}]' \
      --metrics '[{"category":"AllMetrics","enabled":true}]'

View and analyze the activity log

You can view and analyze activity log data by using any of the following methods:

View and analyze the network and application rule logs

Azure Monitor logs collects the counter and event log files. It includes visualizations and powerful search capabilities to analyze your logs.

For Azure Firewall log analytics sample queries, see Azure Firewall log analytics samples.

Azure Firewall Workbook provides a flexible canvas for Azure Firewall data analysis. You can use it to create rich visual reports within the Azure portal. You can tap into multiple firewalls deployed across Azure and combine them into unified interactive experiences.

You can also connect to your storage account and retrieve the JSON log entries for access and performance logs. After you download the JSON files, you can convert them to CSV and view them in Excel, Power BI, or any other data-visualization tool.

Tip

If you are familiar with Visual Studio and the basic concepts of changing values for constants and variables in C#, you can use the log converter tools available from GitHub.
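As an added example (not the GitHub converter tools or any code from this page), the following Python script flattens downloaded Azure Firewall diagnostic JSON into CSV and pulls out the denied flows. It assumes the storage-account file shape of a top-level "records" array with category, time and properties.msg, and the sample records and their msg wording are constructed here for illustration.

```python
import csv
import io
import json
import re

# Constructed sample in the shape of a downloaded diagnostic log file:
# a "records" array whose entries carry time, category and properties.msg.
# The msg wording is an assumption modelled on rule-log lines, not page content.
SAMPLE_JSON = json.dumps({"records": [
    {"time": "2020-05-04T10:01:02Z", "category": "AzureFirewallNetworkRule",
     "properties": {"msg": "TCP request from 10.0.1.4:50210 to 10.0.2.10:3389. Action: Deny"}},
    {"time": "2020-05-04T10:01:05Z", "category": "AzureFirewallApplicationRule",
     "properties": {"msg": "HTTPS request from 10.0.1.4:50331 to www.example.com:443. "
                           "Action: Allow. Rule Collection: allow-web. Rule: corp-sites"}},
    {"time": "2020-05-04T10:01:09Z", "category": "AzureFirewallNetworkRule",
     "properties": {"msg": "UDP request from 10.0.1.7:41000 to 8.8.8.8:53. Action: Allow"}},
]})

# Network-rule lines stop after "Action: X"; application-rule lines add the
# rule collection and rule that matched, so that tail is optional.
MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>\S+) to (?P<dst>\S+)\. "
    r"Action: (?P<action>\w+)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+))?")

FIELDS = ["time", "category", "proto", "src", "dst", "action", "collection", "rule"]

def parse_records(raw: str) -> list:
    """Flatten one diagnostic JSON blob into one dict per record."""
    rows = []
    for rec in json.loads(raw)["records"]:
        msg = rec.get("properties", {}).get("msg", "")
        m = MSG_RE.match(msg)
        row = {"time": rec["time"], "category": rec["category"]}
        # Unparseable messages are kept with empty rule fields rather than
        # dropped, so a wording change never silently loses records.
        row.update(m.groupdict() if m else {})
        rows.append({k: row.get(k) or "" for k in FIELDS})
    return rows

def to_csv(rows: list) -> str:
    """Render parsed rows as CSV for Excel or Power BI."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def denied(rows: list) -> list:
    """Flows the firewall rejected, the first thing to review after a change."""
    return [r for r in rows if r["action"] == "Deny"]

if __name__ == "__main__":
    parsed = parse_records(SAMPLE_JSON)
    print(to_csv(parsed))
    print(f"{len(denied(parsed))} denied flow(s)")
```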

View metrics

Browse to an Azure Firewall, and under Monitoring select Metrics. To view the available values, select the METRIC drop-down list.

Next steps

Now that you've configured your firewall to collect logs, you can explore Azure Monitor logs to view your data.

Monitor logs using Azure Firewall Workbook