Tutorial: Monitor Azure Firewall logs and metrics

You can monitor Azure Firewall using firewall logs. You can also use activity logs to audit operations on Azure Firewall resources. Using metrics, you can view performance counters in the portal.

You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analyzed in Azure Monitor logs or by different tools such as Excel and Power BI.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

In this tutorial, you learn how to:

  • Enable logging through the Azure portal
  • Enable logging with PowerShell
  • View and analyze the activity log
  • View and analyze the network and application rule logs
  • View metrics

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Before starting this tutorial, you should read Azure Firewall logs and metrics for an overview of the diagnostic logs and metrics available for Azure Firewall.

Enable diagnostic logging through the Azure portal

It can take a few minutes for the data to appear in your logs after you complete this procedure to turn on diagnostic logging. If you don't see anything at first, check again in a few more minutes.

  1. In the Azure portal, open your firewall resource group and click the firewall.

  2. Under Monitoring, click Diagnostic settings.

    For Azure Firewall, two service-specific logs are available:

    • AzureFirewallApplicationRule
    • AzureFirewallNetworkRule

  3. To start collecting data, click Turn on diagnostics.

  4. The Diagnostics settings page provides the settings for the diagnostic logs.

  5. In this example, Azure Monitor logs stores the logs, so type Firewall log analytics for the name.

  6. Click Send to Log Analytics to configure your workspace. You can also use event hubs and a storage account to save the diagnostic logs.

  7. Under Log Analytics, click Configure.

  8. In the Log Analytics workspaces page, click Create New Workspace.

  9. On the Log Analytics workspace page, type firewall-oms for the new Log Analytics workspace name.

  10. Select your subscription, use the existing firewall resource group (Test-FW-RG), select China East for the location, and select the Free pricing tier.

  11. Click OK.

    ![Starting the configuration process][1] OMS workspaces are now referred to as Log Analytics workspaces.

  12. Under Log, click AzureFirewallApplicationRule and AzureFirewallNetworkRule to collect logs for application and network rules.

    ![Save diagnostics settings][2]

  13. Click Save.

Enable logging with PowerShell

Activity logging is automatically enabled for every Resource Manager resource. Diagnostic logging must be enabled to start collecting the data available through those logs.

To enable diagnostic logging, use the following steps:

  1. Note your storage account's resource ID, where the log data is stored. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>.

    You can use any storage account in your subscription. You can use the Azure portal to find this information. The information is located in the resource Property page.

  2. Note your Firewall's resource ID for which logging is enabled. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>.

    You can use the portal to find this information.

  3. Enable diagnostic logging by using the following PowerShell cmdlet:

    Set-AzDiagnosticSetting -ResourceId /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name> `
    -StorageAccountId /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name> `
    -Enabled $true

Tip

Diagnostic logs do not require a separate storage account. The use of storage for access and performance logging incurs service charges.

View and analyze the activity log

You can view and analyze activity log data by using any of the following methods:

View and analyze the network and application rule logs

Azure Monitor logs collects the counter and event log files. It includes visualizations and powerful search capabilities to analyze your logs.

For Azure Firewall log analytics sample queries, see Azure Firewall log analytics samples.

You can also connect to your storage account and retrieve the JSON log entries for access and performance logs. After you download the JSON files, you can convert them to CSV and view them in Excel, Power BI, or any other data-visualization tool.
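The JSON-to-CSV conversion described above, as an added example that is not part of the original article or the GitHub converter tools it mentions. The four log entries are constructed samples in the one-object-per-line shape the storage account holds, and the `msg` wording is assumed to follow Azure Firewall's documented "<protocol> request from <src>:<port> to <dst>:<port>. Action: Allow|Deny" format; the script flattens each entry into CSV columns and tallies denied flows per destination, which is the first thing a defender wants from these logs.

```python
import csv
import io
import json
import re
from collections import Counter

# Constructed sample entries (not real telemetry); the "msg" text is assumed to follow
# the documented AzureFirewallApplicationRule / AzureFirewallNetworkRule message format.
SAMPLE_JSON_LINES = """\
{"time": "2019-05-01T10:00:01Z", "category": "AzureFirewallApplicationRule", "properties": {"msg": "HTTPS request from 10.1.0.5:55712 to example.com:443. Action: Allow. Rule Collection: AppRc1. Rule: AllowWeb"}}
{"time": "2019-05-01T10:00:02Z", "category": "AzureFirewallApplicationRule", "properties": {"msg": "HTTP request from 10.1.0.7:40110 to bad.example.net:80. Action: Deny. No rule matched. Proceeding with default action"}}
{"time": "2019-05-01T10:00:03Z", "category": "AzureFirewallNetworkRule", "properties": {"msg": "TCP request from 10.1.0.5:55711 to 10.2.0.5:3389. Action: Deny"}}
{"time": "2019-05-01T10:00:04Z", "category": "AzureFirewallNetworkRule", "properties": {"msg": "UDP request from 10.1.0.9:5353 to 10.2.0.5:53. Action: Allow. Rule Collection: NetRc1. Rule: AllowDns"}}
"""

MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:\s]+):(?P<sport>\d+) to (?P<dst>[^:\s]+):(?P<dport>\d+)\. "
    r"Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+))?"   # absent on default-action denies
)
FIELDS = ["time", "category", "proto", "src", "sport", "dst", "dport", "action", "collection", "rule"]

def parse_entries(json_lines):
    """Turn raw diagnostic entries into flat rows; unrecognised messages keep their raw text in 'rule'."""
    rows = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        msg = rec["properties"]["msg"]
        row = {"time": rec["time"], "category": rec["category"]}
        m = MSG_RE.match(msg)
        if m:
            row.update(m.groupdict())      # optional groups that did not match come back as None
        else:
            row["rule"] = msg              # never silently drop a line the pattern does not know
        rows.append(row)
    return rows

def to_csv(rows):
    """CSV text ready for Excel / Power BI, one column per FIELDS entry."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, restval="", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def deny_counts(rows):
    """Denied flows per (category, destination): a quick triage view of what the firewall blocked."""
    return Counter((r["category"], r["dst"]) for r in rows if r.get("action") == "Deny")
```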

Tip

If you are familiar with Visual Studio and basic concepts of changing values for constants and variables in C#, you can use the log converter tools available from GitHub.

View metrics

Browse to an Azure Firewall, and under Monitoring click Metrics. To view the available values, select the METRIC drop-down list.