Data collection in Azure Security Center

Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) computers to monitor for security vulnerabilities and threats. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged-in user. The Log Analytics agent also copies crash dump files to your workspace.

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection.

This article describes how to install the Log Analytics agent and set a Log Analytics workspace in which to store the collected data. Both operations are required to enable data collection.

Note

  • Data collection is only needed for Compute resources (VMs, virtual machine scale sets, IaaS containers, and non-Azure computers). You can benefit from Azure Security Center even if you don't provision agents; however, you will have limited security and the capabilities listed above are not supported.
  • For the list of supported platforms, see Supported platforms in Azure Security Center.
  • Storing data in Log Analytics, whether you use a new or existing workspace, might incur additional charges for data storage. For more information, see the pricing page.

Enable automatic provisioning of the Log Analytics agent

To collect data from the machines, the Log Analytics agent must be installed. Installation of the agent can be done automatically (recommended) or you can install the agent manually. By default, automatic provisioning is off.

When automatic provisioning is on, Security Center deploys the Log Analytics agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is recommended, but you can install the agent manually if necessary (see Manual installation of the Log Analytics agent).

To enable automatic provisioning of the Log Analytics agent:

  1. From Security Center's menu in the portal, select Pricing & settings.

  2. Select the relevant subscription.

    [Screenshot: Select subscription]

  3. Select Data Collection.

  4. Under Auto Provisioning, select On to enable automatic provisioning.

  5. Select Save. The agent will be deployed on all VMs within 15 minutes.

Tip

If a workspace needs to be provisioned, agent installation might take up to 25 minutes.

[Screenshot: Enable automatic provisioning]

Workspace configuration

Data collected by Security Center is stored in Log Analytics workspace(s). Your data can be collected from Azure VMs and stored in workspaces created by Security Center or in an existing workspace you created.

Workspace configuration is set per subscription, and many subscriptions may use the same workspace.

Using a workspace created by Security Center

Security Center can automatically create a default workspace in which to store the data.

To select a workspace created by Security Center:

  1. Under Default workspace configuration, select Use workspace(s) created by Security Center.

    [Screenshot: Select pricing tier]

  2. Click Save.
    Security Center creates a new resource group and default workspace in that geolocation, and connects the agent to that workspace. The naming convention for the workspace and resource group is:
    Workspace: DefaultWorkspace-[subscription-ID]-[geo]
    Resource Group: DefaultResourceGroup-[geo]

    If a subscription contains VMs from multiple geolocations, then Security Center creates multiple workspaces. Multiple workspaces are created to maintain data privacy rules.

  3. Security Center will automatically enable a Security Center solution on the workspace per the pricing tier set for the subscription.

Note

The Log Analytics pricing tier of workspaces created by Security Center does not affect Security Center billing. Security Center billing is always based on your Security Center security policy and the solutions installed on a workspace. For the Free tier, Security Center enables the SecurityCenterFree solution on the default workspace. For the Standard tier, Security Center enables the Security solution on the default workspace. Storing data in Log Analytics might incur additional charges for data storage. For more information, see the pricing page.

For more information about existing Log Analytics accounts, see Existing Log Analytics customers.

Using an existing workspace

If you already have a Log Analytics workspace, you might want to use the same workspace.

To use your existing Log Analytics workspace, you must have read and write permissions on the workspace.

Note

Solutions enabled on the existing workspace will be applied to Azure VMs that are connected to it. For paid solutions, this could result in additional charges. For data privacy considerations, make sure your selected workspace is in the right geographic region. Storing data in Log Analytics might incur additional charges for data storage. For more information, see the pricing page.

To select an existing Log Analytics workspace:

  1. Under Default workspace configuration, select Use another workspace.

    [Screenshot: Select existing workspace]

  2. From the pull-down menu, select a workspace to store collected data.

    Note

    In the pull-down menu, all the workspaces across all of your subscriptions are available. See Cross-subscription workspace selection for more information. You must have permission to access the workspace.

  3. Select Save.

  4. After selecting Save, you will be asked if you would like to reconfigure monitored VMs that were previously connected to a default workspace.

    • Select No if you want the new workspace settings to apply to new VMs only. The new workspace settings only apply to new agent installations: newly discovered VMs that do not have the Log Analytics agent installed.
    • Select Yes if you want the new workspace settings to apply to all VMs. In addition, every VM connected to a Security Center created workspace is reconnected to the new target workspace.

    Note

    If you select Yes, you must not delete the workspace(s) created by Security Center until all VMs have been reconnected to the new target workspace. This operation fails if a workspace is deleted too early.

    • Select Cancel to cancel the operation.

      [Screenshot: Select existing workspace]

  5. Select the pricing tier for the workspace in which you intend to set the Log Analytics agent.
    To use an existing workspace, set the pricing tier for the workspace. This will install a Security Center solution on the workspace if one is not already present.

    a. In the Security Center main menu, select Pricing & settings.

    b. Select the desired workspace in which you intend to connect the agent.

      [Screenshot: Select workspace]

    c. Set the pricing tier.

      [Screenshot: Select pricing tier]

    Note

    If the workspace already has a Security or SecurityCenterFree solution enabled, the pricing tier will be set automatically.

Cross-subscription workspace selection

When you select a workspace in which to store your data, all the workspaces across all your subscriptions are available. Cross-subscription workspace selection allows you to collect data from virtual machines running in different subscriptions and store it in the workspace of your choice. This selection is useful if you are using a centralized workspace in your organization and want to use it for security data collection. For more information on how to manage workspaces, see Manage workspace access.

Data collection tier

Selecting a data collection tier in Azure Security Center will only affect the storage of security events in your Log Analytics workspace. The Log Analytics agent will still collect and analyze the security events required for Azure Security Center's threat protection, regardless of which tier of security events you choose to store in your Log Analytics workspace (if any). Choosing to store security events in your workspace will enable investigation, search, and auditing of those events in your workspace.

Note

Storing data in Log Analytics might incur additional charges for data storage. For more information, see the pricing page.

You can choose the right filtering policy for your subscriptions and workspaces from four sets of events to be stored in your workspace:

  • None – Disable security event storage. This is the default setting.
  • Minimal – A smaller set of events for customers who want to minimize the event volume.
  • Common – A set of events that satisfies most customers and allows them a full audit trail.
  • All events – For customers who want to make sure all events are stored.

Note

These security event sets are available only on Security Center's Standard tier. See Pricing to learn more about Security Center's pricing tiers. These sets were designed to address typical scenarios. Make sure to evaluate which one fits your needs before implementing it.

To determine the events that belong to the Common and Minimal event sets, we worked with customers and industry standards to learn about the unfiltered frequency of each event and its usage. We used the following guidelines in this process:

  • Minimal - Make sure that this set covers only events that might indicate a successful breach and important events that have a very low volume. For example, this set contains successful and failed user logins (event IDs 4624, 4625), but it doesn't contain sign-out, which is important for auditing but not meaningful for detection and has relatively high volume. Most of the data volume of this set is the login events and the process creation event (event ID 4688).
  • Common - Provide a full user audit trail in this set. For example, this set contains both user logins and user sign-outs (event ID 4634). We include auditing actions like security group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.

Events that have very low volume were included in the Common set, because the main motivation to choose it over all events is to reduce the volume, not to filter out specific events.

Here is a complete breakdown of the Security and AppLocker event IDs for each set:

Data tier | Collected event indicators
Minimal | 1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4799, 4825, 4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222
Common | 1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1102, 1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647, 4648, 4649, 4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672, 4673, 4674, 4675, 4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732, 4735, 4737, 4738, 4739, 4740, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4754, 4755, 4756, 4757, 4760, 4761, 4762, 4764, 4767, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4825, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931, 4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004

Note

  • If you are using Group Policy Objects (GPO), it is recommended that you enable the audit policies for Process Creation Event 4688 and the CommandLine field inside event 4688. For more information about Process Creation Event 4688, see Security Center's FAQ. For more information about these audit policies, see Audit Policy Recommendations.
  • To enable data collection for Adaptive Application Controls, Security Center configures a local AppLocker policy in Audit mode to allow all applications. This causes AppLocker to generate events, which are then collected and used by Security Center. Note that this policy will not be configured on any machine that already has a configured AppLocker policy.
  • To collect Windows Filtering Platform Event ID 5156, you need to enable Audit Filtering Platform Connection (Auditpol /set /subcategory:"Filtering Platform Connection" /Success:Enable).

To choose your filtering policy:

  1. On the Data Collection page, select your filtering policy under Security Events.

  2. Select Save.

    [Screenshot: Select filtering policy]

Automatic provisioning in cases of a pre-existing agent installation

The following use cases specify how automatic provisioning works when there is already an agent or extension installed.

  • Log Analytics agent is installed on the machine, but not as an extension (Direct agent)
    If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Security Center will install the Log Analytics agent extension, and may upgrade the Log Analytics agent to the latest version. The installed agent will continue to report to its already configured workspace(s), and additionally will report to the workspace configured in Security Center (multi-homing is supported on Windows machines). If the configured workspace is a user workspace (not Security Center's default workspace), then you will need to install the "security" or "securityFree" solution on it for Security Center to start processing events from VMs and computers reporting to that workspace.

    For Linux machines, agent multi-homing is not yet supported; hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.
    For existing machines on subscriptions onboarded to Security Center before 2019-03-17, when an existing agent is detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues.

  • System Center Operations Manager agent is installed on the machine
    Security Center will install the Log Analytics agent extension alongside the existing Operations Manager agent. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. If Operations Manager agent version 2012 is installed, do not enable automatic provisioning.

  • A pre-existing VM extension is present

    • When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Security Center does not override existing connections to user workspaces. Security Center will store security data from the VM in the workspace already connected, provided that the "security" or "securityFree" solution has been installed on it. Security Center may upgrade the extension version to the latest version in this process.
    • To see which workspace the existing extension is sending data to, run the test to Validate connectivity with Azure Security Center. Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
    • If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of operating systems supported by Azure Security Center to make sure your operating system is supported. For more information, see Existing Log Analytics customers.

Turn off automatic provisioning

You can turn off automatic provisioning from resources at any time by turning off this setting in the security policy.

  1. Return to the Security Center main menu and select Security policy.

  2. Click Edit settings in the row of the subscription for which you want to disable automatic provisioning.

  3. On the Security policy – Data Collection page, under Auto provisioning, select Off.

  4. Select Save.

    [Screenshot: Disable automatic provisioning]

When auto provisioning is disabled (turned off), the default workspace configuration section is not displayed.

If you switch off auto provisioning after it was previously on, agents will not be provisioned on new VMs.

Note

Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see How do I remove OMS extensions installed by Security Center.

Manual agent provisioning

There are several ways to install the Log Analytics agent manually. When installing manually, make sure you disable auto provisioning.

Operations Management Suite VM extension deployment

You can manually install the Log Analytics agent, so Security Center can collect security data from your VMs and provide recommendations and alerts.

  1. Select Auto provision – OFF.

  2. Create a workspace and set the pricing tier for the workspace in which you intend to set the Log Analytics agent:

    a. In the Security Center main menu, select Security policy.

    b. Select the workspace in which you intend to connect the agent. Make sure the workspace is in the same subscription you use in Security Center and that you have read/write permissions on the workspace.

      [Screenshot: Select workspace]

  3. Set the pricing tier.

    [Screenshot: Select pricing tier]

    Note

    If the workspace already has a Security or SecurityCenterFree solution enabled, the pricing tier will be set automatically.

  4. If you want to deploy the agents on new VMs using a Resource Manager template, install the OMS virtual machine extension:

    a. Install the OMS virtual machine extension for Windows

    b. Install the OMS virtual machine extension for Linux

  5. To deploy the extensions on existing VMs, follow the instructions in Collect data about Azure Virtual Machines.

    Note

    The section Collect event and performance data is optional.

  6. To use PowerShell to deploy the extension, use the following PowerShell example:

    Note

    This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

    1. Go to Log Analytics and click on Advanced settings.

      [Screenshot: Set up Log Analytics]

    2. Copy the values out of WorkspaceID and Primary key.

      [Screenshot: Copy values]

    3. Populate the public config and the private config with these values:

       # $vm is the target VM object, for example: $vm = Get-AzVM -ResourceGroupName "<resource group>" -Name "<VM name>"

       # Public configuration: the workspace ID is not a secret
       $PublicConf = @{
           "workspaceId" = "<WorkspaceID value>"
       }

       # Protected configuration: the workspace key is a credential and is passed only as a protected setting
       $PrivateConf = @{
           "workspaceKey" = "<Primary key value>"
       }

      • When installing on a Windows VM:

        Set-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name "MicrosoftMonitoringAgent" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -ExtensionType "MicrosoftMonitoringAgent" -TypeHandlerVersion '1.0' -Location $vm.Location -Settings $PublicConf -ProtectedSettings $PrivateConf -ForceRerun True

      • When installing on a Linux VM:

        Set-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name "OmsAgentForLinux" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -ExtensionType "OmsAgentForLinux" -TypeHandlerVersion '1.0' -Location $vm.Location -Settings $PublicConf -ProtectedSettings $PrivateConf -ForceRerun True

Note

For instructions on how to onboard Security Center using PowerShell, see Automate onboarding of Azure Security Center using PowerShell.

Troubleshooting

  • To identify automatic provisioning installation issues, see Monitoring agent health issues.

  • To identify monitoring agent network requirements, see Troubleshooting monitoring agent network requirements.

  • To identify manual onboarding issues, see How to troubleshoot Operations Management Suite onboarding issues.

  • To identify unmonitored VMs and computers issues:

    A VM or computer is unmonitored by Security Center if the machine is not running the Log Analytics agent extension. A machine may have a local agent already installed, for example the OMS direct agent or the System Center Operations Manager agent. Machines with these agents are identified as unmonitored because these agents are not fully supported in Security Center. To fully benefit from all of Security Center's capabilities, the Log Analytics agent extension is required.

    For more information about the reasons Security Center is unable to successfully monitor VMs and computers initialized for automatic provisioning, see Monitoring agent health issues.
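As an added example that is not part of the original article, the script below uses the same Az cmdlets as the PowerShell deployment step to inventory every VM in the current subscription: whether it carries the Log Analytics agent extension and which workspace ID its public settings point to, so unmonitored VMs and extensions homed on another workspace (the pre-existing extension and troubleshooting cases above) can be found without opening each VM in the portal. It assumes the Az module is installed and Connect-AzAccount has been run; the function names are this example's own and <WorkspaceID value> / <Primary key value> are placeholders as on the page.

```powershell
# Added example, not from the Azure documentation. Assumes the Az module is
# installed and you are signed in (Connect-AzAccount). Function names are
# hypothetical; <WorkspaceID value> / <Primary key value> are placeholders.

function Get-AgentExtensionStatus {
    # Reports whether a VM has the Log Analytics agent extension and which
    # workspace its public settings point to.
    param([Parameter(Mandatory)] $Vm)

    $osType = [string]$Vm.StorageProfile.OsDisk.OsType
    # The extension type differs by OS, matching the two Set-AzVMExtension calls on this page.
    $expectedType = if ($osType -eq 'Windows') { 'MicrosoftMonitoringAgent' } else { 'OmsAgentForLinux' }

    $ext = Get-AzVMExtension -ResourceGroupName $Vm.ResourceGroupName -VMName $Vm.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -eq 'Microsoft.EnterpriseCloud.Monitoring' -and $_.ExtensionType -eq $expectedType } |
        Select-Object -First 1

    $workspaceId = $null
    if ($ext -and $ext.PublicSettings) {
        # PublicSettings holds the JSON the extension was deployed with. The workspace key
        # lives in the protected settings and is never returned; only the workspace ID is visible.
        $workspaceId = (ConvertFrom-Json -InputObject $ext.PublicSettings).workspaceId
    }

    [pscustomobject]@{
        VMName            = $Vm.Name
        ResourceGroupName = $Vm.ResourceGroupName
        OsType            = $osType
        Installed         = [bool]$ext
        ProvisioningState = if ($ext) { $ext.ProvisioningState } else { 'NotInstalled' }
        WorkspaceId       = $workspaceId
    }
}

function Install-AgentExtension {
    # Deploys the OS-appropriate extension with the same settings split as the page:
    # workspace ID in Settings, workspace key only in ProtectedSettings.
    param(
        [Parameter(Mandatory)] $Vm,
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [string] $WorkspaceKey
    )
    $isWindows = ([string]$Vm.StorageProfile.OsDisk.OsType) -eq 'Windows'
    $extType   = if ($isWindows) { 'MicrosoftMonitoringAgent' } else { 'OmsAgentForLinux' }

    Set-AzVMExtension -ResourceGroupName $Vm.ResourceGroupName -VMName $Vm.Name `
        -Name $extType -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
        -ExtensionType $extType -TypeHandlerVersion '1.0' -Location $Vm.Location `
        -Settings @{ workspaceId = $WorkspaceId } `
        -ProtectedSettings @{ workspaceKey = $WorkspaceKey } -ForceRerun 'True'
}

# Inventory every VM in the current subscription.
$expectedWorkspaceId = '<WorkspaceID value>'
$report = Get-AzVM | ForEach-Object { Get-AgentExtensionStatus -Vm $_ }
$report | Format-Table VMName, OsType, Installed, ProvisioningState, WorkspaceId -AutoSize

# VMs Security Center would list as unmonitored, or whose extension is homed on another workspace.
$needsAttention = $report | Where-Object { -not $_.Installed -or $_.WorkspaceId -ne $expectedWorkspaceId }
$needsAttention | Format-Table VMName, ResourceGroupName, Installed, WorkspaceId -AutoSize

# Optional remediation for VMs with no extension at all. Existing connections to other
# workspaces are left untouched, as Security Center itself does. Uncomment to run.
# $key = '<Primary key value>'
# $report | Where-Object { -not $_.Installed } | ForEach-Object {
#     $vm = Get-AzVM -ResourceGroupName $_.ResourceGroupName -Name $_.VMName
#     Install-AgentExtension -Vm $vm -WorkspaceId $expectedWorkspaceId -WorkspaceKey $key
# }
```

A VM that shows Installed but a different WorkspaceId is the single-workspace extension case described above; a VM that shows NotInstalled is what the Troubleshooting section calls unmonitored.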

Next steps

This article showed you how data collection and automatic provisioning in Security Center work. To learn more about Security Center, see the following pages: