Configure auto provisioning for agents and extensions from Azure Security Center

Azure Security Center collects data from your resources using the relevant agent or extensions for that resource and the type of data collection you've enabled. Use the procedures below to ensure your resources have the necessary agents and extensions used by Security Center.

Prerequisites

To get started with Security Center, you must have a subscription to Azure. If you don't have a subscription, you can sign up for a Trial.

Availability

Aspect                  Details
Release state:          Feature: Auto provisioning is generally available (GA)
                        Agent and extensions: Log Analytics agent for Azure VMs is GA, Microsoft Dependency agent is in preview, Policy Add-on for Kubernetes is GA
Pricing:                Free
Supported destinations: Yes - Azure machines
                        No - Kubernetes nodes
                        No - Virtual Machine Scale Sets
Clouds:                 Yes - China cloud

How does Security Center collect data?

Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats.

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, virtual machine scale sets, IaaS containers, and non-Azure computers.

You can benefit from Azure Security Center even if you don't provision agents. However, you'll have limited security and the capabilities listed above aren't supported.

Data is collected using:

  • The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user.
  • Security extensions, which can also provide data to Security Center regarding specialized resource types.

Tip

As Security Center has grown, the types of resources that can be monitored have also grown. The number of extensions has also grown. Auto provisioning has expanded to support additional resource types by leveraging the capabilities of Azure Policy.

Why use auto provisioning?

Any of the agents and extensions described on this page can be installed manually (see Manual installation of the Log Analytics agent). However, auto provisioning reduces management overhead by installing all required agents and extensions on existing - and new - machines to ensure faster security coverage for all supported resources.

We recommend enabling auto provisioning, but it's disabled by default.

How does auto provisioning work?

Security Center's auto provisioning settings have a toggle for each type of supported extension. When you enable auto provisioning of an extension, you assign the appropriate Deploy if not exists policy. This policy type ensures the extension is provisioned on all existing and future resources of that type.

Tip

Learn more about Azure Policy effects, including deploy if not exists, in Understand Azure Policy effects.

Enable auto provisioning of the Log Analytics agent and extensions

When automatic provisioning is on for the Log Analytics agent, Security Center deploys the agent on all supported Azure VMs and any new ones created. For the list of supported platforms, see Supported platforms in Azure Security Center.

To enable auto provisioning of the Log Analytics agent:

  1. From Security Center's menu, select Pricing & settings.

  2. Select the relevant subscription.

  3. In the Auto provisioning page, set the Log Analytics agent's status to On.

    (Screenshot: Enable auto provisioning of the Log Analytics agent)

  4. From the configuration options pane, define the workspace to use.

    (Screenshot: Configuration options for auto provisioning the Log Analytics agent to VMs)

    • Connect Azure VMs to the default workspace(s) created by Security Center - Security Center creates a new resource group and default workspace in the same geolocation, and connects the agent to that workspace. If a subscription contains VMs from multiple geolocations, Security Center creates multiple workspaces to ensure compliance with data privacy requirements.

      The naming convention for the workspace and resource group is:

      • Workspace: DefaultWorkspace-[subscription-ID]-[geo]
      • Resource Group: DefaultResourceGroup-[geo]

      Security Center automatically enables a Security Center solution on the workspace per the pricing tier set for the subscription.

    • Connect Azure VMs to a different workspace - From the dropdown list, select the workspace to store collected data. The dropdown list includes all workspaces across all of your subscriptions. You can use this option to collect data from virtual machines running in different subscriptions and store it all in your selected workspace.

      If you already have an existing Log Analytics workspace, you might want to use the same workspace (requires read and write permissions on the workspace). This option is useful if you're using a centralized workspace in your organization and want to use it for security data collection. Learn more in Manage access to log data and workspaces in Azure Monitor.

      If your selected workspace already has a "Security" or "SecurityCenterFree" solution enabled, the pricing will be set automatically. If not, install a Security Center solution on the workspace:

      1. From Security Center's menu, open Pricing & settings.
      2. Select the workspace to which you'll be connecting the agents.
      3. Select Azure Defender on or Azure Defender off.
  5. From the Windows security events configuration, select the amount of raw event data to store:

    • None - Disable security event storage. This is the default setting.
    • Minimal - A small set of events for when you want to minimize the event volume.
    • Common - A set of events that satisfies most customers and provides a full audit trail.
    • All events - For customers who want to make sure all events are stored.

    Tip

    To set these options at the workspace level, see Setting the security event option at the workspace level.

    For more information on these options, see Windows security event options for the Log Analytics agent.

  6. Select Apply in the configuration pane.

  7. To enable automatic provisioning of an extension other than the Log Analytics agent:

    1. If you're enabling auto provisioning for the Microsoft Dependency agent, ensure the Log Analytics agent is set to auto deploy.

    2. Toggle the status to On for the relevant extension.

      (Screenshot: Toggle to enable auto provisioning of the Kubernetes Policy Add-on)

    3. Select Save. The Azure policy is assigned and a remediation task is created.

      Extension                                              Policy
      Policy Add-on for Kubernetes                           Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
      Microsoft Dependency agent (preview) (Windows VMs)     Deploy Dependency agent for Windows virtual machines
      Microsoft Dependency agent (preview) (Linux VMs)       Deploy Dependency agent for Linux virtual machines
  8. Select Save. If a workspace needs to be provisioned, agent installation might take up to 25 minutes.

  9. You'll be asked if you want to reconfigure monitored VMs that were previously connected to a default workspace:

    (Screenshot: Review the options for reconfiguring monitored VMs)

    • No - your new workspace settings will only be applied to newly discovered VMs that don't have the Log Analytics agent installed.
    • Yes - your new workspace settings will apply to all VMs, and every VM currently connected to a Security Center created workspace will be reconnected to the new target workspace.

    Note

    If you select Yes, don't delete the workspace(s) created by Security Center until all VMs have been reconnected to the new target workspace. This operation fails if a workspace is deleted too early.

Windows security event options for the Log Analytics agent

Selecting a data collection tier in Azure Security Center only affects the storage of security events in your Log Analytics workspace. The Log Analytics agent will still collect and analyze the security events required for Security Center's threat protection, regardless of the level of security events you choose to store in your workspace. Choosing to store security events enables investigation, search, and auditing of those events in your workspace.

Requirements

Azure Defender is required for storing Windows security event data. Learn more about Azure Defender.

Storing data in Log Analytics might incur additional charges for data storage. For more information, see the pricing page.

What event types are stored for "Common" and "Minimal"?

These sets were designed to address typical scenarios. Make sure to evaluate which one fits your needs before implementing it.

To determine the events for the Common and Minimal options, we worked with customers and industry standards to learn about the unfiltered frequency of each event and their usage. We used the following guidelines in this process:

  • Minimal - Make sure that this set covers only events that might indicate a successful breach and important events that have a very low volume. For example, this set contains user successful and failed login (event IDs 4624, 4625), but it doesn't contain sign out, which is important for auditing but not meaningful for detection and has relatively high volume. Most of the data volume of this set is the login events and process creation event (event ID 4688).
  • Common - Provide a full user audit trail in this set. For example, this set contains both user logins and user sign outs (event ID 4634). We include auditing actions like security group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.

Events that have very low volume were included in the Common set, because the main motivation to choose it over all events is to reduce the volume, not to filter out specific events.

Here is a complete breakdown of the Security and AppLocker event IDs for each set:

Data tier   Collected event indicators
Minimal     1102,4624,4625,4657,4663,4688,4700,4702,4719,4720,4722,4723,4724,4727,4728,4732,4735,4737,4739,4740,4754,4755,
            4756,4767,4799,4825,4946,4948,4956,5024,5033,8001,8002,8003,8004,8005,8006,8007,8222
Common      1,299,300,324,340,403,404,410,411,412,413,431,500,501,1100,1102,1107,1108,4608,4610,4611,4614,4622,
            4624,4625,4634,4647,4648,4649,4657,4661,4662,4663,4665,4666,4667,4688,4670,4672,4673,4674,4675,4689,4697,
            4700,4702,4704,4705,4716,4717,4718,4719,4720,4722,4723,4724,4725,4726,4727,4728,4729,4733,4732,4735,4737,
            4738,4739,4740,4742,4744,4745,4746,4750,4751,4752,4754,4755,4756,4757,4760,4761,4762,4764,4767,4768,4771,
            4774,4778,4779,4781,4793,4797,4798,4799,4800,4801,4802,4803,4825,4826,4870,4886,4887,4888,4893,4898,4902,
            4904,4905,4907,4931,4932,4933,4946,4948,4956,4985,5024,5033,5059,5136,5137,5140,5145,5632,6144,6145,6272,
            6273,6278,6416,6423,6424,8001,8002,8003,8004,8005,8006,8007,8222,26401,30004

Note

  • If you are using Group Policy Object (GPO), it is recommended that you enable the audit policy for Process Creation Event 4688 and the CommandLine field inside event 4688. For more information about Process Creation Event 4688, see Security Center's FAQ. For more information about these audit policies, see Audit Policy Recommendations.
  • To enable data collection for Adaptive Application Controls, Security Center configures a local AppLocker policy in Audit mode to allow all applications. This will cause AppLocker to generate events which are then collected and leveraged by Security Center. It is important to note that this policy will not be configured on any machines on which there is already a configured AppLocker policy.
  • To collect Windows Filtering Platform Event ID 5156, you need to enable Audit Filtering Platform Connection (Auditpol /set /subcategory:"Filtering Platform Connection" /Success:Enable)
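To see what the tiers in the table above actually keep, here is an added example (not Security Center's or the agent's own code) that applies the Minimal and Common ID sets to a constructed batch of Windows security events and flags the two audit gaps the notes call out: a 4688 event without a CommandLine field, and 5156 being outside both sets. The event records and the helper names are this example's own.

```python
"""Apply Security Center's Windows security event storage tiers to sample events.

The MINIMAL and COMMON sets are copied from the table on this page. The sample
events are constructed for illustration; real events come from the Security log.
"""
MINIMAL = {
    1102, 4624, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724,
    4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4799, 4825,
    4946, 4948, 4956, 5024, 5033, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222,
}
COMMON = {
    1, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1102,
    1107, 1108, 4608, 4610, 4611, 4614, 4622, 4624, 4625, 4634, 4647, 4648, 4649,
    4657, 4661, 4662, 4663, 4665, 4666, 4667, 4688, 4670, 4672, 4673, 4674, 4675,
    4689, 4697, 4700, 4702, 4704, 4705, 4716, 4717, 4718, 4719, 4720, 4722, 4723,
    4724, 4725, 4726, 4727, 4728, 4729, 4733, 4732, 4735, 4737, 4738, 4739, 4740,
    4742, 4744, 4745, 4746, 4750, 4751, 4752, 4754, 4755, 4756, 4757, 4760, 4761,
    4762, 4764, 4767, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799,
    4800, 4801, 4802, 4803, 4825, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902,
    4904, 4905, 4907, 4931, 4932, 4933, 4946, 4948, 4956, 4985, 5024, 5033, 5059,
    5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 6416, 6423, 6424,
    8001, 8002, 8003, 8004, 8005, 8006, 8007, 8222, 26401, 30004,
}
TIERS = {"None": set(), "Minimal": MINIMAL, "Common": COMMON}

# Constructed sample batch: one dict per event, keyed like the fields the
# Log Analytics agent forwards (EventID plus a few descriptive fields).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Account": "alice", "LogonType": 10},
    {"EventID": 4625, "Account": "bob", "LogonType": 3},
    {"EventID": 4634, "Account": "alice"},                     # sign out: Common only
    {"EventID": 4688, "Process": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "Process": "notepad.exe"},               # CommandLine auditing off
    {"EventID": 4672, "Account": "alice"},                      # special privileges: Common only
    {"EventID": 5156, "Direction": "Outbound", "DestPort": 443},  # WFP: neither set
    {"EventID": 8002, "Path": "C:\\Tools\\app.exe"},           # AppLocker allowed
    {"EventID": 4720, "Account": "svc-new"},                    # user account created
    {"EventID": 5145, "Share": "\\\\srv\\finance"},            # share access: Common only
]


def stored(events, tier):
    """Return the events the workspace retains at the given tier.

    'All events' keeps everything; the other tiers keep only the listed IDs.
    """
    if tier == "All events":
        return list(events)
    keep = TIERS[tier]
    return [e for e in events if e["EventID"] in keep]


def volume_by_tier(events):
    """Count retained events per tier, to compare storage volume before choosing."""
    return {t: len(stored(events, t)) for t in ("None", "Minimal", "Common", "All events")}


def audit_gaps(events):
    """Flag configuration gaps the notes above describe.

    4688 without CommandLine means the command-line audit field is not enabled;
    5156 is kept only under 'All events' and only appears at all when the
    Filtering Platform Connection subcategory is audited.
    """
    gaps = []
    for e in events:
        if e["EventID"] == 4688 and not e.get("CommandLine"):
            gaps.append(f"4688 for {e.get('Process')} lacks CommandLine; enable command-line auditing")
    if not any(e["EventID"] == 5156 for e in events):
        gaps.append("no 5156 events; enable Audit Filtering Platform Connection if WFP data is wanted")
    return gaps
```

Running `volume_by_tier(SAMPLE_EVENTS)` on the constructed batch shows how the tiers trade audit completeness for volume: sign-out, privilege-assignment and share-access events survive only from Common upward.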

Setting the security event option at the workspace level

You can define the level of security event data to store at the workspace level.

  1. From Security Center's menu in the Azure portal, select Pricing & settings.

  2. Select the relevant workspace. The only data collection events for a workspace are the Windows security events described on this page.

    (Screenshot: Set the security event data to store in a workspace)

  3. Select the amount of raw event data to store and select Save.

Manual agent provisioning

To manually install the Log Analytics agent:

  1. Disable auto provisioning.

  2. Optionally, create a workspace.

  3. Enable Azure Defender on the workspace on which you're installing the Log Analytics agent:

    1. From Security Center's menu, select Pricing & settings.

    2. Set the workspace on which you're installing the agent. Make sure the workspace is in the same subscription you use in Security Center and that you have read/write permissions for the workspace.

    3. Select Azure Defender on, and Save.

      Note

      If the workspace already has a Security or SecurityCenterFree solution enabled, the pricing will be set automatically.

  4. To deploy agents on new VMs using a Resource Manager template, install the Log Analytics agent:

  5. To deploy agents on your existing VMs, follow the instructions in Collect data about Azure Virtual Machines (the section Collect event and performance data is optional).

  6. To use PowerShell to deploy the agents, use the instructions from the virtual machines documentation:

Tip

For instructions on how to onboard Security Center using PowerShell, see Automate onboarding of Azure Security Center using PowerShell.

Automatic provisioning in cases of a pre-existing agent installation

The following use cases specify how automatic provisioning works in cases when there is already an agent or extension installed.

  • Log Analytics agent is installed on the machine, but not as an extension (Direct agent) - If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Security Center will install the Log Analytics agent extension, and might upgrade the Log Analytics agent to the latest version. The agent installed will continue to report to its already configured workspace(s), and additionally will report to the workspace configured in Security Center (multi-homing is supported on Windows machines). If the configured workspace is a user workspace (not Security Center's default workspace), then you will need to install the "Security" or "SecurityCenterFree" solution on it for Security Center to start processing events from VMs and computers reporting to that workspace.

    For Linux machines, agent multi-homing is not yet supported; hence, if an existing agent installation is detected, automatic provisioning will not occur and the machine's configuration will not be altered.

    For existing machines on subscriptions onboarded to Security Center before 17 March 2019, when an existing agent is detected, the Log Analytics agent extension will not be installed and the machine will not be affected. For these machines, see the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines.

  • System Center Operations Manager agent is installed on the machine - Security Center will install the Log Analytics agent extension side by side with the existing Operations Manager agent. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. If Operations Manager agent version 2012 is installed, do not enable automatic provisioning.

  • A pre-existing VM extension is present:

    • When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Security Center does not override existing connections to user workspaces. Security Center will store security data from the VM in the workspace already connected, provided that the "Security" or "SecurityCenterFree" solution has been installed on it. Security Center may upgrade the extension version to the latest version in this process.
    • To see which workspace the existing extension is sending data to, run the test to Validate connectivity with Azure Security Center. Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
    • If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of operating systems supported by Azure Security Center to make sure your operating system is supported. For more information, see Existing Log Analytics customers.
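The cases above are easy to misread when planning a rollout, so here is an added example (not Security Center's code) that encodes them as a decision function: given a machine's OS, existing agent type, and subscription onboarding date, it returns whether the extension gets installed and which workspaces the machine ends up reporting to. The Agent enum, the Machine/Outcome records, the sample workspace names, and the use of the 17 March 2019 date as a cut-off are this example's own modelling choices.

```python
"""Model of how auto provisioning treats a machine with a pre-existing agent.

Rules are taken from the page's use cases; everything else (names, sample data)
is constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional, Tuple


class Agent(Enum):
    NONE = "none"            # no monitoring agent present
    DIRECT = "direct"        # Log Analytics agent installed directly, not as an extension
    EXTENSION = "extension"  # Log Analytics agent installed as the Azure VM extension
    SCOM = "scom"            # System Center Operations Manager agent


ONBOARDING_CUTOFF = date(2019, 3, 17)  # subscriptions onboarded before this are treated differently


@dataclass
class Machine:
    name: str
    os: str                  # "windows" or "linux"
    agent: Agent
    onboarded: str           # ISO date the subscription was onboarded to Security Center
    scom_version: Optional[int] = None
    workspace_has_security_solution: bool = True  # "Security" or "SecurityCenterFree" on the user workspace


@dataclass
class Outcome:
    install_extension: bool
    reports_to: Tuple[str, ...]  # workspaces the machine reports to after provisioning
    note: str


def plan(m: Machine, sc_workspace: str, existing_ws: str = "user-ws") -> Outcome:
    """Return what auto provisioning does for machine m once enabled."""
    if m.agent is Agent.NONE:
        return Outcome(True, (sc_workspace,), "extension installed; connected to the configured workspace")

    if m.agent is Agent.DIRECT:
        if m.os == "linux":
            # Linux agent multi-homing is not supported: nothing is changed.
            return Outcome(False, (existing_ws,), "Linux multi-homing unsupported; configuration left unchanged")
        if date.fromisoformat(m.onboarded) < ONBOARDING_CUTOFF:
            return Outcome(False, (existing_ws,),
                           "onboarded before 17 March 2019; see 'Resolve monitoring agent health issues'")
        note = "extension installed alongside the direct agent (multi-homed); agent may be upgraded"
        if not m.workspace_has_security_solution:
            note += "; install the Security or SecurityCenterFree solution on the user workspace"
        return Outcome(True, (existing_ws, sc_workspace), note)

    if m.agent is Agent.SCOM:
        if m.scom_version == 2012:
            return Outcome(False, (existing_ws,), "Operations Manager agent 2012 present; do not enable auto provisioning")
        return Outcome(True, (existing_ws, sc_workspace),
                       "extension installed side by side; shared run-time libraries updated")

    # Agent.EXTENSION: a single-workspace connection that Security Center never overrides.
    note = "existing extension kept (may be upgraded); data stays in the connected workspace"
    if not m.workspace_has_security_solution:
        note += ", but only processed once the Security or SecurityCenterFree solution is installed there"
    return Outcome(False, (existing_ws,), note)


if __name__ == "__main__":
    sc_ws = "DefaultWorkspace-<subscription-id>-<geo>"  # placeholder per the naming convention above
    for m in (Machine("win-direct", "windows", Agent.DIRECT, "2020-01-15"),
              Machine("lin-direct", "linux", Agent.DIRECT, "2020-01-15"),
              Machine("scom-2012", "windows", Agent.SCOM, "2020-01-15", scom_version=2012)):
        print(m.name, plan(m, sc_ws))
```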

Disable auto provisioning

When you disable auto provisioning, agents will not be provisioned on new VMs.

To turn off automatic provisioning of an agent:

  1. From Security Center's menu in the portal, select Pricing & settings.

  2. Select the relevant subscription.

  3. Select Auto provisioning.

  4. Toggle the status to Off for the relevant agent.

    (Screenshot: Toggle to disable auto provisioning per agent type)

  5. Select Save. When auto provisioning is disabled, the default workspace configuration section is not displayed:

    (Screenshot: Empty configuration cell after auto provisioning is disabled)

Note

Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see How do I remove OMS extensions installed by Security Center.

Troubleshooting

Next steps

This page explained how to enable auto provisioning for the Log Analytics agent and other Security Center extensions. It also described how to define a Log Analytics workspace in which to store the collected data. Both operations are required to enable data collection. Storing data in Log Analytics, whether you use a new or existing workspace, might incur more charges for data storage. For pricing details in your currency of choice and according to your region, see Security Center pricing.