Azure security logging and auditing

Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms. This article discusses generating, collecting, and analyzing security logs from services hosted on Azure.


Certain recommendations in this article might result in increased data, network, or compute resource usage, and may increase your license or subscription costs.

Types of logs in Azure

Cloud applications are complex, with many moving parts. Logging data can provide insight into your applications and help you:

  • Troubleshoot past problems or prevent potential ones
  • Improve application performance or maintainability
  • Automate actions that would otherwise require manual intervention

Azure logs are categorized into the following types:

  • Control/management logs provide information about Azure Resource Manager CREATE, UPDATE, and DELETE operations. For more information, see Azure activity logs.

  • Data plane logs provide information about events raised as part of Azure resource usage. Examples of this type of log are the Windows event system, security, and application logs in a virtual machine (VM), and the diagnostics logs that are configured through Azure Monitor.

  • Processed events provide information about analyzed events and alerts that have been processed on your behalf. An example of this type is Azure Security Center alerts, where Azure Security Center has processed and analyzed your subscription and provides concise security alerts.

The following table lists the most important types of logs available in Azure:

| Log category | Log type | Usage | Integration |
|---|---|---|---|
| Activity logs | Control-plane events on Azure Resource Manager resources | Provides insight into the operations that were performed on resources in your subscription. | REST API, Azure Monitor |
| Azure Resource logs | Frequent data about the operation of Azure Resource Manager resources in the subscription | Provides insight into operations that the resource itself performed. | Azure Monitor |
| Azure Active Directory reporting | Logs and reports | Reports user sign-in activity and system activity information about user and group management. | Graph API |
| Virtual machines and cloud services | Windows Event Log service and Linux Syslog | Captures system data and logging data on the virtual machines and transfers that data into a storage account of your choice. | Windows (using Azure Diagnostics [WAD] storage) and Linux in Azure Monitor |
| Azure Storage Analytics | Storage logging; provides metrics data for a storage account | Helps trace requests, analyze usage trends, and diagnose issues with your storage account. | REST API or the client library |
| Network security group (NSG) flow logs | JSON format; shows outbound and inbound flows on a per-rule basis | Displays information about ingress and egress IP traffic through a network security group. | Azure Network Watcher |
| Application Insights | Logs, exceptions, and custom diagnostics | Provides an application performance monitoring (APM) service for web developers on multiple platforms. | REST API, Power BI |
| Process data / security alerts | Azure Security Center alerts, Azure Monitor logs alerts | Provides security information and alerts. | REST APIs, JSON |
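The NSG flow log row above describes a JSON format that lists inbound and outbound flows per rule. The following added example (not code from this page or from Microsoft) shows what a defender usually does first with those logs: parse the records and summarize allowed versus denied flows per rule, list the sources whose inbound traffic was denied, and total the byte counters. The record layout is assumed to follow the NSG flow log version 2 schema (thirteen comma-separated fields per flow tuple); the records, the NSG name, the IPs and the `<SUB-ID>` placeholder are all constructed sample data.

```python
"""Parse NSG flow log records and summarize allowed/denied flows per rule.

Added example, not code from the documentation page. The layout is ASSUMED to
follow the NSG flow log version 2 schema: `properties.flows[]` grouped by rule,
and each flow tuple a comma-separated string of
  timestamp,srcIP,dstIP,srcPort,dstPort,protocol,direction,decision,state,
  packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
(protocol T/U, direction I/O, decision A/D, state B/C/E). Counters are empty on
"B" (begin) tuples. All sample data below is constructed; <SUB-ID> is a placeholder.
"""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: one flow log record for an NSG named WEB-NSG.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2023-05-01T10:00:00.000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<SUB-ID>/RESOURCEGROUPS/RG1/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
        "properties": {"Version": 2, "flows": [
            {"rule": "DefaultRule_DenyAllInBound",
             "flows": [{"mac": "000D3AF80000", "flowTuples": [
                 "1682935200,203.0.113.7,10.0.0.4,51822,22,T,I,D,B,,,,",
                 "1682935201,203.0.113.7,10.0.0.4,51823,3389,T,I,D,B,,,,"]}]},
            {"rule": "UserRule_AllowHTTPS",
             "flows": [{"mac": "000D3AF80000", "flowTuples": [
                 "1682935202,198.51.100.9,10.0.0.4,40000,443,T,I,A,B,,,,",
                 "1682935205,198.51.100.9,10.0.0.4,40000,443,T,I,A,E,12,3400,10,9000"]}]},
            {"rule": "DefaultRule_AllowInternetOutBound",
             "flows": [{"mac": "000D3AF80000", "flowTuples": [
                 "1682935210,10.0.0.4,192.0.2.20,49152,443,T,O,A,B,,,,"]}]},
        ]},
    }],
})


@dataclass
class Flow:
    nsg: str
    rule: str
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str     # "T" (TCP) or "U" (UDP)
    direction: str    # "I" inbound or "O" outbound
    decision: str     # "A" allowed or "D" denied
    state: str        # "B" begin, "C" continuing, "E" end
    bytes_total: int  # bytes in both directions; 0 on begin tuples


def _to_int(field: str) -> int:
    """Empty counter fields (begin tuples) are reported as 0."""
    return int(field) if field else 0


def parse_tuple(nsg: str, rule: str, raw: str) -> Flow:
    f = raw.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 fields in a v2 flow tuple, got {len(f)}: {raw!r}")
    return Flow(nsg=nsg, rule=rule, timestamp=int(f[0]), src_ip=f[1], dst_ip=f[2],
                src_port=int(f[3]), dst_port=int(f[4]), protocol=f[5],
                direction=f[6], decision=f[7], state=f[8],
                bytes_total=_to_int(f[10]) + _to_int(f[12]))


def parse_flow_log(text: str) -> list:
    """Flatten every record / rule / flowTuple of a flow log blob into Flow objects."""
    flows = []
    for record in json.loads(text)["records"]:
        if record.get("category") != "NetworkSecurityGroupFlowEvent":
            continue  # skip unrelated categories in a mixed export
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    flows.append(parse_tuple(nsg, rule_block["rule"], raw))
    return flows


def summarize_by_rule(flows: list) -> dict:
    """Per rule, count flows keyed by direction/decision, e.g. 'I/D' = inbound denied."""
    summary = defaultdict(Counter)
    for fl in flows:
        summary[fl.rule][f"{fl.direction}/{fl.decision}"] += 1
    return dict(summary)


def denied_inbound_sources(flows: list) -> Counter:
    """Source IPs whose inbound connections the NSG denied (a quick triage view)."""
    return Counter(fl.src_ip for fl in flows if fl.direction == "I" and fl.decision == "D")


def bytes_by_rule(flows: list) -> dict:
    """Sum byte counters per rule; only C/E tuples carry counters, so B tuples add 0."""
    totals = defaultdict(int)
    for fl in flows:
        totals[fl.rule] += fl.bytes_total
    return dict(totals)


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    for rule, counts in summarize_by_rule(parsed).items():
        print(rule, dict(counts))
    print("denied inbound sources:", denied_inbound_sources(parsed).most_common())
    print("bytes by rule:", bytes_by_rule(parsed))
```

Byte totals are only meaningful on continuing or end tuples, so a summary that sums all tuples without distinguishing state undercounts nothing but a summary that expects counters on begin tuples would raise on the empty fields; the parser treats them as zero for that reason.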

Log integration with on-premises SIEM systems

Integrating Security Center alerts discusses how to sync Security Center alerts, virtual machine security events collected by Azure diagnostics logs, and Azure audit logs with your Azure Monitor logs or SIEM solution.

Next steps