Activity Monitor Alerts for Specific NSG Rules MACD


Problem description



I have an NSG that I need to monitor for any changes to the inbound or outbound rules. I've tried the pre-canned NSG update/modify alert type, but that doesn't seem to capture NSG rules updates. From the activity log, I can see my changes to individual NSG rules and create an alert for that specific rule, but that doesn't help me monitor all of the rules at once, or any new rules that are created.

I found an ARM template online that will alert me on ANY NSG rule changes, but I only want to alert for one specific NSG. I exported the JSON for an alert I created to monitor one specific rule, and tried to blend the two templates together to make something that will work for what I need, but I'm not having much luck.

Here's the template that alerts for ANY NSG rule changes:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "activityLogAlertEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    }
  },
  "resources": [   
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",      
      "location": "Global",
      "properties": {
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "scopes": [
            "[subscription().id]"
        ],        
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "Administrative"
            },
            {
              "field": "operationName",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"
            },
            {
              "field": "resourceType",
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
            }
          ]
        },
        "actions": {
          "actionGroups":
          [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}

And here's the template that alerts for one specific NSG rule:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "activityLogAlertEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    }
  },
  "resources": [   
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",      
      "location": "Global",
      "properties": {
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "scopes": [
            "[subscription().id]"
        ],        
        "condition": {
          "allOf": [
            {
              "containsAny": null,
              "equals": "Administrative",
              "field": "category"
            },
            {
              "containsAny": null,
              "equals": "/subscriptions/<removed>/resourceGroups/RG_Test/providers/Microsoft.Network/networkSecurityGroups/NSG_TEST/securityRules/NSG_TEST_RULE",
              "field": "resourceId"
            },
            {
              "containsAny": null,
              "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write",
              "field": "operationName"
            },
            {
              "containsAny": null,
              "equals": "informational",
              "field": "level"
            },
            {
              "containsAny": null,
              "equals": "Succeeded",
              "field": "status"
            }
          ]
        },
        "actions": {
          "actionGroups":
          [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}

Could someone help me put together an ARM template that will alert me for any inbound or outbound rule changes (new, modify, delete) for one specific NSG?

Solution

Try the script below:

{
    "id": "/subscriptions/Subscription ID/resourceGroups/Name/providers/microsoft.insights/activityLogAlerts/NSGalert",
    "type": "Microsoft.Insights/ActivityLogAlerts",
    "name": "",
    "location": "",
    "kind": null,
    "tags": {},
    "properties": {
        "scopes": [
            "/subscriptions/ID"
        ],
        "condition": {
            "allOf": [
                {
                    "field": "category",
                    "equals": "Administrative",
                    "containsAny": null
                },
                {
                    "field": "resourceId",
                    "equals": "/subscriptions/subscription ID/resourceGroups/name/providers/Microsoft.Network/networkSecurityGroups/VM-nsg",
                    "containsAny": null
                }
            ]
        },
        "actions": {
            "actionGroups": [
                {
                    "actionGroupId": "/subscriptions/Subscription id/resourcegroups/name/providers/microsoft.insights/actiongroups/testactiongroup",
                    "webhookProperties": {}
                }
            ]
        },
        "enabled": true,
        "description": "NSGalert"
    },
    "identity": null
}
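As an added illustration (not part of the question or the answer above), the following Python snippet models how an activity log alert's `scopes` and `condition.allOf` are applied to activity-log events, using constructed events and placeholder subscription IDs. It assumes that each scope entry is matched as a resource-ID prefix, that field comparisons are case-insensitive, and that rule deletions are logged under the operation name `Microsoft.Network/networkSecurityGroups/securityRules/delete`; none of these come from the page.

```python
# Added example, not from the page: a small model of how an activity log alert's
# "scopes" and "condition.allOf" are applied to activity-log events. Assumes
# scopes are resource-ID prefixes and field comparisons are case-insensitive.

TARGET_NSG = ("/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
              "/resourceGroups/RG_Test/providers/Microsoft.Network"
              "/networkSecurityGroups/NSG_TEST")

def clause_matches(clause, event):
    """One allOf clause: 'field' compared via 'equals' or 'containsAny'."""
    value = str(event.get(clause["field"], "")).lower()
    if clause.get("equals") is not None:
        return value == clause["equals"].lower()
    if clause.get("containsAny"):
        return value in [v.lower() for v in clause["containsAny"]]
    return False

def alert_fires(alert, event):
    """True when the event's resourceId is under a scope and all clauses hold."""
    rid = event["resourceId"].lower()
    in_scope = any(rid.startswith(s.lower()) for s in alert["scopes"])
    return in_scope and all(clause_matches(c, event)
                            for c in alert["condition"]["allOf"])

# The question's "ANY NSG rule" condition, scoped to the whole subscription.
ANY_NSG_RULE_ALERT = {
    "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName",
         "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
        {"field": "resourceType",
         "equals": "Microsoft.Network/networkSecurityGroups/securityRules"}]}}

# Variant scoped to one NSG (use the full NSG ID, since scopes are prefixes);
# containsAny covers rule create/modify (write) and delete (assumed op name).
ONE_NSG_RULES_ALERT = {
    "scopes": [TARGET_NSG],
    "condition": {"allOf": [
        {"field": "category", "equals": "Administrative"},
        {"field": "operationName", "containsAny": [
            "Microsoft.Network/networkSecurityGroups/securityRules/write",
            "Microsoft.Network/networkSecurityGroups/securityRules/delete"]}]}}

def rule_event(nsg_id, rule, op):
    """Constructed activity-log event for a securityRules write or delete."""
    return {"category": "Administrative", "status": "Succeeded",
            "operationName": f"Microsoft.Network/networkSecurityGroups/securityRules/{op}",
            "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules",
            "resourceId": f"{nsg_id}/securityRules/{rule}"}
```

Under these assumptions a rule write in a different NSG fires the subscription-wide alert but not the NSG-scoped one, and a rule delete in the target NSG fires only the NSG-scoped one.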

