- Learn Azure Sentinel
- Richard Diver Gary Bushey Jason S. Rader
- 1600字
- 2021-06-30 15:08:19
Advanced settings for Log Analytics
The advanced settings for Log Analytics allow you to perform actions such as connecting on-premises and other non-Azure Windows and Linux servers, Azure Storage, and System Center Management groups. You can also set what information to import from Windows and Linux servers, import IIS logs and Syslog events, and add custom logs and fields. Finally, you can create groups of computers, or use groups already created in Active Directory, Windows Server Update Service (WSUS), and SCCM, which can be used in your queries.
To get to the Advanced settings page, follow the instructions to get to the Log Analytics Overview page in the previous section and instead of selecting Azure virtual machines (VMs), select Windows, Linux and other sources. This will open a new page, as shown in the following screenshot:
As you can see, there are various menu options that will allow you to connect to various servers, determine what data to ingest, and help with querying the data that these servers provide. Each one will be discussed in the next section.
Connected Sources
This area allows you to attach non-Azure Windows and Linux servers, Azure Storage, and System Center Operations Manager:
- Windows Servers: This section allows you to attach a non-Azure Windows-based VM to the workspace. Click on either Download Windows Agent (64bit) or Download Windows Agent (32bit) to match the Windows version you are using and run the program on the server. Copy the WORKSPACE ID and either the PRIMARY KEY or SECONDARY KEY and fill them in when asked.
- Linux Servers: This works the same as the Windows Servers, except there is also a listing for a wget command that will download and install the application without needing any user interaction.
Note
While this can be used to connect Azure VMs, it is far easier to use the steps in the previous section to do so.
- Azure Storage: This will list the number of Azure Storage accounts connected and provides a link to documentation explaining how to connect to the Storage account. This will need to be performed from the Storage account and cannot be done here.
- System Center: This allows us to connect System Center Operations Manager management groups or the entire deployment to your workspace with a few clicks rather than having to connect each server individually.
The Connected Sources area shows you how to connect to on-premises servers as well as Azure Storage and System Center Manager groups. Next, we will look at the Data menu, which will tell Azure Sentinel what information from those servers to ingest.
The Data option
This area allows you to determine which data from connected servers will be imported. Selecting the Data option will bring you to the following page:
Let's take a look at the different fields under the Data option:
- Windows Event Logs: This allows you to search for all the various logs that show up in the Windows Event viewer, including items such as the Application, Setup, and System logs, to have them included in the Log Analytics workspace. While having all this data can be handy, if there are a lot of Windows servers connected, it can lead to a large amount of data being imported. Note that the Windows Security log is not available since it will always be imported from any connected Windows server.
- Windows Performance Counters: This will show a listing of all the performance counters that will be included by default and the polling interview. From here, you can change the interview or remove the counter completely. You can also add other counters to monitor.
- Linux Performance Counters: This will show a listing of all the Linux performance counters that will be included by default and the polling interval for those counters that use a polling interval. From here, you can change the interview or remove the counter completely. You can also add other counters to monitor.
- IIS Logs: This determines whether the W3C format IIS log files will be ingested from Windows web servers.
- Custom Fields: This shows a listing of all the custom fields that have been added, as well as the logs they belong to and their data types. Clicking on the Go to button will take you to the Log page, where a query will be shown, giving you an overview of the field. You can also remove the custom field from here.
- Custom Logs: This page allows you to add custom logs that you cannot, or do not want to, add using other data sources. An example of this is the web logs from a Linux-based web server. Go to https://docs.microsoft.com/en-us/ azure/azure-monitor/platform/data-sources-custom-logs for more information on adding a custom log.
As you can see, there are a lot of ways in which you can configure the data to import. There will always be a trade-off between what data you need or want and the cost of ingesting and storing the data. In the next section, we will look at Computer Groups, which can help you with your queries.
Computer Groups
This section will show all the custom computer groups that have been created and provide a way to create your own. These groups can then be used in queries. You can use these groups to create queries that reference a specific set of servers that can then be easily changed without having to change the query itself.
Selecting the Computer Groups option will present you with the following screen:
Let's discuss the different fields under Computer Groups:
- Saved Groups: This page will show all the custom groups that have been added. It also provides instructions on creating a computer group from a query. An example of how to do this will be provided at the end of this section.
- Active Directory: Select the Import Active Directory group memberships from computers checkbox to allow groups from Active Directory to be imported. After this is enabled, it may take a few minutes before any groups show up.
- WSUS: Select the Import WSUS group memberships checkbox to allow groups from Windows Server Update Services to be imported. After this is enabled, it may take a few minutes before any groups show up.
- SCCM: Select the Import Configuration Manager collection memberships checkbox to allow groups from SCCM to be imported. After this is enabled, it may take a few minutes before any groups show up.
There are various ways to create computer groups to help you with your queries. Each of these will be discussed in more detail in the following sections.
Adding a computer group from a query
Adding a computer group using a query involves running a query that will return a list of computers and then save that information as a computer group:
- In the Saved Groups section under Computer Groups, click on the Go to Search link to go to the Logs page. Enter any query that will generate a listing of computers. Here's an example:
Heartbeat
| where TimeGenerated > ago(30m)
| distinct Computer
Don't worry about what the query means, it will be explained in Chapter 5, Using the Kusto Query Language (KQL). For now, this will return a listing of all those computers that have sent a heartbeat to the workspace in the last 30 minutes. Note that you will need to have a server connected to Azure (see the Obtaining information from Azure virtual machines and Connected sources sections) to get any information from this query.
- Click on the Run button to get a list of computers. If no computers are returned, change 30 to a larger value until you do.
- Once you have a list, click on the Save button to save this query:
This will bring up a new blade where you can enter the query information.
- Enter a descriptive name.
- Change the Save as dropdown to Function, as shown in the following screenshot:
- Add a function alias, which will be used in the queries later. Make sure to check the Save this query as a computer group option, otherwise it will just save as a query that can be the same as the name.
- Finally, add a category, which is just used to group the computer groups together.
- Click the Save button.
When you go back to the Saved Groups page, you will see your saved group, which will look similar to what is shown in the following screenshot:
- Click on the View Members icon, which looks like a magnifying glass, to view the members of the group. It is worth noting that this group is dynamic, so based on the query in this section, the number and names of the computers that show up in the query can change.
- Click on the Remove icon, which looks like an X, to remove a saved group. You will be prompted to verify that you want to remove the saved group before the action occurs.
To use a saved group, enter a query like this:
Perf
| where Computer in (BookQuery)
Substitute BookQuery for the name of the query you just created. Again, do not worry about what this query means; it is just an example of how to use a saved group. It will make more sense after reading Chapter 5, Using the Kusto Query Language (KQL).