Automatically sending logs to LAW with Azure Policy

Overview

Next, let's look at how to handle the second problem. Its description is in the previous article, "A summary of several ways to check backup status".

In short: when the number of Recovery Services vaults used for backup is not fixed, how do you get their logs into a Log Analytics workspace, so that alert rules can be built on Kusto queries? This is well worth considering in larger environments. Similar scenarios include sending the logs of other services to a SIEM, whether the SIEM is Sentinel, Splunk or something else; the same question has to be answered.

Solution

To solve this we use Azure Policy. Sending logs to a Log Analytics workspace is, at bottom, done by deploying a diagnostic setting, and Policy can automate exactly that: the policy defines a set of detection conditions, and if a resource does not meet them, the diagnostic setting is deployed automatically. From then on, no matter how many Recovery Services vaults are created, as long as they fall within the policy's scope their logs end up in the workspace.

The configuration can be simple or complex depending on the requirements. Microsoft provides sample policies that can be used as a starting point and modified. The specific steps follow.

Environment

The lab environment is very simple: two vaults for testing the policy. One has a diagnostic setting deployed in advance that already satisfies the policy's conditions, to test whether the policy deploys a second one anyway; the other is a blank vault, to test the policy's deployment.

Create the policy definition

In Azure Policy, find the built-in policy "Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories" and duplicate it.


We modify this duplicated policy to fit our needs. The built-in policy does the following:

  1. Check whether a specific tag is present; if it is, the policy does not evaluate the vault.
  2. Check whether a diagnostic setting is already deployed. This involves several conditions:
     1. The log categories must match those defined in the policy.
     2. The logs must be sent to a workspace.
     3. The DestinationType must be Dedicated.
  3. If the above conditions are not met, deploy the diagnostic settings through an ARM template.

Our requirement is a bit more complex than the built-in one: we deploy two diagnostic settings that send different log categories to different workspaces. The existence check can be adjusted as needed; here it is kept at the default.

The policy content is as follows:

{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Recovery Services Vault test sub",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created.",
    "metadata": {
      "category": "Test",
      "createdBy": "77a7d862-7b8c-4e84-bd2e-203e06a79d3f",
      "createdOn": "2024-03-11T04:42:57.7851371Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "version": "1.0.0",
    "parameters": {
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy_logAnalytics"
      },
      "profileName_report": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name for report",
          "description": "The diagnostic settings profile name for report"
        },
        "defaultValue": "setbypolicy_logAnalytics_report"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "logAnalytics_report": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace for report",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Exclusion Tag Name",
          "description": "Name of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Value parameter."
        },
        "defaultValue": ""
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Exclusion Tag Value",
          "description": "Value of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Name parameter."
        },
        "defaultValue": ""
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "Microsoft.RecoveryServices/vaults"
          },
          {
            "not": {
              "field": "[concat('tags[',parameters('tagName'), ']')]",
              "equals": "[parameters('tagValue')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allof": [
              {
                "count": {
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                  "where": {
                    "allof": [
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category",
                        "in": [
                          "CoreAzureBackup",
                          "AddonAzureBackupJobs",
                          "AddonAzureBackupAlerts",
                          "AddonAzureBackupPolicy",
                          "AddonAzureBackupStorage",
                          "AddonAzureBackupProtectedInstance"
                        ]
                      },
                      {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled",
                        "equals": "True"
                      }
                    ]
                  }
                },
                "Equals": 6
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "notEquals": ""
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType",
                "equals": "Dedicated"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vaultName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "logAnalytics_report": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  },
                  "profileName_report": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "logAnalyticsDestinationType": "AzureDiagnostics",
                      "metrics": [],
                      "logs": [
                        {
                          "category": "CoreAzureBackup",
                          "enabled": "true"
                        },
                        {
                          "category": "AzureBackupReport",
                          "enabled": "true"
                        }
                      ]
                    }
                  },
                  {
                    "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName_report'))]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics_report')]",
                      "logAnalyticsDestinationType": "Dedicated",
                      "metrics": [],
                      "logs": [
                        {
                          "category": "CoreAzureBackup",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupAlerts",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupJobs",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupPolicy",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupProtectedInstance",
                          "enabled": "true"
                        },
                        {
                          "category": "AddonAzureBackupStorage",
                          "enabled": "true"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat(parameters('logAnalytics'), 'configured for resource logs for ', ': ', parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
                  }
                }
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "logAnalytics_report": {
                  "value": "[parameters('logAnalytics_report')]"
                },
                "vaultName": {
                  "value": "[field('name')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                },
                "profileName_report": {
                  "value": "[parameters('profileName_report')]"
                }
              }
            }
          }
        }
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": "/subscriptions/xxxx/providers/Microsoft.Authorization/policyDefinitions/ed38ab51-fee7-4954-a7f5-8bab52131cd6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ed38ab51-fee7-4954-a7f5-8bab52131cd6",
  "systemData": {

  }
}
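The existenceCondition in the definition above is evaluated against each diagnostic setting on the vault, and deployIfNotExists treats the vault as compliant if any one setting matches. The following is an added example, not code from the original post: a local PowerShell re-implementation of that condition (six required categories enabled, a non-empty workspaceId, destination type Dedicated), run against two constructed settings shaped like the ones the template deploys. The workspace IDs are placeholders.

```powershell
# Added example (not from the original post): re-implement the policy's
# existenceCondition locally to see which diagnostic setting counts as
# "already deployed". Sample settings below are constructed, not real.
$RequiredCategories = @(
    'CoreAzureBackup', 'AddonAzureBackupJobs', 'AddonAzureBackupAlerts',
    'AddonAzureBackupPolicy', 'AddonAzureBackupStorage', 'AddonAzureBackupProtectedInstance'
)

function Test-DiagSettingSatisfiesPolicy {
    param([Parameter(Mandatory)] $Setting)

    # count(logs[*] where Category in <list> and Enabled == "True") must equal 6
    $matching = @($Setting.properties.logs | Where-Object {
        ($_.category -in $RequiredCategories) -and ([string]$_.enabled -eq 'True')
    })
    $categoriesOk  = $matching.Count -eq $RequiredCategories.Count
    # workspaceId notEquals ""
    $workspaceOk   = -not [string]::IsNullOrEmpty($Setting.properties.workspaceId)
    # logAnalyticsDestinationType equals "Dedicated"
    $destinationOk = $Setting.properties.logAnalyticsDestinationType -eq 'Dedicated'

    [pscustomobject]@{
        Name          = $Setting.name
        CategoriesOk  = $categoriesOk
        WorkspaceOk   = $workspaceOk
        DestinationOk = $destinationOk
        Satisfies     = $categoriesOk -and $workspaceOk -and $destinationOk
    }
}

function Test-VaultCompliant {
    # deployIfNotExists considers the vault compliant if ANY related
    # diagnostic setting matches the existenceCondition.
    param([Parameter(Mandatory)] [object[]] $Settings)
    ($Settings | ForEach-Object { (Test-DiagSettingSatisfiesPolicy $_).Satisfies }) -contains $true
}

# Constructed sample: the two settings the ARM template in the post deploys.
$allCategories = $RequiredCategories | ForEach-Object { @{ category = $_; enabled = 'true' } }
$settings = @(
    @{
        name = 'setbypolicy_logAnalytics'
        properties = @{
            workspaceId                 = '/subscriptions/<placeholder>/.../workspaces/law-backup'
            logAnalyticsDestinationType = 'AzureDiagnostics'
            logs = @(
                @{ category = 'CoreAzureBackup';   enabled = 'true' },
                @{ category = 'AzureBackupReport'; enabled = 'true' }
            )
        }
    },
    @{
        name = 'setbypolicy_logAnalytics_report'
        properties = @{
            workspaceId                 = '/subscriptions/<placeholder>/.../workspaces/law-backup-report'
            logAnalyticsDestinationType = 'Dedicated'
            logs = $allCategories
        }
    }
)

$settings | ForEach-Object { Test-DiagSettingSatisfiesPolicy $_ } | Format-Table -AutoSize
"Vault compliant: $(Test-VaultCompliant $settings)"
```

Only the second (Dedicated, six-category) setting satisfies the condition; the AzureDiagnostics setting with two categories does not, so it is the "report" setting that makes the vault compliant once the template has run. This also explains the lab result: a vault whose pre-existing setting already matches these three checks is reported compliant and nothing is redeployed, while a vault whose setting differs in category set, destination type or workspace is treated as having none.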

Create the policy assignment

With the policy definition in place, the next step is to assign it. The scope chosen here determines where the policy takes effect.

When assigning the policy, the most important part is the parameters: they decide which workspaces the logs go to, the names of the diagnostic settings, and so on.

Another important setting is remediation. By default the policy only acts on newly created resources; if a vault already exists when the policy is assigned, the policy does nothing to it and only reports it as non-compliant. This is where remediation comes in: a remediation task checks existing resources and fixes those that do not comply with the policy.


Check the results

After the policy is assigned, look at each vault in turn. If a diagnostic setting matching the policy's definition was already configured before the policy was deployed, the policy considers that vault compliant and does not deploy another one.

Then try creating a new vault; after waiting a while, you can see that the policy has taken effect on the new vault.

az backup vault create --location eastasia `
					   --name newvault `
					   --resource-group vaultnew


For a vault with no diagnostic setting, the policy deploys one automatically, and the outcome can be seen in the remediation task. Once the logs are flowing, setting up the alert rule is straightforward and is not covered here.
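The steps above (definition, assignment with parameters, remediation, checking compliance) are done in the portal in this post. As an added example, not part of the original post, here is the same flow with Azure CLI from PowerShell, the shell the post's own az command uses. It assumes the definition JSON above was saved as .\rsv-diag-policy.json and that az login has been run; the subscription ID, workspace resource IDs, definition and assignment names and the exclusion tag are all placeholders.

```powershell
# Added example (not from the original post): Azure Policy definition ->
# assignment -> remediation -> compliance check, using az CLI from PowerShell.
# Every ID and name below is a placeholder; requires an Azure subscription.
$ErrorActionPreference = 'Stop'

$SubscriptionId = '00000000-0000-0000-0000-000000000000'     # placeholder
$Scope          = "/subscriptions/$SubscriptionId"
$DefinitionName = 'deploy-rsv-diag-to-law'                    # assumed name
$AssignmentName = 'deploy-rsv-diag-to-law-assign'             # assumed name
$Location       = 'eastasia'                                  # region for the assignment's managed identity

# Resource IDs of the two target workspaces (placeholders)
$LawMain   = "$Scope/resourceGroups/rg-monitor/providers/Microsoft.OperationalInsights/workspaces/law-backup"
$LawReport = "$Scope/resourceGroups/rg-monitor/providers/Microsoft.OperationalInsights/workspaces/law-backup-report"

# 1. The portal export wraps rule and parameters under "properties";
#    az policy definition create takes them as separate documents.
$def = Get-Content .\rsv-diag-policy.json -Raw | ConvertFrom-Json
ConvertTo-Json -InputObject $def.properties.policyRule  -Depth 50 | Set-Content .\rule.json
ConvertTo-Json -InputObject $def.properties.parameters  -Depth 50 | Set-Content .\params.json

az policy definition create `
    --name $DefinitionName `
    --display-name $def.properties.displayName `
    --description $def.properties.description `
    --mode Indexed `
    --rules .\rule.json `
    --params .\params.json `
    --subscription $SubscriptionId

# 2. Assignment parameters: two workspaces and two DIFFERENT profile names,
#    because both diagnostic settings are created on the same vault.
@{
    logAnalytics        = @{ value = $LawMain }
    logAnalytics_report = @{ value = $LawReport }
    profileName         = @{ value = 'setbypolicy_logAnalytics' }
    profileName_report  = @{ value = 'setbypolicy_logAnalytics_report' }
    tagName             = @{ value = 'SkipBackupDiag' }    # assumed exclusion tag
    tagValue            = @{ value = 'true' }
} | ConvertTo-Json -Depth 5 | Set-Content .\assign-params.json

# deployIfNotExists runs the ARM deployment as the assignment's managed identity.
az policy assignment create `
    --name $AssignmentName `
    --policy $DefinitionName `
    --scope $Scope `
    --params .\assign-params.json `
    --mi-system-assigned `
    --location $Location

# The portal grants the roles in roleDefinitionIds automatically; with the CLI
# they must be granted by hand. The two GUIDs in the definition are
# Monitoring Contributor and Log Analytics Contributor.
$principalId = az policy assignment show --name $AssignmentName --scope $Scope `
    --query identity.principalId -o tsv
foreach ($role in 'Monitoring Contributor', 'Log Analytics Contributor') {
    az role assignment create --assignee-object-id $principalId `
        --assignee-principal-type ServicePrincipal --role $role --scope $Scope
}
# Workspaces outside the assignment scope additionally need Log Analytics
# Contributor on the workspace itself (see the parameter descriptions).
foreach ($ws in $LawMain, $LawReport) {
    az role assignment create --assignee-object-id $principalId `
        --assignee-principal-type ServicePrincipal --role 'Log Analytics Contributor' --scope $ws
}

# 3. Remediation: the policy only fires on create/update by default, so
#    vaults that existed before the assignment need a remediation task.
az policy remediation create `
    --name "$AssignmentName-remediation" `
    --policy-assignment $AssignmentName `
    --resource-discovery-mode ReEvaluateCompliance

# 4. Results: vaults still non-compliant after evaluation (expect an empty
#    table once remediation has finished and new vaults have been evaluated).
az policy state list `
    --policy-assignment $AssignmentName `
    --filter "complianceState eq 'NonCompliant'" `
    --query "[].{vault:resourceId, state:complianceState}" -o table
```

Role assignments can take a few minutes to propagate, so a remediation task created immediately after the assignment may fail its first deployments with an authorization error; re-running the remediation after the roles have propagated resolves it. The new-vault test from the post (az backup vault create) can be run after step 2, and the vault should show up in step 4 only until the policy's deployment has completed.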


Summary

That covers the solutions to the two problems mentioned earlier.
