Merge pull request #6 from Microsoft/springstone

Some queries added and additional documentation
This commit is contained in:
Sacha Narinx 2017-05-29 20:21:40 +04:00 committed by GitHub
Parent 3fd3aa6ab4 abcf676a6d
Commit 1bb7a16656
5 changed files: 61 additions and 25 deletions


@ -13,3 +13,13 @@
-ReportName "criticalupdatesrequired" `
-dynamicQuery "Type=Update UpdateState=Needed Optional=false (Classification=""Security Updates"" OR Classification=""Critical Updates"")"
#All VMs with more than 2GB RAM available on average
.\RB-ProcessLogs.ps1 `
-ReportName "vmswithover2gbramavailable" `
-dynamicQuery "Type=Perf ObjectName=Memory CounterName=""Available MBytes"" | measure avg(CounterValue) by Computer | where AggregatedValue>2048"
#All computers with their most recent data
.\RB-ProcessLogs.ps1 `
-ReportName "allvmsmostrecentdata" `
-dynamicQuery "NOT(ObjectName=""Advisor Metrics"" OR ObjectName=ManagedSpace) TimeGenerated>NOW-5MINUTES"
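Review bot: the `vmswithover2gbramavailable` query has no `TimeGenerated` filter, so `measure avg(CounterValue) by Computer` averages over everything retained in the workspace rather than over the period this daily report is meant to cover; add a bound before the `measure`, e.g. `TimeGenerated>=NOW-24HOURS` in the same form the other queries use, so the average reflects the reporting window. The `allvmsmostrecentdata` query also returns every raw record from the last five minutes with no aggregation, which can be a large result set for a scheduled report; if the intent is only to confirm each computer is still reporting, a `| measure max(TimeGenerated) by Computer` style aggregation would keep the output small.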


@ -1,14 +1,19 @@
#Average CPU usage calculated over 10 minutes for the last 1 hours.
#Average CPU usage calculated over 10 minutes for the last 1 hours
.\RB-ProcessLogs.ps1 `
-ReportName "perfavgcpu" `
-dynamicQuery "Type=Perf CounterName=""% Processor Time"" TimeGenerated>=NOW-1HOURS | measure avg(CounterValue) by Computer interval 30MINUTE"
#All detected threats based on threat status rank.
#All detected threats based on threat status rank
.\RB-ProcessLogs.ps1 `
-ReportName "securitydetectedthreats" `
-dynamicQuery "Type=ProtectionStatus ThreatStatusRank > 199 ThreatStatusRank != 470 | measure max(ThreatStatusRank) as Rank by Computer | Top 5000"
#All Windows security login failures in the past 1 hours.
#All Windows security login failures in the past 1 hour
.\RB-ProcessLogs.ps1 `
-ReportName "acctloginfailurepasthour" `
-dynamicQuery "Type=SecurityEvent EventID=4625 TimeGenerated>=NOW-1HOURS"
#All Linux Syslog errors in the past 1 hour
.\RB-ProcessLogs.ps1 `
-ReportName "linuxsyslogerrors" `
-dynamicQuery "Type=Syslog SeverityLevel=error TimeGenerated>NOW-1HOUR"
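Review bot: the comment on the `perfavgcpu` query says the average is "calculated over 10 minutes", but the query uses `interval 30MINUTE`; either the comment or the interval should change so the report description matches what is actually computed. Minor: the same comment still reads "last 1 hours" although the login-failure comment was corrected to "past 1 hour" in this change, and the new Syslog query uses `NOW-1HOUR` where the queries above use `NOW-1HOURS`; aligning both spellings keeps the scripts consistent and easy to grep.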


@ -9,9 +9,12 @@ The queries included in this sample solution are designed to be flexible and hig
* Alerts generated in the past 24 hours that are still open
* All Windows VMs that require updates
* All VMs that are missing critical updates
* All VMs with more than 2GB RAM available on average
* All computers with their most recent data
### Hourly Reports
* Average CPU usage calculated over 10 minutes for the last 1 hours
* All detected threats based on threat status rank
* All Windows security login failures in the past 1 hours
* All Linux Syslog errors in the past 1 hour
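Review bot: the two hourly entries "for the last 1 hours" and "past 1 hours" keep the grammar error that the script comment in this same PR fixed to "past 1 hour"; correct them here as well. The CPU entry also says "calculated over 10 minutes" while the hourly script runs that query with `interval 30MINUTE`, so the documented description does not match the report output.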


@ -0,0 +1,18 @@
# zMonitor
## Writing Queries
Some tips for gettings started with writing Log Analytics queries and generating reports.
A great place to start is the default "Saved Searches" in Log Analytics. Once you start exploring writing your own queries, a good place to start digging is:
```LogAnalytics
* | Measure count() by Type
```
## References
Some excellent resources to get up and running quickly:
* [Find data using log searches](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches)
* [Log Analytics search reference](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-search-reference)
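Review bot: typo in the opening sentence of the new file, "gettings started" should be "getting started", and the next sentence repeats itself ("A great place to start ... a good place to start digging is"); rewording one of them avoids the echo. The `* | Measure count() by Type` example is a good first query, but a short line explaining what it returns (record counts per data type, which tells the reader which `Type=` values are available for the `-dynamicQuery` reports) would make the tip self-explanatory.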


@ -4,7 +4,7 @@
An Azure platform native monitoring solution that enables monitoring across multiple tenants or subscriptions.
The primary goal is to utilize Azure native components, and deliver an as simple as possible, highly configurable and scalable, cost-effective monitoring solution. The driving force behind this solution was the need to be able to monitor Azure resources across tenants (for service providers), using Azure native tools. While there are many metrics and logs generated in Azure, surfacing this information across subscriptions/tenants proved challenging.
The primary goal is to utilize Azure native components, and deliver an as simple as possible, highly configurable and scalable, cost-effective monitoring solution. The driving force behind this solution was the need to be able to monitor Azure resources across tenants (for service providers), using Azure native tools. While there are many metrics and logs generated in Azure, surfacing this information across subscriptions/tenants and effectively monitoring proved challenging.
## Solution
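Review bot: the rewritten sentence ends "surfacing this information across subscriptions/tenants and effectively monitoring proved challenging", which is ungrammatical; suggest "surfacing this information across subscriptions/tenants, and monitoring it effectively, proved challenging". While this line is being touched, "deliver an as simple as possible, highly configurable and scalable, cost-effective monitoring solution" is hard to parse and reads better as "deliver a monitoring solution that is as simple as possible, highly configurable, scalable and cost-effective".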
@ -29,35 +29,35 @@ The components that make up the solution:
* Azure Automation
* [Optional] Power BI
## Azure Resource Documentation
For additional info on what is currently enabled through this solution (work in progress):
* Log Analytics
<!--![Log Analytics](Documentation/images/loganalytics.png)-->
[Documentation: Log Analytics][1]
* Azure Automation
[Documentation: Azure Automation][2]
* Stream Analytics
[Documentation: Stream Analytics][3]
* Azure Cosmos DB
[Documentation: Azure Cosmos DB][4]
* Power BI
[Documentation: Power BI][5]
* [Reports/Queries](Documentation/Log-Reports.md)
* [Resources for writing Log Analytics queries](Documentation/Writing-Reports.md)
## Deployment
The detailed deployment instructions for the solution:
[Deploying monitoring for Tenant/ Subscription][6]
[Deploying the central repository (e.g. Service Provider)][7]
## Azure Resource Documentation
For more information on the individual components, please refer to the official documentation:
* [Log Analytics][1]
<!--![Log Analytics](Documentation/images/loganalytics.png)-->
* [Azure Automation][2]
* [Stream Analytics][3]
* [Azure Cosmos DB][4]
* [Power BI][5]
## Contributions
Please refer to [CONTRIBUTING](Documentation/Contributing.md)
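Review bot: the commented-out image line `<!--![Log Analytics](Documentation/images/loganalytics.png)-->` is carried over into the new "Azure Resource Documentation" list; either restore the image or drop the dead HTML comment rather than leaving it in the README. The new "Deployment" section relies on reference links `[6]` and `[7]` whose definitions are not visible in this hunk; please confirm they are defined alongside `[1]`-`[5]` at the bottom of README.md, otherwise the two deployment links render as plain bracketed text. Minor: "Tenant/ Subscription" has a stray space after the slash.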