建立資料收集規則的 JSON 指令碼
此指令碼可協助您建立變更追蹤和清查 (Change Tracking and Inventory) 的資料收集規則。請注意:範例中 Windows 的 17 個「Recommended」登錄機碼項目皆為 "enabled": false,需將想要監視的項目改為 true 才會實際收集;Linux 的 /etc/.*.conf 檔案追蹤設定為 "useSudo": true (表示以 sudo 讀取檔案),且依 maxContentsReturnable 與 maxOutputSize 等設定判斷,代理程式可能會將檔案內容上傳至 Log Analytics 工作區,因此追蹤可能含有認證或金鑰的設定檔前,請審慎選擇路徑,並限制該工作區的讀取權限。
範例指令碼
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"dataCollectionRuleName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the data collection rule to create."
},
"defaultValue": "Microsoft-CT-DCR"
},
"workspaceResourceId": {
"type": "string",
"metadata": {
"description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data."
}
}
},
"variables": {
"subscriptionId": "[substring(parameters('workspaceResourceId'), 15, sub(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 15))]",
"resourceGroupName": "[substring(parameters('workspaceResourceId'), add(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 16), sub(sub(indexOf(parameters('workspaceResourceId'), '/providers/'), indexOf(parameters('workspaceResourceId'), '/resourceGroups/')),16))]",
"workspaceName": "[substring(parameters('workspaceResourceId'), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1), sub(length(parameters('workspaceResourceId')), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1)))]"
},
"resources": [
{
"type": "microsoft.resources/deployments",
"name": "get-workspace-region",
"apiVersion": "2020-08-01",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [],
"outputs": {
"workspaceLocation": {
"type": "string",
"value": "[reference(parameters('workspaceResourceId'), '2020-08-01', 'Full').location]"
}
}
}
}
},
{
"type": "microsoft.resources/deployments",
"name": "CtDcr-Deployment",
"apiVersion": "2020-08-01",
"properties": {
"mode": "Incremental",
"parameters": {
"workspaceRegion": {
"value": "[reference('get-workspace-region').outputs.workspaceLocation.value]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceRegion": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-04-01",
"name": "[parameters('dataCollectionRuleName')]",
"location": "[[parameters('workspaceRegion')]",
"properties": {
"description": "Data collection rule for CT.",
"dataSources": {
"extensions": [
{
"streams": [
"Microsoft-ConfigurationChange",
"Microsoft-ConfigurationChangeV2",
"Microsoft-ConfigurationData"
],
"extensionName": "ChangeTracking-Windows",
"extensionSettings": {
"enableFiles": true,
"enableSoftware": true,
"enableRegistry": true,
"enableServices": true,
"enableInventory": true,
"registrySettings": {
"registryCollectionFrequency": 3000,
"registryInfo": [
{
"name": "Registry_1",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup",
"valueName": ""
},
{
"name": "Registry_2",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown",
"valueName": ""
},
{
"name": "Registry_3",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"valueName": ""
},
{
"name": "Registry_4",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components",
"valueName": ""
},
{
"name": "Registry_5",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers",
"valueName": ""
},
{
"name": "Registry_6",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers",
"valueName": ""
},
{
"name": "Registry_7",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers",
"valueName": ""
},
{
"name": "Registry_8",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",
"valueName": ""
},
{
"name": "Registry_9",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",
"valueName": ""
},
{
"name": "Registry_10",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
"valueName": ""
},
{
"name": "Registry_11",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
"valueName": ""
},
{
"name": "Registry_12",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions",
"valueName": ""
},
{
"name": "Registry_13",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions",
"valueName": ""
},
{
"name": "Registry_14",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
"valueName": ""
},
{
"name": "Registry_15",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
"valueName": ""
},
{
"name": "Registry_16",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls",
"valueName": ""
},
{
"name": "Registry_17",
"groupTag": "Recommended",
"enabled": false,
"recurse": true,
"description": "",
"keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify",
"valueName": ""
}
]
},
"fileSettings": {
"fileCollectionFrequency": 2700
},
"softwareSettings": {
"softwareCollectionFrequency": 1800
},
"inventorySettings": {
"inventoryCollectionFrequency": 36000
},
"servicesSettings": {
"serviceCollectionFrequency": 1800
}
},
"name": "CTDataSource-Windows"
},
{
"streams": [
"Microsoft-ConfigurationChange",
"Microsoft-ConfigurationChangeV2",
"Microsoft-ConfigurationData"
],
"extensionName": "ChangeTracking-Linux",
"extensionSettings": {
"enableFiles": true,
"enableSoftware": true,
"enableRegistry": false,
"enableServices": true,
"enableInventory": true,
"fileSettings": {
"fileCollectionFrequency": 900,
"fileInfo": [
{
"name": "ChangeTrackingLinuxPath_default",
"enabled": true,
"destinationPath": "/etc/.*.conf",
"useSudo": true,
"recurse": true,
"maxContentsReturnable": 5000000,
"pathType": "File",
"type": "File",
"links": "Follow",
"maxOutputSize": 500000,
"groupTag": "Recommended"
}
]
},
"softwareSettings": {
"softwareCollectionFrequency": 300
},
"inventorySettings": {
"inventoryCollectionFrequency": 36000
},
"servicesSettings": {
"serviceCollectionFrequency": 300
}
},
"name": "CTDataSource-Linux"
}
]
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "Microsoft-CT-Dest"
}
]
},
"dataFlows": [
{
"streams": [
"Microsoft-ConfigurationChange",
"Microsoft-ConfigurationChangeV2",
"Microsoft-ConfigurationData"
],
"destinations": [
"Microsoft-CT-Dest"
]
}
]
}
},
{
"type": "Microsoft.OperationsManagement/solutions",
"name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]",
"location": "[[parameters('workspaceRegion')]",
"apiVersion": "2015-11-01-preview",
"id": "[Concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.OperationsManagement/solutions/ChangeTracking', '(', variables('workspaceName'), ')')]",
"properties": {
"workspaceResourceId": "[parameters('workspaceResourceId')]"
},
"plan": {
"name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]",
"product": "OMSGallery/ChangeTracking",
"promotionCode": "",
"publisher": "Microsoft"
}
}
]
}
}
}
]
}
執行指令碼
將上述指令碼以 CtDcrCreation.json 為檔名儲存在您的機器上。部署時,workspaceResourceId 參數必須是完整的 Log Analytics 工作區資源識別碼 (格式為 /subscriptions/<訂用帳戶識別碼>/resourceGroups/<資源群組>/providers/Microsoft.OperationalInsights/workspaces/<工作區名稱>),因為範本是以 substring/indexOf 從此字串解析出訂用帳戶、資源群組與工作區名稱,格式不符很可能導致部署失敗。另外,外層範本的 $schema 使用 http 與 2015-01-01 版,內層範本則使用 https 與 2019-04-01 版;建議統一改為 https 的 2019-04-01 版本。如需詳細資訊,請參閱使用 Azure 監視代理程式啟用變更追蹤和清查。
注意
用於設定 Windows 檔案設定的參考 JSON 指令碼 (可用來取代上方範本中 ChangeTracking-Windows 擴充功能的 "fileSettings" 區塊;path 中的 D:\\testing\\* 與 E:\\test1 為範例路徑,請換成實際要監視的路徑)。請注意此片段的索引鍵寫作 "fileinfo",而 Linux 區段使用 "fileInfo",請依實際結構描述確認大小寫:
"fileSettings": {
"fileCollectionFrequency": 2700,
"fileinfo": [
{
"name": "ChangeTrackingCustomPath_witems1",
"enabled": true,
"description": "",
"path": "D:\\testing\\*",
"recurse": true,
"maxContentsReturnable": 5000000,
"maxOutputSize": 500000,
"checksum": "sha256",
"pathType": "File",
"groupTag": "Custom"
},
{
"name": "ChangeTrackingCustomPath_witems2",
"enabled": true,
"description": "",
"path": "E:\\test1",
"recurse": false,
"maxContentsReturnable": 5000000,
"maxOutputSize": 500000,
"checksum": "sha256",
"pathType": "File",
"groupTag": "Custom"
}
]
}
下一步
深入了解使用 Azure 監視代理程式 (預覽版) 管理變更追蹤和清查。