共用方式為


建立資料收集規則的 JSON 指令碼

此指令碼可協助您建立變更追蹤和清除的資料收集規則。

範例指令碼

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "dataCollectionRuleName": {
            "type": "string",
            "metadata": {
                "description": "Specifies the name of the data collection rule to create."
            },
            "defaultValue": "Microsoft-CT-DCR"
        },
        "workspaceResourceId": {
            "type": "string",
            "metadata": {
                "description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data."
            }
        }
    },
    "variables": {
        "subscriptionId": "[substring(parameters('workspaceResourceId'), 15, sub(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 15))]",
        "resourceGroupName": "[substring(parameters('workspaceResourceId'), add(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 16), sub(sub(indexOf(parameters('workspaceResourceId'), '/providers/'), indexOf(parameters('workspaceResourceId'), '/resourceGroups/')),16))]",
        "workspaceName": "[substring(parameters('workspaceResourceId'), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1), sub(length(parameters('workspaceResourceId')), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1)))]"
    },
    "resources": [
        {
            "type": "microsoft.resources/deployments",
            "name": "get-workspace-region",
            "apiVersion": "2020-08-01",
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [],
                    "outputs": {
                        "workspaceLocation": {
                            "type": "string",
                            "value": "[reference(parameters('workspaceResourceId'), '2020-08-01', 'Full').location]"
                        }
                    }
                }
            }
        },
        {
            "type": "microsoft.resources/deployments",
            "name": "CtDcr-Deployment",
            "apiVersion": "2020-08-01",
            "properties": {
                "mode": "Incremental",
                "parameters": {
                    "workspaceRegion": {
                        "value": "[reference('get-workspace-region').outputs.workspaceLocation.value]"
                    }
                },
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                        "workspaceRegion": {
                            "type": "string"
                        }
                    },
                    "resources": [
                        {
                            "type": "Microsoft.Insights/dataCollectionRules",
                            "apiVersion": "2021-04-01",
                            "name": "[parameters('dataCollectionRuleName')]",
                            "location": "[[parameters('workspaceRegion')]",
                            "properties": {
                                "description": "Data collection rule for CT.",
                                "dataSources": {
                                    "extensions": [
                                        {
                                            "streams": [
                                                "Microsoft-ConfigurationChange",
                                                "Microsoft-ConfigurationChangeV2",
                                                "Microsoft-ConfigurationData"
                                            ],
                                            "extensionName": "ChangeTracking-Windows",
                                            "extensionSettings": {
                                                "enableFiles": true,
                                                "enableSoftware": true,
                                                "enableRegistry": true,
                                                "enableServices": true,
                                                "enableInventory": true,
                                                "registrySettings": {
                                                    "registryCollectionFrequency": 3000,
                                                    "registryInfo": [
                                                        {
                                                            "name": "Registry_1",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_2",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_3",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_4",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_5",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_6",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_7",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_8",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_9",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_10",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_11",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_12",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_13",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_14",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_15",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_16",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls",
                                                            "valueName": ""
                                                        },
                                                        {
                                                            "name": "Registry_17",
                                                            "groupTag": "Recommended",
                                                            "enabled": false,
                                                            "recurse": true,
                                                            "description": "",
                                                            "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify",
                                                            "valueName": ""
                                                        }
                                                    ]
                                                },
                                                "fileSettings": {
                                                    "fileCollectionFrequency": 2700
                                                },
                                                "softwareSettings": {
                                                    "softwareCollectionFrequency": 1800
                                                },
                                                "inventorySettings": {
                                                    "inventoryCollectionFrequency": 36000
                                                },
                                                "servicesSettings": {
                                                    "serviceCollectionFrequency": 1800
                                                }
                                            },
                                            "name": "CTDataSource-Windows"
                                        },
                                        {
                                            "streams": [
                                                "Microsoft-ConfigurationChange",
                                                "Microsoft-ConfigurationChangeV2",
                                                "Microsoft-ConfigurationData"
                                            ],
                                            "extensionName": "ChangeTracking-Linux",
                                            "extensionSettings": {
                                                "enableFiles": true,
                                                "enableSoftware": true,
                                                "enableRegistry": false,
                                                "enableServices": true,
                                                "enableInventory": true,
                                                "fileSettings": {
                                                    "fileCollectionFrequency": 900,
                                                    "fileInfo": [
                                                        {
                                                            "name": "ChangeTrackingLinuxPath_default",
                                                            "enabled": true,
                                                            "destinationPath": "/etc/.*.conf",
                                                            "useSudo": true,
                                                            "recurse": true,
                                                            "maxContentsReturnable": 5000000,
                                                            "pathType": "File",
                                                            "type": "File",
                                                            "links": "Follow",
                                                            "maxOutputSize": 500000,
                                                            "groupTag": "Recommended"
                                                        }
                                                    ]
                                                },
                                                "softwareSettings": {
                                                    "softwareCollectionFrequency": 300
                                                },
                                                "inventorySettings": {
                                                    "inventoryCollectionFrequency": 36000
                                                },
                                                "servicesSettings": {
                                                    "serviceCollectionFrequency": 300
                                                }
                                            },
                                            "name": "CTDataSource-Linux"
                                        }
                                    ]
                                },
                                "destinations": {
                                    "logAnalytics": [
                                        {
                                            "workspaceResourceId": "[parameters('workspaceResourceId')]",
                                            "name": "Microsoft-CT-Dest"
                                        }
                                    ]
                                },
                                "dataFlows": [
                                    {
                                        "streams": [
                                            "Microsoft-ConfigurationChange",
                                            "Microsoft-ConfigurationChangeV2",
                                            "Microsoft-ConfigurationData"
                                        ],
                                        "destinations": [
                                            "Microsoft-CT-Dest"
                                        ]
                                    }
                                ]
                            }
                        },
                        {
                            "type": "Microsoft.OperationsManagement/solutions",
                            "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]",
                            "location": "[[parameters('workspaceRegion')]",
                            "apiVersion": "2015-11-01-preview",
                            "id": "[Concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.OperationsManagement/solutions/ChangeTracking', '(', variables('workspaceName'), ')')]",
                            "properties": {
                                "workspaceResourceId": "[parameters('workspaceResourceId')]"
                            },
                            "plan": {
                                "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]",
                                "product": "OMSGallery/ChangeTracking",
                                "promotionCode": "",
                                "publisher": "Microsoft"
                            }
                        }
                    ]
                }
            }
        }
    ]
}

執行指令碼

使用 CtDcrCreation.json 名稱,將上述指令碼儲存在您的機器上。 如需詳細資訊,請參閱使用 Azure 監視代理程式啟用變更追蹤和清查

注意

用於設定 Windows 檔案設定的參考 JSON 指令碼:

"fileSettings": {
       "fileCollectionFrequency": 2700,
       "fileinfo": [
           {
              "name": "ChangeTrackingCustomPath_witems1",
              "enabled": true,
               "description": "",
             "path": "D:\\testing\\*",
              "recurse": true,
              "maxContentsReturnable": 5000000,
              "maxOutputSize": 500000,
              "checksum": "sha256",
              "pathType": "File",
             "groupTag": "Custom"
           },
           {
             "name": "ChangeTrackingCustomPath_witems2",
              "enabled": true,
            "description": "",
              "path": "E:\\test1",
             "recurse": false,
             "maxContentsReturnable": 5000000,
              "maxOutputSize": 500000,
             "checksum": "sha256",
              "pathType": "File",
             "groupTag": "Custom"
          }
      ]
  }

下一步

深入了解使用 Azure 監視代理程式 (預覽版) 管理變更追蹤和清查。