

Queries for the Syslog table

For information about using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.

Find Linux kernel events

Find events reported by the Linux kernel process about killed processes.

// To create an alert for this query, click '+ New alert rule'
Syslog
| where ProcessName == "kernel" and SyslogMessage contains "Killed process"

All Syslog

Last 100 Syslog records.

Syslog 
| top 100 by TimeGenerated desc

All Syslog with errors

Last 100 Syslog records with errors.

Syslog 
| where SeverityLevel == "err" or  SeverityLevel == "error"
| top 100 by TimeGenerated desc

All Syslog by facility

All Syslog records by facility.

Syslog 
| summarize count() by Facility

All Syslog by process name

All Syslog records by process name.

Syslog 
| summarize count() by ProcessName

Users added to Linux groups, by computer

Lists the computers on which users were added to Linux groups.

Syslog
| where Facility == 'authpriv' and SyslogMessage has 'to group' and (SyslogMessage has 'add' or SyslogMessage has 'added')
| summarize by Computer

New Linux groups created, by computer

Lists the computers on which new Linux groups were created.

Syslog
| where Facility == 'authpriv' and SyslogMessage has 'new group'
| summarize count() by Computer

Failed Linux user password changes

Lists failed Linux user password changes, by computer.

Syslog
| where Facility == 'authpriv' and ((SyslogMessage has 'passwd:chauthtok' and SyslogMessage has 'authentication failure') or SyslogMessage has 'password change failed')
| summarize count() by Computer

Computers with failed SSH logins

Lists the computers with failed SSH logins.

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'sshd:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and ((SyslogMessage has 'Failed' and SyslogMessage has 'invalid user' and SyslogMessage has 'ssh2') or SyslogMessage has 'error: PAM: Authentication failure'))
| summarize count() by Computer

Computers with failed su logins

Lists the computers with failed su logins.

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'su:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and SyslogMessage has 'FAILED SU')
| summarize count() by Computer

Computers with failed sudo logins

Lists the computers with failed sudo logins.

Syslog
| where (Facility == 'authpriv' and SyslogMessage has 'sudo:auth' and (SyslogMessage has 'authentication failure' or SyslogMessage has 'conversation failed')) or ((Facility == 'auth' or Facility == 'authpriv') and SyslogMessage has 'user NOT in sudoers')
| summarize count() by Computer
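The three failed-login queries above (SSH, su, sudo) share one shape: a predicate over Facility and SyslogMessage, then a count by Computer. The Python below is an added example, not code from the Azure Monitor documentation; it replays those predicates over a few constructed Syslog records so the matching can be checked offline. Its `has` function is an assumed approximation of KQL's whole-term, case-insensitive `has` operator (which is also why the group query above has to list both 'add' and 'added').

```python
import re
from collections import Counter

# Approximation of the KQL 'has' operator used by the queries above (assumption):
# case-insensitive match of the whole term or phrase at term boundaries,
# so has("added to group", "add") is False while a substring match is True.
def has(message: str, term: str) -> bool:
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, message, re.IGNORECASE) is not None

def contains(message: str, term: str) -> bool:
    """KQL 'contains': plain case-insensitive substring match."""
    return term.lower() in message.lower()

# Predicates mirroring the three failed-login queries (SSH, su, sudo).
def is_failed_ssh(rec: dict) -> bool:
    f, m = rec["Facility"], rec["SyslogMessage"]
    return (f == "authpriv" and has(m, "sshd:auth") and has(m, "authentication failure")) or (
        f == "auth" and ((has(m, "Failed") and has(m, "invalid user") and has(m, "ssh2"))
                         or has(m, "error: PAM: Authentication failure")))

def is_failed_su(rec: dict) -> bool:
    f, m = rec["Facility"], rec["SyslogMessage"]
    return (f == "authpriv" and has(m, "su:auth") and has(m, "authentication failure")) or (
        f == "auth" and has(m, "FAILED SU"))

def is_failed_sudo(rec: dict) -> bool:
    f, m = rec["Facility"], rec["SyslogMessage"]
    return (f == "authpriv" and has(m, "sudo:auth")
            and (has(m, "authentication failure") or has(m, "conversation failed"))) or (
        f in ("auth", "authpriv") and has(m, "user NOT in sudoers"))

def summarize_by_computer(records, predicate) -> dict:
    """Equivalent of '| where <predicate> | summarize count() by Computer'."""
    return dict(Counter(r["Computer"] for r in records if predicate(r)))

# Constructed sample records (not real data); keys mirror the Syslog table columns.
SAMPLE_SYSLOG = [
    {"Computer": "web01", "Facility": "auth",
     "SyslogMessage": "Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2"},
    {"Computer": "web01", "Facility": "authpriv",
     "SyslogMessage": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5"},
    {"Computer": "db01", "Facility": "auth",
     "SyslogMessage": "FAILED SU (to root) alice on pts/1"},
    {"Computer": "db01", "Facility": "authpriv",
     "SyslogMessage": "bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; COMMAND=/usr/bin/id"},
    {"Computer": "web01", "Facility": "auth",
     "SyslogMessage": "Accepted publickey for deploy from 198.51.100.7 port 51234 ssh2"},
]
```

Calling `summarize_by_computer(SAMPLE_SYSLOG, is_failed_ssh)` returns the per-computer counts the KQL query would produce for the same records; the successful publickey login is correctly left out.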