Updated: 2024-02-06 GMT+08:00

VPC Flow Log Center

Log Tank Service (LTS) can collect VPC flow logs in one step through the log collection wizard and configures structuring and a dashboard for them. The dashboard shows: the total number of actions; total ACCEPT bytes; total ACCEPT packets; total REJECT bytes; total REJECT packets; the distribution of action counts by source address; actions per minute; the action distribution; the flow log status distribution; the distribution of action counts by source-address ISP; the top 5 source addresses by bytes; the top 5 destination addresses by bytes; the top 5 destination ports by packets; packets per minute per protocol; and per-NIC totals for elastic network interfaces.

Prerequisites

Background

A Virtual Private Cloud (VPC) is an isolated, private virtual network environment that you request on Huawei Cloud. Inside the VPC you can freely configure IP address ranges, subnets, security groups and other sub-services, and you can request elastic bandwidth and elastic IPs (EIPs) to build business systems. VPC flow logs record traffic information for the VPC and help you check and tune security group and network ACL rules, monitor network traffic, and analyze network attacks. In practice the REJECT charts show what the rules blocked (the first place to look for scans and misconfigured rules), while the ACCEPT charts show what the rules let through.

Analyzing Website Access

  1. Log in to the LTS console and choose "Log Management" in the navigation pane on the left.
  2. In the "Log Applications" area, click "VPC Flow Log Center" and choose "Go to Dashboard".
  3. Click the drop-down box in the upper left corner and, under the dashboard templates, choose "VPC Dashboard Templates > VPC Flow Logs" to view the charts.

The key charts on the VPC flow log dashboard are described below. Every traffic chart filters on log_status='OK' (the data was recorded normally to the selected destination) and version=1 (the flow log record format), so records with any other status or version do not contribute; use the flow log status distribution chart to see how many records were excluded.

  • The Total Actions chart shows the number of flow log records whose log status is OK (data recorded normally to the selected destination) and whose flow log version is 1. The suffixes 次/千次/百万次/十亿次/万亿次 in the output mean times, thousand, million, billion and trillion. The associated query is:
    select CASE WHEN total_actions < 1000 THEN concat(cast( total_actions AS VARCHAR), '次') WHEN total_actions < 1000 * 1000 THEN concat(cast(round(total_actions / 1000.0, 2) AS VARCHAR),'千次') WHEN total_actions < 1000000000 THEN concat(cast(round(total_actions / 1000000.0, 2) AS VARCHAR),'百万次') WHEN total_actions / 1000.0 < 1000000000 THEN concat(cast(round(total_actions / 1000 / 1000000.0, 1) AS VARCHAR),'十亿次') ELSE concat(cast(round(total_actions / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'万亿次') END AS "total_actions" from (select count(1) as total_actions where log_status='OK' and version=1)
  • The Total ACCEPT Bytes chart shows the total size of the packets in flows that the security group or network ACL allowed, for records with log status OK and flow log version 1. Note that the unit thresholds mix binary and decimal factors (KB and MB divide by 1024, but the switch to GB happens at 10^9, GB divides by 1024 x 10^6 and TB by 10^12), so the displayed value is approximate near the unit boundaries. The associated query is:
    select CASE WHEN accept_bytes < 1024 THEN concat(cast( accept_bytes AS VARCHAR), 'B') WHEN accept_bytes < 1024 * 1024 THEN concat(cast(round(accept_bytes / 1024, 2) AS VARCHAR),'KB') WHEN accept_bytes < 1000000000 THEN concat(cast(round(accept_bytes /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN accept_bytes / 1000.0 < 1000000000 THEN concat(cast(round(accept_bytes / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(accept_bytes / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "accept_bytes" from (select sum(bytes) as accept_bytes where log_status='OK' and version=1 and action='ACCEPT')
  • The Total ACCEPT Packets chart shows the total number of packets in flows that the security group or network ACL allowed, for records with log status OK and flow log version 1. The template reuses the byte-formatting expression here, so the chart labels packet counts with B/KB/MB/GB/TB suffixes: read them as packet counts scaled by those factors, not as sizes. The associated query is:
    select CASE WHEN accept_packets < 1024 THEN concat(cast( accept_packets AS VARCHAR), 'B') WHEN accept_packets < 1024 * 1024 THEN concat(cast(round(accept_packets / 1024, 2) AS VARCHAR),'KB') WHEN accept_packets < 1000000000 THEN concat(cast(round(accept_packets /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN accept_packets / 1000.0 < 1000000000 THEN concat(cast(round(accept_packets / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(accept_packets / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "accept_packets" from (select sum(packets) as accept_packets where log_status='OK' and version=1 and action='ACCEPT')
  • The Total REJECT Bytes chart shows the total size of the packets in flows that the security group or network ACL rejected, for records with log status OK and flow log version 1. The same mixed 1024/1000 unit thresholds as in the ACCEPT bytes chart apply. The associated query is:
    select CASE WHEN reject_bytes < 1024 THEN concat(cast( reject_bytes AS VARCHAR), 'B') WHEN reject_bytes < 1024 * 1024 THEN concat(cast(round(reject_bytes / 1024, 2) AS VARCHAR),'KB') WHEN reject_bytes < 1000000000 THEN concat(cast(round(reject_bytes /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN reject_bytes / 1000.0 < 1000000000 THEN concat(cast(round(reject_bytes / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(reject_bytes / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "reject_bytes" from (select sum(bytes) as reject_bytes where log_status='OK' and version=1 and action='REJECT')
  • The Total REJECT Packets chart shows the total number of packets in flows that the security group or network ACL rejected, for records with log status OK and flow log version 1. As with the ACCEPT packets chart, the B/KB/MB/GB/TB suffixes are applied to a packet count. The associated query is:
    select CASE WHEN reject_packets < 1024 THEN concat(cast( reject_packets AS VARCHAR), 'B') WHEN reject_packets < 1024 * 1024 THEN concat(cast(round(reject_packets / 1024, 2) AS VARCHAR),'KB') WHEN reject_packets < 1000000000 THEN concat(cast(round(reject_packets /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN reject_packets / 1000.0 < 1000000000 THEN concat(cast(round(reject_packets / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(reject_packets / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "reject_packets" from (select sum(packets) as reject_packets where log_status='OK' and version=1 and action='REJECT')
  • The Action Count by Source Address chart shows the number of records per source province for source addresses geolocated inside China (IP_TO_COUNTRY(srcaddr) = '中国'), grouped with IP_TO_PROVINCE. Empty results, '保留地址' (reserved addresses, which is what private ranges resolve to) and '*' are filtered out, so internal east-west traffic does not appear here. Unlike the other charts, this one does not filter on log_status or version. The associated query is:
    select IP_TO_PROVINCE(srcaddr) as province, count(1) as total_actions where IP_TO_COUNTRY (srcaddr) = '中国'  group by province HAVING province not in ('','保留地址','*')
  • The Actions per Minute chart shows, per minute, the number of records for each action (ACCEPT or REJECT) with log status OK and flow log version 1. The "start" field is in seconds and is multiplied by 1000 before being converted to a timestamp and truncated to the minute. The associated query is:
    select TIME_FORMAT(date_trunc('minute', MILLIS_TO_TIMESTAMP("start" * 1000)),'MM-dd HH:mm') as "t", "action", count(1) as "total_actions" where log_status='OK' and version=1 group by "t", "action" order by t asc limit 1000
  • The Action Distribution chart shows how records with log status OK and flow log version 1 are split between the actions. The associated query is:
    select action, count(1) as total_actions where log_status='OK' and version=1 group by action
  • The Flow Log Status Distribution chart shows the distribution of log_status values for flow log version 1. It deliberately does not filter on log_status, so it is the one chart that reveals how many records the other charts exclude. The associated query is:
    select log_status, count(1) as total_actions where version=1 group by log_status
  • The Action Count by Source ISP chart shows the top 5 source-address ISPs (resolved with ip_to_provider) by record count, for records with log status OK and flow log version 1. The associated query is:
    select ip_to_provider(srcaddr) as src_addr_provider, count(1) as total_actions where log_status='OK' and version=1 group by src_addr_provider order by total_actions desc limit 5
  • The Top 5 Source Addresses by Bytes chart shows the five source addresses with the largest total bytes, for records with log status OK and flow log version 1. The associated query is:
    select srcaddr, sum(bytes) as total_bytes where log_status='OK' and version=1 group by srcaddr order by total_bytes desc limit 5
  • The Top 5 Destination Addresses by Bytes chart shows the five destination addresses with the largest total bytes, for records with log status OK and flow log version 1. The associated query is:
    select dstaddr, sum(bytes) as total_bytes where log_status='OK' and version=1 group by dstaddr order by total_bytes desc limit 5
  • The Top 5 Destination Ports by Packets chart shows the five destination ports with the largest total packet counts, for records with log status OK and flow log version 1. The associated query is:
    select dstport, sum(packets) as total_packets where log_status='OK' and version=1 group by dstport order by total_packets desc limit 5
  • The Packets per Minute per Protocol chart shows, per minute, the packet count for each IANA protocol number (for example 6 for TCP, 17 for UDP), for records with log status OK and flow log version 1. The associated query is:
    select TIME_FORMAT(date_trunc('minute', MILLIS_TO_TIMESTAMP("start" * 1000)),'MM-dd HH:mm') as t, protocol, sum(packets) as total_packets where log_status='OK' and version=1 group by t, protocol order by t asc limit 1000
  • The Elastic Network Interface chart shows, for each NIC ID that recorded traffic, the total packet count (column alias '数据包总数量') and total bytes (column alias '数据包总大小'), for records with log status OK and flow log version 1. The associated query is:
    select interface_id as "ID", sum(packets) as '数据包总数量', sum(bytes) as '数据包总大小' where log_status='OK' and version=1 group by "ID"
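To show what the dashboard queries above actually compute, here is an added, runnable example. It is not the LTS template's own SQL and not Huawei code: the queries are rewritten for SQLite over constructed flow records that use the field names from this page (version, interface_id, srcaddr, dstaddr, dstport, protocol, packets, bytes, start, action, log_status). The table name vpc_flow, the sample values and the min_ports threshold are assumptions. The humanize function is a single-base alternative to the template's CASE expressions (which mix 1024 and 1000 factors and reuse byte suffixes for packet counts), and the last query goes beyond the dashboard to show the kind of "network attack analysis" pivot the background section mentions: sources whose rejected flows spread across many destination ports.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample flow records (not real traffic). Column names follow the
# dashboard queries on this page; "start" is epoch seconds, as the template's
# MILLIS_TO_TIMESTAMP("start" * 1000) implies. Table name vpc_flow is assumed.
COLUMNS = ("version", "interface_id", "srcaddr", "dstaddr", "dstport",
           "protocol", "packets", "bytes", "start", "action", "log_status")
SAMPLE_FLOWS = [
    (1, "eni-1", "10.0.0.5", "10.0.1.9", 443, 6, 12, 9600, 1704067200, "ACCEPT", "OK"),
    (1, "eni-1", "10.0.0.5", "10.0.1.9", 443, 6, 8, 6400, 1704067230, "ACCEPT", "OK"),
    (1, "eni-2", "203.0.113.7", "10.0.1.9", 22, 6, 1, 60, 1704067260, "REJECT", "OK"),
    (1, "eni-2", "203.0.113.7", "10.0.1.9", 3389, 6, 1, 60, 1704067261, "REJECT", "OK"),
    (1, "eni-2", "203.0.113.7", "10.0.1.9", 445, 6, 1, 60, 1704067262, "REJECT", "OK"),
    (1, "eni-2", "10.0.1.9", "10.0.0.5", 53, 17, 4, 320, 1704067290, "ACCEPT", "OK"),
    # Interval with no captured traffic: non-OK status, no addresses or counters.
    (1, "eni-3", "-", "-", None, None, None, None, 1704067300, "-", "NODATA"),
    # A version-2 record: every chart on the page filters it out.
    (2, "eni-1", "10.0.0.5", "10.0.1.9", 443, 6, 5, 4000, 1704067320, "ACCEPT", "OK"),
]

# The filter every traffic chart on the page applies: recorded data, v1 format.
BASE_FILTER = "log_status = 'OK' AND version = 1"


def load_flows(rows=SAMPLE_FLOWS):
    """Create an in-memory table with the page's field names and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE vpc_flow ({', '.join(COLUMNS)})")
    conn.executemany(
        f"INSERT INTO vpc_flow VALUES ({', '.join('?' * len(COLUMNS))})", rows)
    return conn


def totals(conn, action):
    """Total bytes and packets for one action (the four single-value charts)."""
    row = conn.execute(
        f"SELECT COALESCE(SUM(bytes), 0), COALESCE(SUM(packets), 0) "
        f"FROM vpc_flow WHERE {BASE_FILTER} AND action = ?", (action,)).fetchone()
    return {"bytes": row[0], "packets": row[1]}


def action_distribution(conn):
    """Action distribution chart: record count per action."""
    return dict(conn.execute(
        f"SELECT action, COUNT(1) FROM vpc_flow WHERE {BASE_FILTER} GROUP BY action"))


def log_status_distribution(conn):
    """Status distribution chart: filters on version only, so non-OK rows show up."""
    return dict(conn.execute(
        "SELECT log_status, COUNT(1) FROM vpc_flow WHERE version = 1 GROUP BY log_status"))


def actions_per_minute(conn):
    """Actions per minute: integer bucketing stands in for date_trunc('minute')."""
    rows = conn.execute(
        f"SELECT (start / 60) * 60 AS minute, action, COUNT(1) FROM vpc_flow "
        f"WHERE {BASE_FILTER} GROUP BY minute, action ORDER BY minute, action").fetchall()
    return [(datetime.fromtimestamp(m, timezone.utc).strftime("%m-%d %H:%M"), a, n)
            for m, a, n in rows]


def top_dst_ports(conn, n=5):
    """Top-N destination ports by packet count."""
    return conn.execute(
        f"SELECT dstport, SUM(packets) AS p FROM vpc_flow WHERE {BASE_FILTER} "
        f"GROUP BY dstport ORDER BY p DESC LIMIT ?", (n,)).fetchall()


def per_interface(conn):
    """Elastic network interface chart: packets and bytes per interface_id."""
    return conn.execute(
        f"SELECT interface_id, SUM(packets), SUM(bytes) FROM vpc_flow "
        f"WHERE {BASE_FILTER} GROUP BY interface_id ORDER BY interface_id").fetchall()


def reject_port_scanners(conn, min_ports=3):
    """Beyond the dashboard: sources whose REJECTed flows hit at least min_ports
    distinct destination ports, a first port-scan pivot off the REJECT charts.
    The threshold is an assumption; tune it to the environment."""
    return conn.execute(
        f"SELECT srcaddr, COUNT(DISTINCT dstport) AS ports FROM vpc_flow "
        f"WHERE {BASE_FILTER} AND action = 'REJECT' GROUP BY srcaddr "
        f"HAVING COUNT(DISTINCT dstport) >= ? ORDER BY ports DESC", (min_ports,)).fetchall()


def humanize(value, unit="B", base=1024):
    """Single-base scaling: base=1024 for bytes, base=1000 for plain counts.
    Unlike the template's CASE expressions, one factor is used at every step
    and packet counts are not labelled with byte units."""
    v = float(value)
    for prefix in ("", "K", "M", "G", "T"):
        if v < base:
            return f"{v:g} {prefix}{unit}".strip()
        v /= base
    return f"{v:g} P{unit}".strip()


if __name__ == "__main__":
    db = load_flows()
    for act in ("ACCEPT", "REJECT"):
        t = totals(db, act)
        print(act, humanize(t["bytes"]), humanize(t["packets"], unit="", base=1000))
    print(actions_per_minute(db))
    print(top_dst_ports(db))
    print(per_interface(db))
    print(reject_port_scanners(db))
```

The BASE_FILTER string is a fixed constant, so interpolating it is safe; everything that varies (action, port threshold, limit) is passed as a bound parameter rather than spliced into the query.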