文档首页/ 云日志服务 LTS/ 用户指南/ 日志可视化/ 使用仪表盘将日志可视化/ 日志仪表盘模板/ VPC仪表盘模板
更新时间:2024-08-13 GMT+08:00
查看PDF
分享

VPC仪表盘模板

虚拟私有云(Virtual Private Cloud,VPC)是隔离的、私密的虚拟网络环境。用户可以自由配置VPC内的IP地址段、子网、安全组等子服务,也可以申请弹性带宽和弹性公网IP搭建业务系统。 VPC日志流中记录了虚拟私有云中的流量信息,可以帮助您检查和优化安全组和网络ACL控制规则、监控网络流量、进行网络攻击分析等。

云日志服务支持日志采集向导一站式采集VPC日志,并为VPC日志配置结构化和仪表盘。该仪表盘主要展示VPC日志的Action总次数,ACCEPT总字节数、ACCEPT总包数、REJECT总字节数、REJECT总包数、源地址的Action次数分布、总分钟Action次数、Action分布、流日志记录状态分布、Action次数的源地址运行商分布、Top5字节数的源地址、Top5字节数的目标地址、Top5包数的目标端口、各协议的每分钟包数、弹性网卡。

前提条件

查看VPC流日志

  1. 登录云日志服务控制台,在左侧导航栏中选择“日志管理”。
  2. 在“日志应用”模块中,单击“VPC日志流中心”,选择“进入仪表盘”。
  3. 在仪表盘模板下方,选择“VPC仪表盘模板 > VPC流日志”,查看图表详情。

    • Action总次数图表所关联的查询分析语句如下所示: 
      select CASE WHEN total_actions < 1000 THEN concat(cast( total_actions AS VARCHAR), '次') WHEN total_actions < 1000 * 1000 THEN concat(cast(round(total_actions / 1000.0, 2) AS VARCHAR),'千次') WHEN total_actions < 1000000000 THEN concat(cast(round(total_actions / 1000000.0, 2) AS VARCHAR),'百万次') WHEN total_actions / 1000.0 < 1000000000 THEN concat(cast(round(total_actions / 1000 / 1000000.0, 1) AS VARCHAR),'十亿次') ELSE concat(cast(round(total_actions / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'万亿次') END AS "total_actions" from (select count(1) as total_actions where log_status='OK' and version=1)
    • ACCEPT总字节数图表所关联的查询分析语句如下所示: 
      select CASE WHEN accept_bytes < 1024 THEN concat(cast( accept_bytes AS VARCHAR), 'B') WHEN accept_bytes < 1024 * 1024 THEN concat(cast(round(accept_bytes / 1024, 2) AS VARCHAR),'KB') WHEN accept_bytes < 1000000000 THEN concat(cast(round(accept_bytes /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN accept_bytes / 1000.0 < 1000000000 THEN concat(cast(round(accept_bytes / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(accept_bytes / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "accept_bytes" from (select sum(bytes) as accept_bytes where log_status='OK' and version=1 and action='ACCEPT')
    • ACCEPT总包数图表所关联的查询分析语句如下所示: 
      select CASE WHEN accept_packets < 1024 THEN concat(cast( accept_packets AS VARCHAR), 'B') WHEN accept_packets < 1024 * 1024 THEN concat(cast(round(accept_packets / 1024, 2) AS VARCHAR),'KB') WHEN accept_packets < 1000000000 THEN concat(cast(round(accept_packets /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN accept_packets / 1000.0 < 1000000000 THEN concat(cast(round(accept_packets / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(accept_packets / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "accept_packets" from (select sum(packets) as accept_packets where log_status='OK' and version=1 and action='ACCEPT')
    • REJECT总字节数图表所关联的查询分析语句如下所示: 
      select CASE WHEN reject_bytes < 1024 THEN concat(cast( reject_bytes AS VARCHAR), 'B') WHEN reject_bytes < 1024 * 1024 THEN concat(cast(round(reject_bytes / 1024, 2) AS VARCHAR),'KB') WHEN reject_bytes < 1000000000 THEN concat(cast(round(reject_bytes /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN reject_bytes / 1000.0 < 1000000000 THEN concat(cast(round(reject_bytes / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(reject_bytes / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "reject_bytes" from (select sum(bytes) as reject_bytes where log_status='OK' and version=1 and action='REJECT')
    • REJECT总包数图表所关联的查询分析语句如下所示: 
      select CASE WHEN reject_packets < 1024 THEN concat(cast( reject_packets AS VARCHAR), 'B') WHEN reject_packets < 1024 * 1024 THEN concat(cast(round(reject_packets / 1024, 2) AS VARCHAR),'KB') WHEN reject_packets < 1000000000 THEN concat(cast(round(reject_packets /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN reject_packets / 1000.0 < 1000000000 THEN concat(cast(round(reject_packets / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(reject_packets / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "reject_packets" from (select sum(packets) as reject_packets where log_status='OK' and version=1 and action='REJECT')
    • 源地址的Action次数分布图表所关联的查询分析语句如下所示: 
      select IP_TO_PROVINCE(srcaddr) as province, count(1) as total_actions where IP_TO_COUNTRY (srcaddr) = '中国'  group by province HAVING province not in ('','保留地址','*')
    • 每分钟Action次数图表所关联的查询分析语句如下所示: 
      select TIME_FORMAT(date_trunc('minute', MILLIS_TO_TIMESTAMP("start" * 1000)),'MM-dd HH:mm') as "t", "action", count(1) as "total_actions" where log_status='OK' and version=1 group by "t", "action" order by t asc limit 1000
    • Action分布图表所关联的查询分析语句如下所示: 
      select action, count(1) as total_actions where log_status='OK' and version=1 group by action
    • 流日志记录状态分布图表所关联的查询分析语句如下所示: 
      select log_status, count(1) as total_actions where version=1 group by log_status
    • Action次数的源地址运营商分布图表所关联的查询分析语句如下所示: 
      select ip_to_provider(srcaddr) as src_addr_provider, count(1) as total_actions where log_status='OK' and version=1 group by src_addr_provider order by total_actions desc limit 5
    • Top5字节数的源地址图表所关联的查询分析语句如下所示: 
      select ip_to_provider(srcaddr) as src_addr_provider, count(1) as total_actions where log_status='OK' and version=1 group by src_addr_provider order by total_actions desc limit 5
    • Top5字节数的目标地址图表所关联的查询分析语句如下所示: 
      select dstaddr, sum(bytes) as total_bytes where log_status='OK' and version=1 group by dstaddr order by total_bytes desc limit 5
    • Top5包数的目标端口图表所关联的查询分析语句如下所示: 
      select dstport, sum(packets) as total_packets where log_status='OK' and version=1 group by dstport order by total_packets desc limit 5
    • 各协议的每分钟包数图表所关联的查询分析语句如下所示: 
      select TIME_FORMAT(date_trunc('minute', MILLIS_TO_TIMESTAMP("start" * 1000)),'MM-dd HH:mm') as t, protocol, sum(packets) as total_packets where log_status='OK' and version=1 group by t, protocol order by t asc limit 1000
    • 弹性网卡图表所关联的查询分析语句如下所示: 
      select interface_id as "ID", sum(packets) as '数据包总数量', sum(bytes) as '数据包总大小' where log_status='OK' and version=1 group by "ID"

父主题: 日志仪表盘模板

相关文档