CCE Log Account Operation Audit
The CCE Log Account Operation Audit dashboard mainly shows the number of resources created, the number of resources modified, the number of resources deleted, and the distribution of operations across namespaces.
Prerequisites
- CCE logs have been collected. For details, see Ingesting Cloud Container Engine (CCE) Application Logs to LTS.
- Log structuring has been configured. For details, see Configuring Structuring.
Background
Cloud Container Engine (CCE) provides highly scalable, high-performance, enterprise-grade Kubernetes clusters. With CCE, you can easily deploy, manage, and scale containerized applications on Huawei Cloud.
Analyzing Account Operations
- Log in to the Log Tank Service (LTS) console.
- In the navigation pane on the left, choose "Dashboards".
- Under the dashboard templates, select the "CCE Log Account Operation Audit" dashboard to view the chart details.
The filters on the CCE Log Account Operation Audit dashboard are described as follows:
- Username. The associated query and analysis statement is:
select distinct("user.username")
- Namespace. The associated query and analysis statement is:
select distinct("objectRef.namespace")
- Status code. The associated query and analysis statement is:
select distinct("responseStatus.code")
Key Charts
The key charts on the CCE Log Account Operation Audit dashboard are described as follows:
- Resources created. The associated query and analysis statement is:
select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "verb" = 'create') )
- Resources modified. The associated query and analysis statement is:
select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*) as "total" from log where "verb" in ('update','patch')) )
- Resources deleted. The associated query and analysis statement is:
select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*) as "total" from log where "verb" = 'delete') )
- Distribution of operations by namespace. The associated query and analysis statement is:
select case when "objectRef.namespace" is null then '_all__' else "objectRef.namespace" end as ns, count(1) as total group by ns limit 10000
- Distribution of deleted resources. The associated query and analysis statement is:
SELECT "objectRef.resource" as "resource", count(1) as "count" where "verb" = 'delete' group by "resource"
- Operation trajectory. The associated query and analysis statement is:
select case when "操作" is null then '无' else "操作" end as "操作", "时间", v from (select concat(CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource" end, '[', verb, ']' ) as "操作", time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "时间", count(1) as v from log where "verb" in ('create', 'patch', 'update', 'delete') group by "操作", "时间" order by "时间" desc limit 10000 )
- Distribution of resource operations. The associated query and analysis statement is:
select CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource" end as "资源", verb as "操作", count(1) as total where "verb" in ('create','update','patch','delete') group by "资源", "操作" limit 10000
- List of created resources. The associated query and analysis statement is:
SELECT "auditID" as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", "requestObject" as "详细内容" where "verb" = 'create' order by __time desc limit 1000
- List of modified resources. The associated query and analysis statement is (the verb filter must match the exact verb name 'update', otherwise update operations are silently omitted from the list):
SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间","requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" in ('update','patch') order by __time desc limit 1000
- List of resource access operations. The associated query and analysis statement is:
SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" in ('get','list') order by __time desc limit 1000
- List of deleted resources. The associated query and analysis statement is:
SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" = 'delete' order by __time desc limit 1000
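The chart queries above all aggregate Kubernetes audit events by verb, namespace and resource, and the three counters compare the last 86400 seconds with the window before it. The following Python is an added example, not code from this page or from LTS, that reproduces those aggregations offline over a constructed set of audit events using the same dotted field names ("verb", "objectRef.namespace", "objectRef.subresource", "responseStatus.code"), so that what each chart reports can be checked against known input. The sample events, the NOW timestamp and all function names are assumptions; one thing it adds that the dashboard formula does not handle is a previous-window total of zero, where (diff[1] - diff[2]) / diff[2] would divide by zero.

```python
"""Offline re-implementation of the CCE account-operation audit aggregations
over constructed Kubernetes audit events (example code, not LTS's own)."""
from collections import Counter
from datetime import datetime, timezone

DAY = 86400  # window length used by compare(total, 86400) in the dashboard
NOW = 1_700_000_000  # constructed "current time": 2023-11-14 22:13:20 UTC
WRITE_VERBS = ("create", "update", "patch", "delete")


def field(event, dotted):
    """Resolve a dotted structured-field name such as "objectRef.namespace"
    against a nested audit event; a missing key yields None (SQL null)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def ev(ts, user, verb, resource, namespace=None, subresource=None, code=200, name="x"):
    """Build a minimal audit event carrying only the fields the charts read."""
    obj = {"resource": resource, "name": name}
    if namespace is not None:
        obj["namespace"] = namespace
    if subresource is not None:
        obj["subresource"] = subresource
    return {"__time": ts, "user": {"username": user}, "verb": verb,
            "objectRef": obj, "responseStatus": {"code": code}}


# Constructed sample, not real cluster data. Events 7 and 8 fall in the
# previous 24-hour window; event 6 and 8 are cluster-scoped (no namespace).
SAMPLE_EVENTS = [
    ev(NOW - 100, "alice", "create", "pods", "default", code=201),
    ev(NOW - 200, "alice", "create", "deployments", "prod", code=201),
    ev(NOW - 300, "bob", "delete", "pods", "default"),
    ev(NOW - 400, "bob", "update", "configmaps", "prod"),
    ev(NOW - 500, "ci-bot", "patch", "deployments", "prod", subresource="scale"),
    ev(NOW - 600, "alice", "list", "nodes"),
    ev(NOW - DAY - 100, "alice", "create", "secrets", "prod", code=201),
    ev(NOW - DAY - 200, "bob", "delete", "nodes"),
]


def count_verbs(events, verbs, start, end):
    """count(1) ... where verb in verbs, restricted to start <= __time < end."""
    return sum(1 for e in events if e["verb"] in verbs and start <= e["__time"] < end)


def compare_window(events, verbs, now=NOW, window=DAY):
    """Mirror the counter queries: total for the last `window` seconds ("total")
    and the percentage change against the preceding window ("inc"), rounded
    to 2 places. The SQL divides by the previous total; here a previous total
    of 0 yields None instead of an error."""
    current = count_verbs(events, verbs, now - window, now)
    previous = count_verbs(events, verbs, now - 2 * window, now - window)
    inc = None if previous == 0 else round((current - previous) / previous * 100, 2)
    return {"total": current, "inc": inc}


def namespace_distribution(events):
    """Operations per namespace; a null namespace is reported as '_all__',
    as the namespace-distribution query does."""
    return Counter(field(e, "objectRef.namespace") or "_all__" for e in events)


def deleted_resource_distribution(events):
    """Deleted objects grouped by objectRef.resource."""
    return Counter(field(e, "objectRef.resource") for e in events if e["verb"] == "delete")


def operation_trajectory(events):
    """Hourly series keyed by 'target[verb]' for write verbs only; the
    subresource replaces the resource when present (e.g. 'scale[patch]')."""
    series = Counter()
    for e in events:
        if e["verb"] not in WRITE_VERBS:
            continue
        target = field(e, "objectRef.subresource") or field(e, "objectRef.resource")
        hour = datetime.fromtimestamp(e["__time"], tz=timezone.utc).strftime("%Y-%m-%d %H")
        series[(f"{target}[{e['verb']}]", hour)] += 1
    return series


if __name__ == "__main__":
    for label, verbs in (("created", ("create",)), ("modified", ("update", "patch")),
                         ("deleted", ("delete",))):
        print(label, compare_window(SAMPLE_EVENTS, verbs))
    print("namespaces", dict(namespace_distribution(SAMPLE_EVENTS)))
    print("deleted by resource", dict(deleted_resource_distribution(SAMPLE_EVENTS)))
    for key, n in sorted(operation_trajectory(SAMPLE_EVENTS).items()):
        print("trajectory", key, n)
```

Running the script shows why the "Resources modified" counter has no change percentage for the sample (no update or patch events in the previous day) and why a read-only "list" of nodes contributes to the namespace distribution as '_all__' but not to the operation trajectory.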