Updated: 2024-05-11 GMT+08:00

CCE Log Account Operation Audit

The CCE Log Account Operation Audit dashboard mainly displays the number of resources created, the number of resources modified, the number of resources deleted, and the distribution of operations across namespaces.

Prerequisites

Background

Cloud Container Engine (CCE) provides highly scalable, high-performance, enterprise-grade Kubernetes clusters. With CCE, you can easily deploy, manage, and scale containerized applications on Huawei Cloud.

Analyzing Website Access

  1. Log in to the Log Tank Service (LTS) console.
  2. In the navigation pane on the left, choose "Dashboards".
  3. Under the dashboard templates, select the "CCE Log Account Operation Audit" dashboard to view the chart details.

The filters on the CCE Log Account Operation Audit dashboard are described as follows:

  • Username, with the associated query and analysis statement:
    select distinct("user.username")
  • Namespace, with the associated query and analysis statement:
    select distinct("objectRef.namespace")
  • Status code, with the associated query and analysis statement:
    select distinct("responseStatus.code")

Key Charts

The key charts on the CCE Log Account Operation Audit dashboard are described as follows:

  • Resources created, with the associated query and analysis statement:
    select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "verb" = 'create') )
  • Resources modified, with the associated query and analysis statement:
    select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*)   as "total" from log where "verb" in ('update','patch')) )
  • Resources deleted, with the associated query and analysis statement:
    select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(*)   as "total" from log where "verb" = 'delete') )
  • Operation distribution by namespace, with the associated query and analysis statement:
    select case when "objectRef.namespace" is null then '_all__' else "objectRef.namespace" end as ns, count(1) as total group by  ns  limit 10000
  • Deleted resource distribution, with the associated query and analysis statement:
    SELECT "objectRef.resource" as "resource", count(1) as "count" where  "verb" = 'delete' group by "resource"
  • Operation track, with the associated query and analysis statement:
    select case  when "操作" is null then '无' else "操作" end as "操作", "时间", v from  (select concat(CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource"  end, '[', verb, ']'  ) as "操作", time_series(__time, 'PT1H', 'yyyy-MM-dd HH', '0') as "时间", count(1) as v  from  log where "verb" in ('create', 'patch',  'update', 'delete')  group by "操作", "时间" order by "时间" desc  limit  10000  )
  • Resource operation distribution, with the associated query and analysis statement:
    select CASE WHEN "objectRef.subresource" is null then "objectRef.resource" else "objectRef.subresource" end as "资源", verb as "操作", count(1) as total where "verb" in ('create','update','patch','delete') group by "资源", "操作" limit 10000
  • Created resource list, with the associated query and analysis statement:
    SELECT "auditID" as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", "requestObject" as "详细内容" where "verb" = 'create' order by __time desc limit 1000
  • Modified resource list, with the associated query and analysis statement (the verb filter must read 'update'; a misspelled verb would match no events):
    SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间","requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" in ('update','patch') order by __time desc limit 1000
  • Resource access list, with the associated query and analysis statement:
    SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" in ('get','list') order by __time desc limit 1000
  • Deleted resource list, with the associated query and analysis statement:
    SELECT auditID as "事件ID", time_format("__time",'yyyy-MM-dd HH:mm:ss') as "操作时间", "requestURI" as "资源", "objectRef.name" as "资源名", "responseStatus.code" as "状态码","sourceIPs" as "源地址", requestObject as "详细内容" where "verb" = 'delete' order by __time desc limit 1000