文档首页> 云日志服务 LTS> 用户指南> 日志应用> CCE日志中心> CCE日志审计中心

更新时间：2024-05-11 GMT+08:00

查看PDF

CCE日志审计中心

CCE日志审计中心仪表盘主要展示总审计记录数、操作用户数、活跃节点数、异常访问次数等。

前提条件

已采集CCE日志，详情请参见云容器引擎CCE应用日志接入LTS。
日志配置结构化，详情请参见结构化配置。

背景信息

云容器引擎（Cloud Container Engine，简称CCE）提供高度可扩展的、高性能的企业级Kubernetes集群。借助云容器引擎，您可以在华为云上轻松部署、管理和扩展容器化应用程序。

分析网站访问情况

登录云日志服务控制台。
在左侧导航栏中选择“仪表盘 ”。
在仪表盘模板下方，选择“CCE日志审计中心”仪表盘，查看图表详情。

CCE日志审计中心仪表盘中的过滤器说明如下所示：

命名空间，所关联的查询分析语句如下所示：
```
select distinct("objectRef.namespace")
```
操作用户，所关联的查询分析语句如下所示：
```
select distinct("user.username")
```
操作类型，所关联的查询分析语句如下所示：
```
select distinct("verb")
```
状态码，所关联的查询分析语句如下所示：
```
select distinct("responseStatus.code")
```
资源对象，所关联的查询分析语句如下所示：
```
select distinct("objectRef.name")
```
资源类型，所关联的查询分析语句如下所示：
```
select distinct("objectRef.resource")
```
请求URL，所关联的查询分析语句如下所示：
```
select distinct("requestURI")
```
UserAgent，所关联的查询分析语句如下所示：
```
select distinct("userAgent")
```

重要图表说明

CCE日志审计中心仪表盘中重要图表说明如下所示：

总审计记录数，所关联的查询分析语句如下所示：

select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log ) )

操作用户数，所关联的查询分析语句如下所示：

select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc"  from (select compare( total , 86400) as diff from( select count(distinct("user.username")) as total from log ) )

活跃节点数，所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(DISTINCT "user.username") as total     from log where "objectRef.resource" = 'nodes' and "objectRef.subresource" = 'status' and "verb" in ('update','put','patch') and "user.username" in ('node','system')) )

异常访问次数，所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where "responseStatus.code" >= 400) )

敏感操作次数，所关联的查询分析语句如下所示：

select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1)  as "total" from log where ("verb" = 'create' AND "objectRef.subresource" = 'exec') OR ("verb" = 'create' AND "objectRef.subresource" = 'attach' AND "objectRef.resource" = 'pods') OR ("objectRef.resource" = 'secrets' AND "verb"= 'get' AND ( "user.username" != 'apiserver') AND ("user.username" not like 'system:node:%')) OR ("verb"= 'delete' AND ( "user.username" not like 'system:node:%') AND ( "user.username" not like 'system:serviceaccount:kube-system:%') AND ( "user.username" != 'system:apiserve') AND ( "user.username" != 'system:apiserve') AND ( "user.username" != 'system:kube-scheduler') AND ("user.username" != 'system:kube-controller-manager'))) )

创建操作次数，所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where verb = 'create') )

更新操作次数，所关联的查询分析语句如下所示：

select diff[1] as "total" , round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc"  from (select compare( total , 86400) as diff from( select count(1) as total from log where verb in ('update','patch')) )

删除操作次数，所关联的查询分析语句如下所示：

select diff[1] as "total", round((diff[1] - diff[2]) / diff[2] * 100 , 2 ) as "inc" from (select compare( total , 86400) as diff from( select count(1) as total from log where verb = 'delete') )

操作用户分布，所关联的查询分析语句如下所示：

select "user.username" as "用户名", count(*) as "count"  group by "用户名" order by "count" desc

命名空间分布，所关联的查询分析语句如下所示：

select "objectRef.namespace" as "命名空间", count(*) as "count"  group by "命名空间"

资源类型分布，所关联的查询分析语句如下所示：

select "objectRef.resource" as "资源类型", count(*) as "count"  group by "资源类型" order by "count" desc limit 20

操作类型分布，所关联的查询分析语句如下所示：

select verb as "操作类型", count(*) as "count" group by "操作类型" order by "count" desc

节点操作分布，所关联的查询分析语句如下所示：

select "verb" as "操作类型", count(*) as "count" where  "objectRef.resource" = 'nodes' AND ("verb" in ('create','delete') ) group by "操作类型" order by "count" desc

状态码分布，所关联的查询分析语句如下所示：

select cast("responseStatus.code" as varchar) as "状态码", count(*) as "count" group by "状态码" order by "count" desc

工作负载操作分布，所关联的查询分析语句如下所示：

select "verb" as "操作类型", count(*) as "count" where "verb" in ('create', 'delete') and "objectRef.resource" in ('deployments','statefulsets','daemonsets','jobs','cronjobs') group by "操作类型" order by "count" desc

Service/Ingress操作分布，所关联的查询分析语句如下所示：

select "verb" as "操作类型", count(*) as "count" where "verb" in ('create', 'delete') and "objectRef.resource" in ('ingressess','services') group by "verb"  order by "count" desc

重要操作趋势，所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT("stageTimestamp", 16),'T',' ') AS "dt", "verb", count(*) as "count" where "verb" in ('create','delete','update','patch') group by "dt", "verb" order by "dt" limit 10000

非系统用户操作趋势，所关联的查询分析语句如下所示：

SELECT REPLACE(LEFT("stageTimestamp", 16),'T',' ') AS "dt", count(*) as "count", "user.username" as "用户名称" where "user.username" not in ('kube-controller-manager','kube-apiserver-kubelet-client','system','apiserver') group by "dt", "用户名称" order by "dt" limit 10000

父主题： CCE日志中心

上一篇：CCE日志账号操作审计

下一篇：CDN日志中心

意见反馈

文档内容是否对您有帮助？

有帮助没帮助

提供反馈

提交成功！非常感谢您的反馈，我们会继续努力做到更好！您可在我的云声建议查看反馈及问题处理状态。

系统繁忙，请稍后重试

在使用文档中是否遇到以下问题

内容与产品页面不一致

内容不易理解

缺失示例代码

步骤不可操作

搜不到想要的内容

缺少最佳实践

意见反馈（选填）

0/500

请至少选择一项反馈信息并填写问题反馈

字符长度不能超过500

直接提交取消

如您有其它疑问，您也可以通过华为云社区问答频道来与我们联系探讨

智能客服提问云社区提问

CCE日志审计中心

前提条件

背景信息

相关文档

相关产品

意见反馈

文档内容是否对您有帮助？

7*24

备案

专业服务

退订

建议反馈

售前咨询热线