フローログ → コネクタ → メトリック → アラーム → トピック
前提: VCN（サブネット含む）、コンピュートインスタンス作成済。手順中の 0 埋めの OCID はすべてプレースホルダなので、自環境の値に置き換えること。
-- 1. ロググループ作成
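# Step 1: create the log group that will hold the VCN flow log.
# The first `list` is a pre-check for an existing group; the second confirms
# the new group and its lifecycle state.
oci logging log-group list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci logging log-group create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--display-name lg01
# `data` is a list here, so the multiselect hash needs a projection (`data[]`);
# `data.{...}` applied to a list yields a single row of nulls in the table.
oci logging log-group list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table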
-- 2. 取得フィルタ作成
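# Step 2: create the capture filter that decides which flows get logged.
oci network capture-filter list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
# A single INCLUDE rule (priority 0): every protocol towards 10.0.1.0/24, with
# source-cidr left null (presumably "any source" — confirm). flow-log-type ALL
# keeps both accepted and rejected flows; the REJECT-only narrowing happens
# later in the connector, so the log itself retains the full picture for
# investigations. sampling-rate 1 is 1-in-1, i.e. effectively no sampling —
# NOTE(review): revisit if log volume or cost becomes a concern.
oci network capture-filter create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--filter-type FLOWLOG \
--display-name cf01 \
--flow-log-capture-filter-rules '[
{
"destination-cidr": "10.0.1.0/24",
"flow-log-type": "ALL",
"icmp-options": null,
"is-enabled": true,
"priority": 0,
"protocol": "all",
"rule-action": "INCLUDE",
"sampling-rate": 1,
"source-cidr": null,
"tcp-options": null,
"udp-options": null
}
]'
# `data` is a list: use the `data[]` projection, not `data.{...}`.
oci network capture-filter list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table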
-- 3. フロー・ログ有効化
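# Step 3: enable the flow log on the subnet, bound to the capture filter.
oci logging log list \
--log-group-id ocid1.loggroup.oc1.iad.000000000000000000000000000000000000000000000000000000000000
# log-type SERVICE with source.service "flowlogs": a service log emitted for
# the given subnet (enablementPointType Subnet), filtered by the capture filter
# from step 2.
# archiving.is-enabled false: nothing is copied to Object Storage, so records
# live only as long as the log's retention setting (not set here, so the
# service default applies). For incident response, consider enabling archiving
# or setting the retention explicitly so evidence outlives the default window.
oci logging log create \
--display-name fl01 \
--log-group-id ocid1.loggroup.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--log-type SERVICE \
--is-enabled true \
--configuration '{
"archiving": {
"is-enabled": false
},
"compartment-id": "ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000",
"source": {
"category": "subnet",
"parameters": {
"capture_filter": "ocid1.capturefilter.oc1.iad.000000000000000000000000000000000000000000000000000000000000",
"enablementPointType": "Subnet"
},
"resource": "ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000",
"service": "flowlogs",
"source-type": "OCISERVICE"
}
}'
# `data` is a list: use the `data[]` projection, not `data.{...}`.
oci logging log list \
--log-group-id ocid1.loggroup.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--query 'data[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table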
-- 4. サービス・コネクタ作成
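# Step 4: service connector, flow log -> Monitoring metric.
# `--generate-full-command-json-input` only prints a JSON input template to
# stdout; it creates nothing. Kept as a reference for the shapes used below.
oci sch service-connector create --generate-full-command-json-input
# Task filter: only records whose data.action is REJECT reach the target, so
# the resulting metric counts rejected flows only.
cat <<-'EOF' > tasks.json
[
{
"condition": "data.action='REJECT'",
"kind": "logRule"
}
]
EOF
# Source: the flow log from step 3. Target: metric `rejectedtraffic` in the
# custom namespace `vcnlogs`. The connector can only write that metric once
# the policy from step 5 is in place; until then delivery presumably fails.
oci sch service-connector create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--display-name sc01 \
--description sc01 \
--source '{
"kind": "logging",
"logSources": [
{
"compartment-id": "ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000",
"log-group-id": "ocid1.loggroup.oc1.iad.000000000000000000000000000000000000000000000000000000000000",
"log-id": "ocid1.log.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
}
]
}' \
--target '{
"compartment-id": "ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000",
"dimensions": null,
"kind": "monitoring",
"metric": "rejectedtraffic",
"metric-namespace": "vcnlogs"
}' \
--tasks file://tasks.json
# `data.items` is a list: project with `data.items[]`, not `data.items.{...}`.
oci sch service-connector list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--all \
--query 'data.items[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table
# Full detail of the connector, including its lifecycle state and any error.
oci sch service-connector get \
--service-connector-id ocid1.serviceconnector.oc1.iad.000000000000000000000000000000000000000000000000000000000000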
-- 5. ポリシー作成
ポリシーはテナンシ（ルートコンパートメント）に作成する。any-user 許可だが、request.principal.type='serviceconnector'・メトリック名前空間 vcnlogs・コネクタのコンパートメントで条件を絞っている。このポリシーが無いとコネクタはメトリックを書き込めないため、手順 4 より前に作成しておくのが望ましい。コネクタ単位まで絞る場合は request.principal.id にコネクタの OCID を条件として追加できる（要確認）。
# Step 5: let the connector write metrics. any-user is narrowed to principals
# of type serviceconnector that live in this compartment, writing only the
# vcnlogs namespace in the target compartment (the documented Connector Hub ->
# Monitoring pattern). For per-connector scoping, an additional
# request.principal.id='<connector OCID>' condition can be added — verify
# against the IAM policy reference before relying on it.
cat <<-'EOF' > a.json
[
"allow any-user to use metrics in compartment id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 where all {request.principal.type='serviceconnector', target.metrics.namespace='vcnlogs', request.principal.compartment.id='ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000'}"
]
EOF
# Created at the tenancy root (--compartment-id is the tenancy OCID).
oci iam policy create \
--compartment-id ocid1.tenancy.oc1..000000000000000000000000000000000000000000000000000000000000 \
--description policy01 \
--name policy01 \
--statements file://a.json
oci iam policy list \
--compartment-id ocid1.tenancy.oc1..000000000000000000000000000000000000000000000000000000000000
-- 6. トピック作成
# Step 6: Notifications topic that the alarm (step 8) will publish to.
compartment_id=ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci ons topic create --name topic02 --compartment-id "$compartment_id"
# --all fetches every page of results rather than only the first.
oci ons topic list --all --compartment-id "$compartment_id"
-- 7. サブスクリプション作成
# Step 7: e-mail subscription on the topic. The endpoint is a placeholder;
# prefer a monitored team mailbox over a personal address so the alert path
# survives staff changes.
topic_id=ocid1.onstopic.oc1.iad.000000000000000000000000000000000000000000000000000000000000
compartment_id=ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci ons subscription create --protocol EMAIL \
--subscription-endpoint hoge@example.com \
--topic-id "$topic_id" \
--compartment-id "$compartment_id"
oci ons subscription list --compartment-id "$compartment_id"
確認メールが届くので、本文のリンクから subscribe（確認）する。確認するまでサブスクリプションは PENDING のままで、アラーム通知は配信されない。
-- 8. アラーム作成
# Step 8: alarm on the metric. The template command only prints JSON input
# to stdout; it creates nothing.
oci monitoring alarm create --generate-full-command-json-input
# Fires when any rejectedtraffic datapoint lands in a 1-minute window
# (count() > 0), i.e. on a single rejected flow — fine for a lab, noisy in
# production (raise the threshold or scope by dimension there). As written it
# stays silent when no data arrives at all, so a broken log/connector pipeline
# looks the same as "no rejects" — NOTE(review): add a separate pipeline
# health check if that matters. Severity INFO; destination is the topic from
# step 6. --is-notifications-per-metric-dimension-enabled true presumably
# sends one notification per metric dimension rather than one aggregate —
# confirm.
oci monitoring alarm create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--destinations '[
"ocid1.onstopic.oc1.iad.000000000000000000000000000000000000000000000000000000000000"
]' \
--display-name alarm02 \
--is-enabled true \
--metric-compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--namespace "vcnlogs" \
--query-text "rejectedtraffic[1m].count() > 0" \
--severity INFO \
--is-notifications-per-metric-dimension-enabled true
oci monitoring alarm list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
-- 9. 動作確認
拒否されるフローを発生させ（例: 10.0.1.0/24 内のインスタンスに対して、セキュリティルールで許可していないポートへ接続を試みる）、アラームのメールが届くまで待つ。ログ→コネクタ→メトリック→アラームの反映には遅延があるので、しばらく待つこと。
-- 10. クリーンアップ
-- アラーム削除
# Cleanup: alarm. --force skips the interactive confirmation prompt.
alarm_id=ocid1.alarm.oc1.iad.000000000000000000000000000000000000000000000000000000000000
oci monitoring alarm list --compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci monitoring alarm delete --force --alarm-id "$alarm_id"
-- サブスクリプション削除
# Cleanup: subscription. --force skips the interactive confirmation prompt.
subscription_id=ocid1.onssubscription.oc1.iad.000000000000000000000000000000000000000000000000000000000000
oci ons subscription list --compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci ons subscription delete --force --subscription-id "$subscription_id"
-- トピック削除
# Cleanup: topic. --force skips the interactive confirmation prompt.
topic_id=ocid1.onstopic.oc1.iad.000000000000000000000000000000000000000000000000000000000000
oci ons topic list --all --compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci ons topic delete --force --topic-id "$topic_id"
-- サービス・コネクタ削除
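# Cleanup: service connector.
# `data.items` is a list: project with `data.items[]`, not `data.items.{...}`.
oci sch service-connector list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--all \
--query 'data.items[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table
# --force skips the interactive confirmation prompt.
oci sch service-connector delete \
--service-connector-id ocid1.serviceconnector.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force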
-- ポリシー削除
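# Cleanup: policy (lives at the tenancy root, see step 5).
# `data` is a list: use the `data[]` projection, not `data.{...}`.
oci iam policy list \
--compartment-id ocid1.tenancy.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data[].{"name":"name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table
# --force skips the interactive confirmation prompt.
oci iam policy delete \
--policy-id ocid1.policy.oc1..000000000000000000000000000000000000000000000000000000000000 \
--force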
-- フロー・ログ削除
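# Cleanup: flow log. Deleting it stops collection; anything not archived is
# gone once the log's retention window passes.
# `data` is a list: use the `data[]` projection, not `data.{...}`.
oci logging log list \
--log-group-id ocid1.loggroup.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--query 'data[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table
# --force skips the interactive confirmation prompt.
oci logging log delete \
--log-group-id ocid1.loggroup.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--log-id ocid1.log.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force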
-- 取得フィルタ削除
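# Cleanup: capture filter (after the log that referenced it is gone).
# `data` is a list: use the `data[]` projection, not `data.{...}`.
oci network capture-filter list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table
# --force skips the interactive confirmation prompt.
oci network capture-filter delete \
--capture-filter-id ocid1.capturefilter.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force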
-- ロググループ削除
# Cleanup: log group, last — the runbook removes the log inside it first.
# --force skips the interactive confirmation prompt.
log_group_id=ocid1.loggroup.oc1.iad.000000000000000000000000000000000000000000000000000000000000
compartment_id=ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000
oci logging log-group list --output table \
--compartment-id "$compartment_id" \
--query 'data[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}'
oci logging log-group delete --force --log-group-id "$log_group_id"