Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
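You can use metric alert capabilities on a predefined set of logs in Azure Monitor Logs. The monitored logs, which can be collected from Azure or from on-premises computers, are converted to metrics and then monitored with metric alert rules, just like any other metric.
Log Analytics workspaces support the following log types:
- Performance counters for Windows and Linux machines (corresponding to the supported Log Analytics workspace metrics)
- Update Management records
- Event data logs
Compared with query-based log search alerts in Azure, the benefits of using metric alerts for logs include:
- Metric alerts offer near-real-time monitoring. They fork data from the log source to make this possible.
- Metric alerts are stateful. They notify you as soon as an alert fires and as soon as it is resolved. Log search alerts are stateless and keep firing at every interval for as long as the alert condition is met.
- Metric alerts provide multiple dimensions. They let you filter on specific values, such as computer and operating system type, without defining a complex query in Log Analytics.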
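Note
A specific metric or dimension is shown only if data for it exists in the chosen period. These metrics are available to customers who have Log Analytics workspaces.
Supported metrics and dimensions for logs
Metric alerts let you use dimensions to filter a metric down to the right level. The full list of metrics supported for logs is equivalent to the list of Log Analytics workspace metrics.
Note
To view a supported metric extracted from a Log Analytics workspace through Azure Monitor - Metrics, you must create a metric alert for logs on that specific metric. The dimensions chosen in the metric alert for logs appear only for exploration through Azure Monitor metrics.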
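Create a metric alert for logs
Metric data from commonly used logs is piped to Azure Monitor metrics before it is processed in Log Analytics. Beyond metric alerts, you can then use the capabilities of the metrics platform, including alerting at a frequency as low as one minute.
Creating a metric alert for logs is a two-part process:
- Use the scheduled query rules API (scheduledQueryRules) to create a rule that extracts metrics from supported logs.
- Create a metric alert for the metric extracted from the log (in step 1), with the Log Analytics workspace as the target resource.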
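Prerequisites
Before you create a metric alert for logs, make sure the following items are set up and available:
- Log Analytics workspace: You must have a valid and active Log Analytics workspace. For more information, see Create a Log Analytics workspace.
- Agent configured for the Log Analytics workspace: An agent must be configured on the Azure virtual machines or on-premises computers to send data to the Log Analytics workspace. For more information, see Azure Monitor Agent overview.
- Supported Log Analytics solutions: The Log Analytics solution should be configured and sending data to the Log Analytics workspace. Supported solutions are performance counters for Windows and Linux, Azure Automation Update Management, and event data.
- Logs configured for the Log Analytics solution: The Log Analytics solution should have the required logs and data enabled that correspond to the supported Log Analytics workspace metrics. For example, the "% Available Memory" counter must first be configured in the performance counters solution.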
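Methods for creating a metric alert for logs
You can create and manage metric alerts by using the Azure portal, Azure Resource Manager templates, the REST API, Azure PowerShell, and the Azure CLI.
After metric alerts for logs are created on a given Log Analytics workspace, they have all the characteristics and functionality of metric alerts, including the payload schema, the applicable quota limits, and the billed price.
For step-by-step details and samples, see Create or edit a metric alert rule. Follow the instructions for managing metric alerts and note the following:
- The target of the metric alert must be a valid Log Analytics workspace.
- The signal chosen for the metric alert on the selected Log Analytics workspace must be of type "Metric".
- Because metrics for logs are multidimensional, you can use dimension filters to filter on specific conditions or resources.
- When you configure the signal logic, you can create a single alert that spans multiple dimension values (such as computer).
- If you use the Azure portal to create a metric alert for logs, the corresponding rule that converts log data into a metric through scheduledQueryRules is created automatically in the background, without any user intervention or action.
- If you don't use the Azure portal to create the metric alert for the selected Log Analytics workspace, you must first manually create an explicit rule that converts log data into a metric by using scheduledQueryRules.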
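Resource Manager templates
To create a metric alert for logs, you can use the following sample Resource Manager templates.
For metric alerts for logs that are created by any means other than the Azure portal, you can use these sample templates to create the scheduledQueryRules-based log-to-metric conversion rule before the metric alert is created. Otherwise, there is no data for the metric alert on logs.
Metric alert for logs with a static threshold
In the following sample template, creation of the metric alert on a static threshold depends on successful creation of the rule that extracts metrics from logs through scheduledQueryRules.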
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"convertRuleDescription": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Description for the log converted to a metric."
}
},
"convertRuleRegion": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the region used by the workspace."
}
},
"convertRuleStatus": {
"type": "string",
"defaultValue": "true",
"metadata": {
"description": "Specifies whether the log conversion rule is enabled."
}
},
"convertRuleMetric": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the metric after extraction is done from logs."
}
},
"alertName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the alert."
}
},
"alertDescription": {
"type": "string",
"defaultValue": "This is a metric alert",
"metadata": {
"description": "Description of the alert."
}
},
"alertSeverity": {
"type": "int",
"defaultValue": 3,
"allowedValues": [
0,
1,
2,
3,
4
],
"metadata": {
"description": "Severity of the alert {0,1,2,3,4}."
}
},
"isEnabled": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Specifies whether the alert is enabled."
}
},
"resourceId": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Full resource ID of the resource emitting the metric that will be used for the comparison. For example: /subscriptions/00000000-0000-0000-0000-0000-00000000/resourceGroups/ResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
}
},
"metricName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the metric used in the comparison to activate the alert."
}
},
"operator": {
"type": "string",
"defaultValue": "GreaterThan",
"allowedValues": [
"Equals",
"NotEquals",
"GreaterThan",
"GreaterThanOrEqual",
"LessThan",
"LessThanOrEqual"
],
"metadata": {
"description": "Operator comparing the current value with the threshold value."
}
},
"threshold": {
"type": "string",
"defaultValue": "0",
"metadata": {
"description": "The threshold value at which the alert is activated."
}
},
"timeAggregation": {
"type": "string",
"defaultValue": "Average",
"allowedValues": [
"Average",
"Minimum",
"Maximum",
"Total"
],
"metadata": {
"description": "How the data that's collected should be combined over time."
}
},
"windowSize": {
"type": "string",
"defaultValue": "PT5M",
"metadata": {
"description": "Period of time used to monitor alert activity based on the threshold. Must be between five minutes and one day. ISO 8601 duration format."
}
},
"evaluationFrequency": {
"type": "string",
"defaultValue": "PT1M",
"metadata": {
"description": "How often the metric alert is evaluated, represented in ISO 8601 duration format."
}
},
"actionGroupId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The ID of the action group that's triggered when the alert is activated or deactivated."
}
}
},
"variables": {
"convertRuleSourceWorkspace": {
"SourceId": "/subscriptions/1234-56789-1234-567a/resourceGroups/resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
}
},
"resources": [
{
"name": "[parameters('alertName')]",
"type": "Microsoft.Insights/scheduledQueryRules",
"apiVersion": "2018-04-16",
"location": "[parameters('convertRuleRegion')]",
"properties": {
"description": "[parameters('convertRuleDescription')]",
"enabled": "[parameters('convertRuleStatus')]",
"source": {
"dataSourceId": "[variables('convertRuleSourceWorkspace').SourceId]"
},
"action": {
"odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction",
"criteria": [{
"metricName": "[parameters('convertRuleMetric')]",
"dimensions": []
}
]
}
}
},
{
"name": "[parameters('alertName')]",
"type": "Microsoft.Insights/metricAlerts",
"location": "global",
"apiVersion": "2018-03-01",
"tags": {},
"dependsOn":["[resourceId('Microsoft.Insights/scheduledQueryRules',parameters('alertName'))]"],
"properties": {
"description": "[parameters('alertDescription')]",
"severity": "[parameters('alertSeverity')]",
"enabled": "[parameters('isEnabled')]",
"scopes": ["[parameters('resourceId')]"],
"evaluationFrequency":"[parameters('evaluationFrequency')]",
"windowSize": "[parameters('windowSize')]",
"criteria": {
"odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria",
"allOf": [
{
"name" : "1st criterion",
"metricName": "[parameters('metricName')]",
"dimensions":[],
"operator": "[parameters('operator')]",
"threshold" : "[parameters('threshold')]",
"timeAggregation": "[parameters('timeAggregation')]"
}
]
},
"actions": [
{
"actionGroupId": "[parameters('actionGroupId')]"
}
]
}
}
]
}
If you save the preceding JSON as metricfromLogsAlertStatic.json, you can pair it with a parameter JSON file for Resource Manager template-based creation. Here is a sample parameter JSON file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"convertRuleDescription": {
"value": "Test rule to extract metrics from logs via template"
},
"convertRuleRegion": {
"value": "China East"
},
"convertRuleStatus": {
"value": "true"
},
"convertRuleMetric": {
"value": "Average_% Idle Time"
},
"alertName": {
"value": "TestMetricAlertonLog"
},
"alertDescription": {
"value": "New multidimensional metric alert created via template"
},
"alertSeverity": {
"value":3
},
"isEnabled": {
"value": true
},
"resourceId": {
"value": "/subscriptions/1234-56789-1234-567a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
},
"metricName":{
"value": "Average_% Idle Time"
},
"operator": {
"value": "GreaterThan"
},
"threshold":{
"value": "1"
},
"timeAggregation":{
"value": "Average"
},
"actionGroupId": {
"value": "/subscriptions/1234-56789-1234-567a/resourceGroups/myRG/providers/microsoft.insights/actionGroups/actionGroupName"
}
}
}
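Assuming the preceding parameter file is saved as metricfromLogsAlertStatic.parameters.json, you can create the metric alert for logs as described in the article on creating resources with a Resource Manager template in the Azure portal.
Alternatively, you can use the following Azure PowerShell command:
New-AzResourceGroupDeployment -ResourceGroupName "myRG" -TemplateFile metricfromLogsAlertStatic.json -TemplateParameterFile metricfromLogsAlertStatic.parameters.json
Or, you can deploy the Resource Manager template by using the Azure CLI: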
az deployment group create --resource-group myRG --template-file metricfromLogsAlertStatic.json --parameters @metricfromLogsAlertStatic.parameters.json
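Metric alert for logs with a dynamic threshold
In the following sample template, creation of the metric alert on a dynamic threshold depends on successful creation of the rule that extracts metrics from logs through scheduledQueryRules.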
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"convertRuleDescription": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Description for the log converted to a metric."
}
},
"convertRuleRegion": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the region used by the workspace."
}
},
"convertRuleStatus": {
"type": "string",
"defaultValue": "true",
"metadata": {
"description": "Specifies whether the log conversion rule is enabled."
}
},
"convertRuleMetric": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the metric after extraction is done from logs."
}
},
"alertName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the alert."
}
},
"alertDescription": {
"type": "string",
"defaultValue": "This is a metric alert",
"metadata": {
"description": "Description of the alert."
}
},
"alertSeverity": {
"type": "int",
"defaultValue": 3,
"allowedValues": [
0,
1,
2,
3,
4
],
"metadata": {
"description": "Severity of the alert {0,1,2,3,4}."
}
},
"isEnabled": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Specifies whether the alert is enabled."
}
},
"resourceId": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Full resource ID of the resource emitting the metric that will be used for the comparison. For example: /subscriptions/00000000-0000-0000-0000-0000-00000000/resourceGroups/ResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
}
},
"metricName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Name of the metric used in the comparison to activate the alert."
}
},
"operator": {
"type": "string",
"defaultValue": "GreaterOrLessThan",
"allowedValues": [
"GreaterThan",
"LessThan",
"GreaterOrLessThan"
],
"metadata": {
"description": "Operator comparing the current value with the threshold value."
}
},
"alertSensitivity": {
"type": "string",
"defaultValue": "Medium",
"allowedValues": [
"High",
"Medium",
"Low"
],
"metadata": {
"description": "Tunes how 'noisy' the alerts for dynamic thresholds will be. 'High' will result in more alerts. 'Low' will result in fewer alerts."
}
},
"numberOfEvaluationPeriods": {
"type": "string",
"defaultValue": "4",
"metadata": {
"description": "The number of periods to check in the alert evaluation."
}
},
"minFailingPeriodsToAlert": {
"type": "string",
"defaultValue": "3",
"metadata": {
"description": "The number of unhealthy periods to alert on (must be lower or equal to numberOfEvaluationPeriods)."
}
},
"timeAggregation": {
"type": "string",
"defaultValue": "Average",
"allowedValues": [
"Average",
"Minimum",
"Maximum",
"Total"
],
"metadata": {
"description": "How the data that's collected should be combined over time."
}
},
"windowSize": {
"type": "string",
"defaultValue": "PT5M",
"metadata": {
"description": "Period of time used to monitor alert activity based on the threshold. Must be between five minutes and one day. ISO 8601 duration format."
}
},
"evaluationFrequency": {
"type": "string",
"defaultValue": "PT1M",
"metadata": {
"description": "How often the metric alert is evaluated, represented in ISO 8601 duration format."
}
},
"actionGroupId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The ID of the action group that's triggered when the alert is activated or deactivated."
}
}
},
"variables": {
"convertRuleSourceWorkspace": {
"SourceId": "/subscriptions/1234-56789-1234-567a/resourceGroups/resourceGroupName/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
}
},
"resources": [
{
"name": "[parameters('alertName')]",
"type": "Microsoft.Insights/scheduledQueryRules",
"apiVersion": "2018-04-16",
"location": "[parameters('convertRuleRegion')]",
"properties": {
"description": "[parameters('convertRuleDescription')]",
"enabled": "[parameters('convertRuleStatus')]",
"source": {
"dataSourceId": "[variables('convertRuleSourceWorkspace').SourceId]"
},
"action": {
"odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.LogToMetricAction",
"criteria": [{
"metricName": "[parameters('convertRuleMetric')]",
"dimensions": []
}
]
}
}
},
{
"name": "[parameters('alertName')]",
"type": "Microsoft.Insights/metricAlerts",
"location": "global",
"apiVersion": "2018-03-01",
"tags": {},
"dependsOn":["[resourceId('Microsoft.Insights/scheduledQueryRules',parameters('alertName'))]"],
"properties": {
"description": "[parameters('alertDescription')]",
"severity": "[parameters('alertSeverity')]",
"enabled": "[parameters('isEnabled')]",
"scopes": ["[parameters('resourceId')]"],
"evaluationFrequency":"[parameters('evaluationFrequency')]",
"windowSize": "[parameters('windowSize')]",
"criteria": {
"odata.type": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria",
"allOf": [
{
"criterionType": "DynamicThresholdCriterion",
"name" : "1st criterion",
"metricName": "[parameters('metricName')]",
"dimensions":[],
"operator": "[parameters('operator')]",
"alertSensitivity": "[parameters('alertSensitivity')]",
"failingPeriods": {
"numberOfEvaluationPeriods": "[parameters('numberOfEvaluationPeriods')]",
"minFailingPeriodsToAlert": "[parameters('minFailingPeriodsToAlert')]"
},
"timeAggregation": "[parameters('timeAggregation')]"
}
]
},
"actions": [
{
"actionGroupId": "[parameters('actionGroupId')]"
}
]
}
}
]
}
If you save the preceding JSON as metricfromLogsAlertDynamic.json, you can pair it with a parameter JSON file for Resource Manager template-based creation. Here is a sample parameter JSON file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"convertRuleDescription": {
"value": "Test rule to extract metrics from logs via template"
},
"convertRuleRegion": {
"value": "China East"
},
"convertRuleStatus": {
"value": "true"
},
"convertRuleMetric": {
"value": "Average_% Idle Time"
},
"alertName": {
"value": "TestMetricAlertonLog"
},
"alertDescription": {
"value": "New multidimensional metric alert created via template"
},
"alertSeverity": {
"value":3
},
"isEnabled": {
"value": true
},
"resourceId": {
"value": "/subscriptions/1234-56789-1234-567a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
},
"metricName":{
"value": "Average_% Idle Time"
},
"operator": {
"value": "GreaterOrLessThan"
},
"alertSensitivity": {
"value": "Medium"
},
"numberOfEvaluationPeriods": {
"value": "4"
},
"minFailingPeriodsToAlert": {
"value": "3"
},
"timeAggregation":{
"value": "Average"
},
"actionGroupId": {
"value": "/subscriptions/1234-56789-1234-567a/resourceGroups/myRG/providers/microsoft.insights/actionGroups/actionGroupName"
}
}
}
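Assuming the preceding parameter file is saved as metricfromLogsAlertDynamic.parameters.json, you can create the metric alert for logs as described in the article on creating resources with a Resource Manager template in the Azure portal.
Alternatively, you can use the following Azure PowerShell command:
New-AzResourceGroupDeployment -ResourceGroupName "myRG" -TemplateFile metricfromLogsAlertDynamic.json -TemplateParameterFile metricfromLogsAlertDynamic.parameters.json
Or, you can deploy the Resource Manager template by using the Azure CLI: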
az deployment group create --resource-group myRG --template-file metricfromLogsAlertDynamic.json --parameters @metricfromLogsAlertDynamic.parameters.json
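The following pre-deployment check is an added example, not part of the original article or of any Azure tooling. It lints a template and parameter file of the kind shown in the static and dynamic sections for mistakes that leave a log metric alert without data or without anyone to notify; the function name, the finding labels, and the trimmed sample input are constructed for illustration.

```python
def lint_log_metric_alert(template, param_file):
    """Return findings for a log-to-metric alert template and its parameter file."""
    declared = template.get("parameters", {})
    supplied = param_file.get("parameters", {})
    def value(name):
        # Value from the parameter file, else the template's defaultValue.
        if name in supplied:
            return supplied[name]["value"]
        return declared.get(name, {}).get("defaultValue")
    findings = []
    # The conversion rule must emit the same metric that the alert evaluates.
    if value("convertRuleMetric") != value("metricName"):
        findings.append("metric-name-mismatch")
    # The rule's source workspace is hard-coded in variables; it must be the alert scope.
    source = template["variables"]["convertRuleSourceWorkspace"]["SourceId"]
    if source.lower() != str(value("resourceId")).lower():
        findings.append("workspace-mismatch")
    # An empty action group ID leaves the alert with nobody to notify.
    if not value("actionGroupId"):
        findings.append("no-action-group")
    # Dynamic-threshold template only: failing periods cannot exceed evaluated periods.
    if "minFailingPeriodsToAlert" in declared and int(
            value("minFailingPeriodsToAlert")) > int(value("numberOfEvaluationPeriods")):
        findings.append("failing-periods-too-high")
    # The metric alert must be deployed after the conversion rule it reads from.
    for res in template["resources"]:
        if res["type"] == "Microsoft.Insights/metricAlerts" and not any(
                "scheduledQueryRules" in dep for dep in res.get("dependsOn", [])):
            findings.append("missing-dependsOn")
    return findings

# Constructed sample: a trimmed-down dynamic-threshold template and parameter file.
WORKSPACE = "/subscriptions/1234-56789-1234-567a/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/workspaceName"
SAMPLE_TEMPLATE = {
    "parameters": {"actionGroupId": {"type": "string", "defaultValue": ""},
                   "numberOfEvaluationPeriods": {"type": "string", "defaultValue": "4"},
                   "minFailingPeriodsToAlert": {"type": "string", "defaultValue": "3"}},
    "variables": {"convertRuleSourceWorkspace": {"SourceId": WORKSPACE.format("resourceGroupName")}},
    "resources": [{"type": "Microsoft.Insights/scheduledQueryRules"},
                  {"type": "Microsoft.Insights/metricAlerts", "dependsOn": []}],
}
SAMPLE_PARAMS = {"parameters": {
    "convertRuleMetric": {"value": "Average_% Idle Time"},
    "metricName": {"value": "Average_% Idle Time"},
    "resourceId": {"value": WORKSPACE.format("myRG")},
    "minFailingPeriodsToAlert": {"value": "5"}}}

if __name__ == "__main__":
    print(lint_log_metric_alert(SAMPLE_TEMPLATE, SAMPLE_PARAMS))
```

The workspace check matters for the sample files on this page as written: the SourceId placeholder in the template's variables names resourceGroupName, while the parameter file's resourceId names myRG, so both must be edited to point at the same workspace before deployment.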
Related content
- Learn more about metric alerts.
- Learn about log search alerts in Azure.
- Learn about alerts in Azure.