Azure Monitor 中的 Azure AD 活动日志Azure AD activity logs in Azure Monitor

可将 Azure Active Directory (Azure AD) 活动日志路由到多个终结点以便长期保留以及获取数据见解。You can route Azure Active Directory (Azure AD) activity logs to several endpoints for long term retention and data insights. 可以使用此功能实现以下操作:This feature allows you to:

  • 将 Azure AD 活动日志存档到 Azure 存储帐户,以便长期保留数据Archive Azure AD activity logs to an Azure storage account, to retain the data for a long time.
  • 使用常用的安全信息和事件管理 (SIEM) 工具(例如 Splunk 和 QRadar)将 Azure AD 活动日志流式传输到 Azure 事件中心进行分析。Stream Azure AD activity logs to an Azure event hub for analytics, using popular Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.
  • 将 Azure AD 活动日志流式传输到事件中心,以便与自定义日志解决方案集成。Integrate Azure AD activity logs with your own custom log solutions by streaming them to an event hub.
  • 将 Azure AD 活动日志发送到 Azure Monitor 日志,以启用丰富的可视化效果以及对连接数据的监视和警报。Send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data.


本文最近已更新,从使用术语“Log Analytics”改为使用术语“Azure Monitor 日志”。This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. 日志数据仍然存储在 Log Analytics 工作区中,并仍然由同一 Log Analytics 服务收集并分析。Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. 我们正在更新术语,以便更好地反映 Azure Monitor 中日志的角色。We are updating the terminology to better reflect the role of logs in Azure Monitor. 有关详细信息,请参阅 Azure Monitor 术语更改See Azure Monitor terminology changes for details.

支持的报表Supported reports

可以使用此功能将 Azure AD 活动日志和登录日志路由到 Azure 存储帐户、事件中心、Azure Monitor 日志或自定义解决方案。You can route Azure AD audit logs and sign-in logs to your Azure storage account, event hub, Azure Monitor logs or custom solution by using this feature.

  • 审核日志:可以通过审核日志活动报表访问在租户中执行的每个任务的历史记录。Audit logs: The audit logs activity report gives you access to the history of every task that's performed in your tenant.
  • 登录日志:可以通过登录活动报表来确定谁执行了审核日志中报告的任务。Sign-in logs: With the sign-in activity report, you can determine who performed the tasks that are reported in the audit logs.


目前不支持 B2C 相关的审核和登录活动日志。B2C-related audit and sign-in activity logs are not supported at this time.


若要使用此功能,需满足以下条件:To use this feature, you need:

  • Azure 订阅。An Azure subscription. 如果没有 Azure 订阅,可以注册试用版If you don't have an Azure subscription, you can sign up for a trial.
  • 在 Azure 门户中访问 Azure AD 审核日志所需的 Azure AD Free、Basic、Premium 1 或 Premium 2 许可证Azure AD Free, Basic, Premium 1, or Premium 2 license, to access the Azure AD audit logs in the Azure portal.
  • Azure AD 租户。An Azure AD tenant.
  • 一个是 Azure AD 租户的全局管理员或安全管理员的用户。 A user who's a global administrator or security administrator for the Azure AD tenant.
  • 在 Azure 门户中访问 Azure AD 登录日志所需的 Azure AD Premium 1 或 Premium 2 许可证Azure AD Premium 1, or Premium 2 license, to access the Azure AD sign-in logs in the Azure portal.

根据审核日志数据要路由到的位置,需满足以下条件之一:Depending on where you want to route the audit log data, you need either of the following:

  • 你对其拥有 ListKeys 权限的 Azure 存储帐户。An Azure storage account that you have ListKeys permissions for. 建议使用常规存储帐户而非 Blob 存储帐户。We recommend that you use a general storage account and not a Blob storage account. 有关存储定价信息,请参阅 Azure 存储定价计算器For storage pricing information, see the Azure Storage pricing calculator.
  • 用于与第三方解决方案集成的 Azure 事件中心命名空间。An Azure Event Hubs namespace to integrate with third-party solutions.
  • 用于将日志发送到 Azure Monitor 日志的 Azure Log Analytics 工作区。An Azure Log Analytics workspace to send logs to Azure Monitor logs.

成本注意事项Cost considerations

如果已经有 Azure AD 许可证,则还需要一个 Azure 订阅才能设置存储帐户和事件中心。If you already have an Azure AD license, you need an Azure subscription to set up the storage account and event hub. Azure 订阅可以免费获取,但若要使用 Azure 资源(包括用于存档的存储帐户以及用于流式处理的事件中心),则需付费。The Azure subscription comes at no cost, but you have to pay to utilize Azure resources, including the storage account that you use for archival and the event hub that you use for streaming. 数据量以及因此引发的费用可能因租户大小的不同而差异很大。The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size.

活动日志的存储大小Storage size for activity logs

每个审核日志事件占用大约 2KB 的数据存储。Every audit log event uses about 2 KB of data storage. 登录事件日志约占 4 KB 的数据存储空间。Sign in event logs are about 4 KB of data storage. 如果一个租户有 100,000 个用户,每天会引发大约 150 万个事件,则每天需要大约 3 GB 的数据存储。For a tenant with 100,000 users, which would incur about 1.5 million events per day, you would need about 3 GB of data storage per day. 由于写入时每批需要大约五分钟的时间,则可预计每月大约有 9,000 次写入操作。Because writes occur in approximately five-minute batches, you can anticipate approximately 9,000 write operations per month.

若要针对应用程序的预期数据量进行更准确的估算,请使用 Azure 存储定价计算器To create a more accurate estimate for the data volume that you anticipate for your application, use the Azure storage pricing calculator.

活动日志的事件中心消息Event hub messages for activity logs

事件按大约五分钟的时间间隔进行批处理,并以单条消息的形式发送,每条包含该时间范围内的所有事件。Events are batched into approximately five-minute intervals and sent as a single message that contains all the events within that timeframe. 事件中心的消息的最大大小为 256 KB,如果该时间范围内所有消息的总大小超出该大小,则会发送多条消息。A message in the event hub has a maximum size of 256 KB, and if the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent.

例如,对于用户数超出 100,000 的大型租户来说,通常情况下每秒大约有 18 个事件,该频率相当于每五分钟 5,400 个事件。For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. 由于审核日志大约每个事件 2 KB,上述事件相当于 10.8 MB 的数据,Because audit logs are about 2 KB per event, this equates to 10.8 MB of data. 因此会在五分钟的时间间隔内向事件中心发送 43 条消息。Therefore, 43 messages are sent to the event hub in that five-minute interval.

若要针对应用程序的预期数据量进行准确的估算,请使用事件中心定价计算器To calculate an accurate estimate of the data volume that you anticipate for your application, use the Event Hubs pricing calculator.

Azure Monitor 日志成本注意事项Azure Monitor logs cost considerations

若要查看与管理 Azure Monitor 日志相关的成本,请参阅通过在 Azure Monitor 日志中控制数据量和保留期管理成本To review costs related to managing the Azure Monitor logs, see Manage cost by controlling data volume and retention in Azure Monitor logs.

常见问题解答Frequently asked questions

此部分回答 Azure Monitor 中 Azure AD 日志的常见问题并讨论其已知问题。This section answers frequently asked questions and discusses known issues with Azure AD logs in Azure Monitor.

问:哪些日志包括在其中?Q: Which logs are included?

:登录活动日志和审核日志均可通过此功能进行路由,虽然与 B2C 相关的审核事件目前未包括在其中。A: The sign-in activity logs and audit logs are both available for routing through this feature, although B2C-related audit events are currently not included. 若要了解目前支持哪些类型的日志和哪些基于功能的日志,请参阅审核日志架构登录日志架构To find out which types of logs and which feature-based logs are currently supported, see Audit log schema and Sign-in log schema.

问:执行某项操作之后,相应的日志多快会显示在事件中心内?Q: How soon after an action will the corresponding logs show up in my event hub?

:日志会在执行操作后两到五分钟内显示在事件中心。A: The logs should show up in your event hub within two to five minutes after the action is performed. 有关事件中心的详细信息,请参阅什么是 Azure 事件中心?For more information about Event Hubs, see What is Azure Event Hubs?.

问:执行某项操作之后,相应的日志多快会显示在存储帐户中?Q: How soon after an action will the corresponding logs show up in my storage account?

: 就 Azure 存储帐户来说,执行操作之后,日志在其中的显示会有一个 5 到 15 分钟的延迟。A: For Azure storage accounts, the latency is anywhere from 5 to 15 minutes after the action is performed.

问:如果管理员更改诊断设置的保持期,会发生什么情况?Q: What happens if an Administrator changes the retention period of a diagnostic setting?

:新的保留策略将应用于更改后收集的日志。A: The new retention policy will be applied to logs collected after the change. 策略更改前收集的日志将不会受到影响。Logs collected before the policy change will be unaffected.

问: 存储数据的费用是多少?Q: How much will it cost to store my data?

:存储费用取决于日志大小以及所选保留期。A: The storage costs depend on both the size of your logs and the retention period you choose. 如需租户估算费用(取决于生成的日志量)的列表,请参阅活动日志的存储大小部分。For a list of the estimated costs for tenants, which depend on the volume of logs generated, see the Storage size for activity logs section.

问: 将数据流式传输到事件中心的费用是多少?Q: How much will it cost to stream my data to an event hub?

: 流式传输费用取决于你每分钟收到的消息数。A: The streaming costs depend on the number of messages you receive per minute. 本文介绍了费用计算方法并列出了根据消息数估算的费用。This article discusses how the costs are calculated and lists cost estimates, which are based on the number of messages.

问: 如何将 Azure AD 活动日志与 SIEM 系统集成?Q: How do I integrate Azure AD activity logs with my SIEM system?

: 可通过两种方式实现此目的:A: You can do this in two ways:

  • 将 Azure Monitor 与事件中心配合使用,以将日志流式传输到 SIEM 系统。Use Azure Monitor with Event Hubs to stream logs to your SIEM system. 首先,将日志流式传输到事件中心,然后使用配置的事件中心设置 SIEM 工具First, stream the logs to an event hub and then set up your SIEM tool with the configured event hub.

  • 使用报告图形 API 访问数据,并使用自己的脚本将其推送到 SIEM 系统。Use the Reporting Graph API to access the data, and push it into the SIEM system using your own scripts.

问: 目前支持哪些 SIEM 工具?Q: What SIEM tools are currently supported?

:目前,Azure Monitor 受 Splunk、IBM QRadar、Sumo LogicArcSight、LogRhythm 和 支持。A: A: Currently, Azure Monitor is supported by Splunk, IBM QRadar, Sumo Logic, ArcSight, LogRhythm, and 若要详细了解连接器的工作方式,请参阅将 Azure 监视数据流式传输到事件中心供外部工具使用For more information about how the connectors work, see Stream Azure monitoring data to an event hub for consumption by an external tool.

问: 如何将 Azure AD 活动日志与 Splunk 实例集成?Q: How do I integrate Azure AD activity logs with my Splunk instance?

:首先,将 Azure AD 活动日志路由到事件中心,然后按照步骤将活动日志与 Splunk 集成A: First, route the Azure AD activity logs to an event hub, then follow the steps to Integrate activity logs with Splunk.

问: 如何将 Azure AD 活动日志与 Sumo Logic 集成?Q: How do I integrate Azure AD activity logs with Sumo Logic?

:首先,将 Azure AD 活动日志路由到事件中心,然后按照步骤安装 Azure AD 应用程序并查看 SumoLogic 中的仪表板A: First, route the Azure AD activity logs to an event hub, then follow the steps to Install the Azure AD application and view the dashboards in SumoLogic.

问: 是否可以在不使用外部 SIEM 工具的情况下,从事件中心访问数据?Q: Can I access the data from an event hub without using an external SIEM tool?

:是的。A: Yes. 若要通过自定义应用程序来访问日志,可以使用事件中心 APITo access the logs from your custom application, you can use the Event Hubs API.

后续步骤Next steps