What is Azure Active Directory monitoring?

With Azure Active Directory (Azure AD) monitoring, you can now route your Azure AD activity logs to different endpoints. You can then either retain them for long-term use or integrate them with third-party Security Information and Event Management (SIEM) tools to gain insights into your environment.

Currently, you can route the logs to:

  • An Azure storage account.
  • An Azure event hub, so you can integrate with your Splunk and Sumologic instances.
  • An Azure Log Analytics workspace, where you can analyze the data, create dashboards, and alert on specific events.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Diagnostic settings configuration

To configure monitoring settings for Azure AD activity logs, first sign in to the Azure portal, then select Azure Active Directory. From here, you can access the diagnostic settings configuration page in two ways:

  • Select Diagnostic settings from the Monitoring section.

    (Screenshot: Diagnostic settings)

  • Select Audit Logs or Sign-ins, then select Export settings.

    (Screenshot: Export settings)

Route logs to a storage account

By routing logs to an Azure storage account, you can retain them for longer than the default retention period outlined in our retention policies. Learn how to route data to your storage account.

Stream logs to an event hub

Routing logs to an Azure event hub allows you to integrate with third-party SIEM tools like Sumologic and Splunk. This integration allows you to combine Azure AD activity log data with other data managed by your SIEM, providing richer insights into your environment. Learn how to stream logs to an event hub.

Send logs to Azure Monitor logs

Azure Monitor logs is a solution that consolidates monitoring data from different sources and provides a query language and analytics engine that gives you insights into the operation of your applications and resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor, and alert on the collected data. Learn how to send data to Azure Monitor logs.

You can also install the pre-built views for Azure AD activity logs to monitor common scenarios involving sign-ins and audit events. Learn how to install and use Log Analytics views for Azure AD activity logs.
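As an added example, not part of the original article, the following Kusto query shows the kind of detection you can build once sign-in logs land in the workspace: it lists accounts with repeated failed sign-ins over the last 24 hours, which is a typical basis for an alert rule. It assumes the standard SigninLogs table exposed to the workspace (with its TimeGenerated, ResultType, UserPrincipalName, and IPAddress columns, where ResultType "0" means success); the threshold of 10 failures is an arbitrary constructed value to tune for your environment.

```kusto
// Accounts with repeated failed sign-ins in the last 24 hours.
// Assumes the standard SigninLogs table; ResultType "0" is a successful sign-in,
// any other value is an Azure AD error code for a failed attempt.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| summarize
    FailedCount = count(),
    DistinctSourceIPs = dcount(IPAddress),
    FirstFailure = min(TimeGenerated),
    LastFailure = max(TimeGenerated)
    by UserPrincipalName
// Threshold is a constructed example value; tune it for your tenant's baseline.
| where FailedCount >= 10
| order by FailedCount desc
```

Saving this query as a log alert with a non-zero result threshold turns it into the "alert on specific events" capability described above; the DistinctSourceIPs column helps separate a single mistyped password from failures arriving from many addresses.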

Next steps