Tutorial: Archive Azure AD logs to an Azure storage account

In this tutorial, you learn how to set up Azure Monitor diagnostics settings to route Azure Active Directory (Azure AD) logs to an Azure storage account.

Prerequisites

To use this feature, you need:

  • An Azure subscription with an Azure storage account. If you don't have an Azure subscription, you can sign up for a trial.
  • An Azure AD tenant.
  • A user who's a global administrator or security administrator for the Azure AD tenant.

Archive logs to an Azure storage account

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Activity > Audit logs.

  3. Select Export Settings.

  4. In the Diagnostics settings pane, do either of the following:

    • To change existing settings, select Edit setting.

    • To add new settings, select Add diagnostics setting.
      You can have up to three settings.

      Screenshot: Export settings

  5. Enter a friendly name for the setting to remind you of its purpose (for example, Send to Azure storage account).

  6. Select the Archive to a storage account check box, and then select Storage account.

  7. Select the Azure subscription and storage account that you want to route the logs to.

  8. Select OK to exit the configuration.

  9. Do either or both of the following:

    • To send audit logs to the storage account, select the AuditLogs check box.
    • To send sign-in logs to the storage account, select the SignInLogs check box.

  10. Use the slider to set the retention of your log data. By default, this value is 0, which means that logs are retained in the storage account indefinitely. If you set a different value, events older than the number of days selected are automatically cleaned up.

  11. Select Save to save the setting.

    Screenshot: Diagnostics settings

  12. After about 15 minutes, verify that the logs are pushed to your storage account. Go to the Azure portal, select Storage accounts, select the storage account that you used earlier, and then select Blobs. For Audit logs, select insights-log-audit. For Sign-in logs, select insights-logs-signin.

    Screenshot: Storage account
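The same setting expressed as an Azure Monitor REST payload, plus a check over one archived blob, as an added Python example that is not part of this tutorial. It assumes the tenant-level microsoft.aadiam diagnosticSettings endpoint and the JSON-lines blob layout that Azure Monitor uses; the storage account ID, setting name and the sample records are placeholders or constructed.

```python
import json

# Azure Monitor endpoint for tenant-level Azure AD diagnostic settings (the
# object the portal's "Diagnostics settings" pane edits); name is a placeholder.
AAD_DIAG_URL = ("https://management.azure.com/providers/microsoft.aadiam/"
                "diagnosticSettings/{name}?api-version=2017-04-01")
CATEGORIES = ("AuditLogs", "SignInLogs")  # the two check boxes in step 9


def build_diagnostic_setting(storage_account_id, categories, retention_days=0):
    """PUT body equivalent to steps 5-11. retention_days=0 mirrors the slider
    default (policy disabled, blobs kept indefinitely); a positive value
    enables clean-up of events older than that many days."""
    unknown = set(categories) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unsupported categories: {sorted(unknown)}")
    if retention_days < 0:
        raise ValueError("retention_days must be 0 (indefinite) or positive")
    logs = [{"category": c, "enabled": True,
             "retentionPolicy": {"enabled": retention_days > 0,
                                 "days": retention_days}}
            for c in CATEGORIES if c in categories]
    return {"properties": {"storageAccountId": storage_account_id, "logs": logs}}


def summarize_archived_records(blob_text):
    """Step 12 check: count records per category in one archived blob.
    Archived blobs are JSON lines, one log record per line."""
    counts = {}
    for line in blob_text.splitlines():
        if line.strip():
            category = json.loads(line).get("category", "unknown")
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample of three archived records (not real tenant data).
SAMPLE_BLOB = "\n".join(json.dumps(r) for r in [
    {"time": "2023-01-01T10:00:00Z", "category": "AuditLogs",
     "operationName": "Add user"},
    {"time": "2023-01-01T10:01:00Z", "category": "AuditLogs",
     "operationName": "Update user"},
    {"time": "2023-01-01T10:02:00Z", "category": "SignInLogs",
     "operationName": "Sign-in activity"},
])

if __name__ == "__main__":
    print(summarize_archived_records(SAMPLE_BLOB))  # {'AuditLogs': 2, 'SignInLogs': 1}
```

Send the body with a PUT to AAD_DIAG_URL (for example via `az rest`) using an account that meets the prerequisites above; the retention policy is per category, so a setting with both check boxes carries two entries.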

Next steps