This article describes the Azure Active Directory (Azure AD) audit log schema in Azure Monitor. Each individual log entry is stored as text and formatted as a JSON blob, as shown in the following two examples:
The REST API version that's requested by the client.
category
Currently, Audit is the only supported value.
tenantId
The tenant GUID that's associated with the logs.
resultType
The result of the operation. The result can be Success or Failure.
resultSignature
This field is unmapped, and you can safely ignore it.
resultDescription
An additional description of the result, where available.
durationMs
This field is unmapped, and you can safely ignore it.
callerIpAddress
The IP address of the client that made the request.
correlationId
An optional GUID that's passed by the client. It can help correlate client-side operations with server-side operations, and it's useful when you're tracking logs that span services.
identity
The identity from the token that was presented when you made the request. The identity can be a user account, system account, or service principal.
level
The message type. For audit logs, the level is always Informational.
location
The location of the datacenter.
properties
Lists the supported properties that are related to an audit log. For more information, see the next table.
Property name
Description
AuditEventCategory
The type of audit event. It can be User Management, Application Management, or another type.
Identity Type
The type can be Application or User.
Operation Type
The type can be Add, Update, Delete, or Other.
Target Resource Type
Specifies the target resource type that the operation was performed on. The type can be Application, User, Role, Policy.
Target Resource Name
The name of the target resource. It can be an application name, a role name, a user principal name, or a service principal name.
additionalTargets
Lists any additional properties for specific operations. For example, for an update operation, the old values and the new values are listed under targetUpdatedProperties.
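The following Python code is an added example, not part of the original article or of any Microsoft tooling. It checks an ingested audit log entry against the value constraints listed in the first table and drops the two unmapped fields, so that schema drift or malformed records surface before detection rules rely on them. It assumes the listed field names appear as top-level JSON keys; the function names and the sample entry are constructed for illustration.

```python
import json
import uuid

# Values the field descriptions above allow for each constrained field.
ALLOWED = {"category": ("Audit",), "resultType": ("Success", "Failure"),
           "level": ("Informational",)}
# Fields described above as unmapped: dropped so nothing keys on them.
UNMAPPED = ("resultSignature", "durationMs")


def is_guid(value):
    """Return True if value parses as a GUID."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_record(raw):
    """Validate one JSON log entry; return (normalized_record, issues)."""
    rec = json.loads(raw)
    issues = []
    for field, allowed in ALLOWED.items():
        if rec.get(field) not in allowed:
            issues.append(f"{field}: unexpected value {rec.get(field)!r}")
    if not is_guid(rec.get("tenantId")):
        issues.append("tenantId: not a GUID")
    # correlationId is optional, so validate it only when present.
    if rec.get("correlationId") and not is_guid(rec["correlationId"]):
        issues.append("correlationId: not a GUID")
    if not isinstance(rec.get("properties"), dict):
        issues.append("properties: missing or not an object")
    return {k: v for k, v in rec.items() if k not in UNMAPPED}, issues


# Constructed sample entry (not real tenant data); flat layout is assumed.
SAMPLE = json.dumps({
    "category": "Audit", "tenantId": "11111111-2222-3333-4444-555555555555",
    "resultType": "Failure", "resultSignature": "None", "durationMs": 0,
    "callerIpAddress": "192.0.2.10", "correlationId": "not-a-guid",
    "identity": "user@example.com", "level": "Informational",
    "properties": {},
})

if __name__ == "__main__":
    record, problems = check_record(SAMPLE)
    print(record["resultType"], problems)
```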