故障排除:Azure Active Directory 活动日志中缺少数据Troubleshoot: Missing data in the Azure Active Directory activity logs

在 Azure 门户中找不到针对最近操作的审核日志I can't find audit logs for recent actions in the Azure portal

症状Symptoms

我在 Azure 门户中执行了一些操作,本应在Activity logs > Audit Logs边栏选项卡中看到这些操作的审核日志,但却找不到。I performed some actions in the Azure portal and expected to see the audit logs for those actions in the Activity logs > Audit Logs blade, but I can’t find them.

屏幕截图显示了“审核日志”条目。

原因Cause

操作不会立即显示在活动日志中。Actions don’t appear immediately in the activity logs. 下表枚举了活动日志的延迟数字。The table below enumerates our latency numbers for activity logs.

报表Report 延迟 (P95)Latency (P95) 延迟 (P99)Latency (P99)
目录审核Directory audit 2 分钟2 mins 5 分钟5 mins
登录活动Sign-in activity 2 分钟2 mins 5 分钟5 mins

解决方法Resolution

等待 15 分钟到 2 小时,再看操作是否显示在日志中。Wait for 15 minutes to two hours and see if the actions appear in the log. 如果 2 小时后仍未看到日志,请提交支持票证,我们会进行调查。If you don’t see the logs even after two hours, please file a support ticket and we will look into it.

在 Azure Active Directory 登录活动日志中找不到最近的用户登录活动I can’t find recent user sign-ins in the Azure Active Directory sign-ins activity log

症状Symptoms

我最近登录了 Azure 门户,本应在Activity logs > Sign-ins边栏选项卡中看到这些操作的登录日志,但却找不到。I recently signed into the Azure portal and expected to see the sign-in logs for those actions in the Activity logs > Sign-ins blade, but I can’t find them.

屏幕截图显示了“活动日志”中的“登录”。

原因Cause

操作不会立即显示在活动日志中。Actions don’t appear immediately in the activity logs. 下表枚举了活动日志的延迟数字。The table below enumerates our latency numbers for activity logs.

报表Report 延迟 (P95)Latency (P95) 延迟 (P99)Latency (P99)
目录审核Directory audit 2 分钟2 mins 5 分钟5 mins
登录活动 2 分钟Sign-in activity 2 mins 5 分钟5 mins

解决方法Resolution

等待 15 分钟到 2 小时,再看操作是否显示在日志中。Wait for 15 minutes to two hours and see if the actions appear in the log. 如果 2 小时后仍未看到日志,请提交支持票证,我们会进行调查。If you don’t see the logs even after two hours, please file a support ticket and we will look into it.

无法在 Azure 门户中查看 30 天以上的报表数据I can't view more than 30 days of report data in the Azure portal

症状Symptoms

无法在 Azure 门户中查看 30 天以上的登录和审核数据。I can't view more than 30 days of sign-in and audit data from the Azure portal. 为什么?Why?

屏幕截图显示了“日期”菜单。

原因Cause

根据你持有的许可证,Azure Active Directory 操作会按以下持续时间存储活动报告:Depending on your license, Azure Active Directory Actions stores activity reports for the following durations:

报表Report Azure AD FreeAzure AD Free Azure AD Premium P1Azure AD Premium P1 Azure AD Premium P2Azure AD Premium P2
目录审核Directory Audit 7 天7 days 30 天30 days 30 天30 days
登录活动Sign-in Activity 不可用。Not available. 可以在单个用户配置文件边栏选项卡中访问自己在 7 天内的登录活动You can access your own sign-ins for 7 days from the individual user profile blade 30 天30 days 30 天30 days

有关详细信息,请参阅 Azure Active Directory 报告保留策略For more information, see Azure Active Directory report retention policies.

解决方法Resolution

可将审核日志集成到第三方 SIEM 系统(例如 Splunk 或 SumoLogic)中。You can integrate audit logs into a third party SIEM system like Splunk or SumoLogic.

后续步骤Next steps