Back-end health and diagnostic logs for Application Gateway

You can monitor Azure Application Gateway resources in the following ways:

  • Back-end health: Application Gateway provides the capability to monitor the health of the servers in the back-end pools through the Azure portal and through PowerShell. You can also find the health of the back-end pools through the performance diagnostic logs.

  • Logs: Logs allow performance, access, and other data to be saved or consumed from a resource for monitoring purposes.

  • Metrics: Application Gateway has several metrics that help you verify that your system is performing as expected.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Back-end health

Application Gateway provides the capability to monitor the health of individual members of the back-end pools through the portal, PowerShell, and the command-line interface (CLI). You can also find an aggregated health summary of back-end pools through the performance diagnostic logs.

The back-end health report reflects the output of the Application Gateway health probe to the back-end instances. When probing is successful and the back end can receive traffic, it's considered healthy. Otherwise, it's considered unhealthy.

Important

If there is a network security group (NSG) on an Application Gateway subnet, open port ranges 65503-65534 for v1 SKUs, and 65200-65535 for v2 SKUs, on the Application Gateway subnet for inbound traffic. This port range is required for Azure infrastructure communication. These ports are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to initiate any changes on those endpoints.

View back-end health through the portal

In the portal, back-end health is provided automatically. In an existing application gateway, select Monitoring > Backend health.

Each member in the back-end pool is listed on this page (whether it's a NIC, IP, or FQDN). Back-end pool name, port, back-end HTTP settings name, and health status are shown. Valid values for health status are Healthy, Unhealthy, and Unknown.

Note

If you see a back-end health status of Unknown, ensure that access to the back end is not blocked by an NSG rule, a user-defined route (UDR), or a custom DNS in the virtual network.

[Screenshot: Back-end health]

View back-end health through PowerShell

The following PowerShell code shows how to view back-end health by using the Get-AzApplicationGatewayBackendHealth cmdlet:

Get-AzApplicationGatewayBackendHealth -Name ApplicationGateway1 -ResourceGroupName Contoso

View back-end health through Azure CLI

az network application-gateway show-backend-health --resource-group AdatumAppGatewayRG --name AdatumAppGateway

Results

The following snippet shows an example of the response:

{
"BackendAddressPool": {
    "Id": "/subscriptions/00000000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/applicationGateway1/backendAddressPools/appGatewayBackendPool"
},
"BackendHttpSettingsCollection": [
    {
    "BackendHttpSettings": {
        "Id": "/00000000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/applicationGateway1/backendHttpSettingsCollection/appGatewayBackendHttpSettings"
    },
    "Servers": [
        {
        "Address": "hostname.chinanorth.chinacloudapp.cn",
        "Health": "Healthy"
        },
        {
        "Address": "hostname.chinanorth.chinacloudapp.cn",
        "Health": "Healthy"
        }
    ]
    }
]
}

Diagnostic logs

You can use different types of logs in Azure to manage and troubleshoot application gateways. You can access some of these logs through the portal. All logs can be extracted from Azure Blob storage and viewed in tools such as Azure Monitor logs, Excel, and Power BI. You can learn more about the different types of logs from the following list:

  • Activity log: You can use Azure activity logs (formerly known as operational logs and audit logs) to view all operations that are submitted to your Azure subscription, and their status. Activity log entries are collected by default, and you can view them in the Azure portal.
  • Access log: You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 300 seconds. This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.
  • Performance log: You can use this log to view how Application Gateway instances are performing. This log captures performance information for each instance, including total requests served, throughput in bytes, failed request count, and healthy and unhealthy back-end instance count. A performance log is collected every 60 seconds. The performance log is available only for the v1 SKU. For the v2 SKU, use Metrics for performance data.
  • Firewall log: You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.

Note

Logs are available only for resources deployed in the Azure Resource Manager deployment model. You cannot use logs for resources in the classic deployment model. For a better understanding of the two models, see the Understanding Resource Manager deployment and classic deployment article.

You have three options for storing your logs:

  • Storage account: Storage accounts are best used for logs when logs are stored for a longer duration and reviewed when needed.
  • Event hubs: Event hubs are a good option for integrating with security information and event management (SIEM) tools to get alerts on your resources.
  • Azure Monitor logs: Azure Monitor logs are best used for general real-time monitoring of your application or for looking at trends.

Enable logging through PowerShell

Activity logging is automatically enabled for every Resource Manager resource. You must enable access and performance logging to start collecting the data available through those logs. To enable logging, use the following steps:

  1. Note your storage account's resource ID, where the log data is stored. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>. You can use any storage account in your subscription. You can use the Azure portal to find this information.

    [Screenshot: Storage account resource ID in the portal]

  2. Note the resource ID of the application gateway for which logging is enabled. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/applicationGateways/<application gateway name>. You can use the portal to find this information.

    [Screenshot: Application gateway resource ID in the portal]

  3. Enable diagnostic logging by using the following PowerShell cmdlet:

    Set-AzDiagnosticSetting -ResourceId /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/applicationGateways/<application gateway name> -StorageAccountId /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name> -Enabled $true


Tip

Activity logs do not require a separate storage account. The use of storage for access and performance logging incurs service charges.

Enable logging through the Azure portal

  1. In the Azure portal, find your resource and select Diagnostic settings.

    For Application Gateway, three logs are available:

    • Access log
    • Performance log
    • Firewall log
  2. To start collecting data, select Turn on diagnostics.

    [Screenshot: Turn on diagnostics]

  3. The Diagnostics settings page provides the settings for the diagnostic logs. In this example, Log Analytics stores the logs. You can also use event hubs and a storage account to save the diagnostic logs.

    [Screenshot: Start the configuration process]

  4. Type a name for the settings, confirm the settings, and select Save.

Activity log

Azure generates the activity log by default. The logs are preserved for 90 days in the Azure event logs store. Learn more about these logs by reading the View events and activity log article.

Access log

The access log is generated only if you've enabled it on each Application Gateway instance, as detailed in the preceding steps. The data is stored in the storage account that you specified when you enabled the logging. Each access of Application Gateway is logged in JSON format, as shown in the following example for v1:

Value | Description
instanceId | Application Gateway instance that served the request.
clientIP | Originating IP for the request.
clientPort | Originating port for the request.
httpMethod | HTTP method used by the request.
requestUri | URI of the received request.
RequestQuery | SERVER-ROUTED: Back-end pool instance that was sent the request. X-AzureApplicationGateway-LOG-ID: Correlation ID used for the request. It can be used to troubleshoot traffic issues on the back-end servers. SERVER-STATUS: HTTP response code that Application Gateway received from the back end.
UserAgent | User agent from the HTTP request header.
httpStatus | HTTP status code returned to the client from Application Gateway.
httpVersion | HTTP version of the request.
receivedBytes | Size of packet received, in bytes.
sentBytes | Size of packet sent, in bytes.
timeTaken | Length of time (in milliseconds) that it takes for a request to be processed and its response to be sent. This is calculated as the interval from the time when Application Gateway receives the first byte of an HTTP request to the time when the response send operation finishes. Note that the Time-Taken field usually includes the time that the request and response packets are traveling over the network.
sslEnabled | Whether communication to the back-end pools used SSL. Valid values are on and off.
host | The hostname with which the request was sent to the back-end server. If the back-end hostname is being overridden, this name reflects that.
originalHost | The hostname with which the request was received by the Application Gateway from the client.
{
    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/PEERINGTEST/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
    "operationName": "ApplicationGatewayAccess",
    "time": "2017-04-26T19:27:38Z",
    "category": "ApplicationGatewayAccessLog",
    "properties": {
        "instanceId": "ApplicationGatewayRole_IN_0",
        "clientIP": "191.96.249.97",
        "clientPort": 46886,
        "httpMethod": "GET",
        "requestUri": "/phpmyadmin/scripts/setup.php",
        "requestQuery": "X-AzureApplicationGateway-CACHE-HIT=0&SERVER-ROUTED=10.4.0.4&X-AzureApplicationGateway-LOG-ID=874f1f0f-6807-41c9-b7bc-f3cfa74aa0b1&SERVER-STATUS=404",
        "userAgent": "-",
        "httpStatus": 404,
        "httpVersion": "HTTP/1.0",
        "receivedBytes": 65,
        "sentBytes": 553,
        "timeTaken": 205,
        "sslEnabled": "off",
        "host": "www.contoso.com",
        "originalHost": "www.contoso.com"
    }
}

For Application Gateway and WAF v2, the logs show a little more information:

Value | Description
instanceId | Application Gateway instance that served the request.
clientIP | Originating IP for the request.
clientPort | Originating port for the request.
httpMethod | HTTP method used by the request.
requestUri | URI of the received request.
UserAgent | User agent from the HTTP request header.
httpStatus | HTTP status code returned to the client from Application Gateway.
httpVersion | HTTP version of the request.
receivedBytes | Size of packet received, in bytes.
sentBytes | Size of packet sent, in bytes.
timeTaken | Length of time (in seconds) that it takes for a request to be processed and its response to be sent. This is calculated as the interval from the time when Application Gateway receives the first byte of an HTTP request to the time when the response send operation finishes. Note that the Time-Taken field usually includes the time that the request and response packets are traveling over the network.
sslEnabled | Whether communication to the back-end pools used SSL. Valid values are on and off.
sslCipher | Cipher suite being used for SSL communication (if SSL is enabled).
sslProtocol | SSL/TLS protocol being used (if SSL is enabled).
serverRouted | The back-end server to which the application gateway routed the request.
serverStatus | HTTP status code of the back-end server.
serverResponseLatency | Latency of the response from the back-end server.
host | Address listed in the host header of the request.
{
    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/PEERINGTEST/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
    "operationName": "ApplicationGatewayAccess",
    "time": "2017-04-26T19:27:38Z",
    "category": "ApplicationGatewayAccessLog",
    "properties": {
        "instanceId": "appgw_1",
        "clientIP": "191.96.249.97",
        "clientPort": 46886,
        "httpMethod": "GET",
        "requestUri": "/phpmyadmin/scripts/setup.php",
        "userAgent": "-",
        "httpStatus": 404,
        "httpVersion": "HTTP/1.0",
        "receivedBytes": 65,
        "sentBytes": 553,
        "timeTaken": 205,
        "sslEnabled": "off",
        "sslCipher": "",
        "sslProtocol": "",
        "serverRouted": "104.41.114.59:80",
        "serverStatus": "200",
        "serverResponseLatency": "0.023",
        "host": "www.contoso.com"
    }
}
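The v1 and v2 records above carry the same back-end facts in different places: v1 packs SERVER-ROUTED, SERVER-STATUS and the X-AzureApplicationGateway-LOG-ID correlation ID into requestQuery, while v2 has serverRouted, serverStatus, sslCipher and sslProtocol as separate fields. The following added example (not part of this page or of Application Gateway itself) normalizes both layouts into one record and then runs two simple checks over them; the sample lines are constructed to mirror the two formats shown above.

```python
import json
from urllib.parse import parse_qs

# Constructed sample lines (not from a real gateway), shaped like the v1 and v2
# access-log records shown above. The v1 record packs the back-end details into
# requestQuery; the v2 records carry them as top-level fields.
SAMPLE_LINES = [
    json.dumps({"time": "2017-04-26T19:27:38Z", "category": "ApplicationGatewayAccessLog",
        "properties": {"instanceId": "ApplicationGatewayRole_IN_0", "clientIP": "191.96.249.97",
            "httpMethod": "GET", "requestUri": "/phpmyadmin/scripts/setup.php",
            "requestQuery": "X-AzureApplicationGateway-CACHE-HIT=0&SERVER-ROUTED=10.4.0.4"
                            "&X-AzureApplicationGateway-LOG-ID=874f1f0f-6807-41c9-b7bc-f3cfa74aa0b1"
                            "&SERVER-STATUS=404",
            "httpStatus": 404, "sslEnabled": "off", "host": "www.contoso.com"}}),
    json.dumps({"time": "2017-04-26T19:27:38Z", "category": "ApplicationGatewayAccessLog",
        "properties": {"instanceId": "appgw_1", "clientIP": "191.96.249.97",
            "httpMethod": "GET", "requestUri": "/phpmyadmin/scripts/setup.php",
            "httpStatus": 404, "sslEnabled": "off", "sslCipher": "", "sslProtocol": "",
            "serverRouted": "104.41.114.59:80", "serverStatus": "200",
            "serverResponseLatency": "0.023", "host": "www.contoso.com"}}),
    json.dumps({"time": "2017-04-26T19:28:02Z", "category": "ApplicationGatewayAccessLog",
        "properties": {"instanceId": "appgw_0", "clientIP": "203.0.113.10",
            "httpMethod": "POST", "requestUri": "/login",
            "httpStatus": 200, "sslEnabled": "on", "sslCipher": "ECDHE-RSA-AES256-GCM-SHA384",
            "sslProtocol": "TLSv1.2", "serverRouted": "10.4.0.5:443", "serverStatus": "200",
            "serverResponseLatency": "0.041", "host": "www.contoso.com"}}),
]


def parse_v1_request_query(query):
    """Split the v1 requestQuery string into the back-end fields it carries."""
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {
        "serverRouted": fields.get("SERVER-ROUTED"),
        "serverStatus": fields.get("SERVER-STATUS"),
        "logId": fields.get("X-AzureApplicationGateway-LOG-ID"),
    }


def normalize(entry):
    """Map a v1 or v2 access-log record onto one common set of field names."""
    p = entry["properties"]
    record = {
        "time": entry["time"],
        "instanceId": p["instanceId"],
        "clientIP": p["clientIP"],
        "httpMethod": p["httpMethod"],
        "requestUri": p["requestUri"],
        "httpStatus": int(p["httpStatus"]),
        "host": p.get("host"),
        "sslEnabled": p.get("sslEnabled") == "on",
    }
    if "requestQuery" in p:  # v1 layout: back-end details are inside requestQuery
        record["version"] = "v1"
        record.update(parse_v1_request_query(p["requestQuery"]))
        record["sslProtocol"] = None
    else:  # v2 layout: separate fields; empty strings mean "not used"
        record["version"] = "v2"
        record["serverRouted"] = p.get("serverRouted") or None
        record["serverStatus"] = p.get("serverStatus") or None
        record["logId"] = None
        record["sslProtocol"] = p.get("sslProtocol") or None
    return record


def load_records(lines):
    """Parse one JSON record per line and normalize each of them."""
    return [normalize(json.loads(line)) for line in lines]


def status_mismatches(records):
    """Records whose client-facing status differs from the back-end status; worth a look
    when you want to know whether the gateway, not the back end, produced the response."""
    return [r for r in records
            if r["serverStatus"] is not None and str(r["httpStatus"]) != r["serverStatus"]]


def plaintext_to_backend(records):
    """Records where the gateway talked to the back end without SSL (sslEnabled off)."""
    return [r for r in records if not r["sslEnabled"]]
```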

Performance log

The performance log is generated only if you have enabled it on each Application Gateway instance, as detailed in the preceding steps. The data is stored in the storage account that you specified when you enabled the logging. The performance log data is generated in 1-minute intervals. It is available only for the v1 SKU. For the v2 SKU, use Metrics for performance data. The following data is logged:

Value | Description
instanceId | Application Gateway instance for which performance data is being generated. For a multiple-instance application gateway, there is one row per instance.
healthyHostCount | Number of healthy hosts in the back-end pool.
unHealthyHostCount | Number of unhealthy hosts in the back-end pool.
requestCount | Number of requests served.
latency | Average latency (in milliseconds) of requests from the instance to the back end that serves the requests.
failedRequestCount | Number of failed requests.
throughput | Average throughput since the last log, measured in bytes per second.
{
    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
    "operationName": "ApplicationGatewayPerformance",
    "time": "2016-04-09T00:00:00Z",
    "category": "ApplicationGatewayPerformanceLog",
    "properties":
    {
        "instanceId":"ApplicationGatewayRole_IN_1",
        "healthyHostCount":"4",
        "unHealthyHostCount":"0",
        "requestCount":"185",
        "latency":"0",
        "failedRequestCount":"0",
        "throughput":"119427"
    }
}

Note

Latency is calculated from the time when the first byte of the HTTP request is received to the time when the last byte of the HTTP response is sent. It's the sum of the Application Gateway processing time, the network cost to the back end, and the time that the back end takes to process the request.

Firewall log

The firewall log is generated only if you have enabled it for each application gateway, as detailed in the preceding steps. This log also requires that the web application firewall is configured on the application gateway. The data is stored in the storage account that you specified when you enabled the logging. The following data is logged:

Value | Description
instanceId | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance.
clientIp | Originating IP for the request.
clientPort | Originating port for the request.
requestUri | URI of the received request.
ruleSetType | Rule set type. The available value is OWASP.
ruleSetVersion | Rule set version used. Available values are 2.2.9 and 3.0.
ruleId | Rule ID of the triggering event.
message | User-friendly message for the triggering event. More details are provided in the details section.
action | Action taken on the request. Available values are Blocked and Allowed.
site | Site for which the log was generated. Currently, only Global is listed because rules are global.
details | Details of the triggering event.
details.message | Description of the rule.
details.data | Specific data found in the request that matched the rule.
details.file | Configuration file that contained the rule.
details.line | Line number in the configuration file that triggered the event.
hostname | Hostname or IP address of the Application Gateway.
transactionId | Unique ID for a given transaction, which helps group multiple rule violations that occurred within the same request.
{
  "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
  "operationName": "ApplicationGatewayFirewall",
  "time": "2017-03-20T15:52:09.1494499Z",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "ApplicationGatewayRole_IN_0",
    "clientIp": "104.210.252.3",
    "clientPort": "4835",
    "requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "941320",
    "message": "Possible XSS Attack Detected - HTML Tag Handler",
    "action": "Blocked",
    "site": "Global",
    "details": {
      "message": "Warning. Pattern match \"<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ...\" at ARGS:a.",
      "data": "Matched Data: <script> found within ARGS:a: <script>alert(\\x22hello\\x22);</script>",
      "file": "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
      "line": "865"
    },
    "hostname": "40.90.218.100",
    "transactionId": "AYAcUqAcAcAcAcAcASAcAcAc"
  }
}
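Because one request can trip several rules, the firewall log emits one record per rule hit and ties them together with transactionId, as the table above describes. The following added example (not part of this page or of the WAF itself) groups constructed firewall-log lines by transactionId, summarizes them per client IP, and counts the most frequently triggered rule IDs, which is the view you want when tuning rules in detection mode before switching to prevention mode.

```python
import json
from collections import defaultdict

# Constructed sample lines (not from a real gateway), shaped like the firewall-log
# record above. The first two share one transactionId (one request tripped two rules);
# the third is a different request from another client that was allowed.
FIREWALL_LINES = [
    json.dumps({"time": "2017-03-20T15:52:09.1494499Z", "category": "ApplicationGatewayFirewallLog",
        "properties": {"instanceId": "ApplicationGatewayRole_IN_0", "clientIp": "104.210.252.3",
            "clientPort": "4835", "requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
            "ruleSetType": "OWASP", "ruleSetVersion": "3.0", "ruleId": "941320",
            "message": "Possible XSS Attack Detected - HTML Tag Handler", "action": "Blocked",
            "site": "Global", "hostname": "40.90.218.100",
            "transactionId": "AYAcUqAcAcAcAcAcASAcAcAc"}}),
    json.dumps({"time": "2017-03-20T15:52:09.1494499Z", "category": "ApplicationGatewayFirewallLog",
        "properties": {"instanceId": "ApplicationGatewayRole_IN_0", "clientIp": "104.210.252.3",
            "clientPort": "4835", "requestUri": "/?a=%3Cscript%3Ealert(%22Hello%22);%3C/script%3E",
            "ruleSetType": "OWASP", "ruleSetVersion": "3.0", "ruleId": "941100",
            "message": "XSS Attack Detected via libinjection", "action": "Blocked",
            "site": "Global", "hostname": "40.90.218.100",
            "transactionId": "AYAcUqAcAcAcAcAcASAcAcAc"}}),
    json.dumps({"time": "2017-03-20T15:53:41.0000000Z", "category": "ApplicationGatewayFirewallLog",
        "properties": {"instanceId": "ApplicationGatewayRole_IN_1", "clientIp": "198.51.100.7",
            "clientPort": "51022", "requestUri": "/health",
            "ruleSetType": "OWASP", "ruleSetVersion": "3.0", "ruleId": "920350",
            "message": "Host header is a numeric IP address", "action": "Allowed",
            "site": "Global", "hostname": "40.90.218.100",
            "transactionId": "BZBdVrBdBdBdBdBdBTBdBdBd"}}),
]


def load_firewall_events(lines):
    """Parse one JSON record per line and return the properties of each."""
    return [json.loads(line)["properties"] for line in lines]


def group_by_transaction(events):
    """One entry per transactionId: the request, every rule it tripped, and whether any
    hit blocked it. Several log lines with the same transactionId are one request."""
    groups = {}
    for p in events:
        g = groups.setdefault(p["transactionId"], {
            "clientIp": p["clientIp"], "requestUri": p["requestUri"],
            "ruleSet": f'{p["ruleSetType"]}/{p["ruleSetVersion"]}',
            "ruleIds": [], "messages": [], "blocked": False})
        g["ruleIds"].append(p["ruleId"])
        g["messages"].append(p["message"])
        g["blocked"] = g["blocked"] or p["action"] == "Blocked"
    return groups


def summarize_by_client(groups):
    """Per client IP: how many distinct requests tripped rules, how many were blocked,
    and which rule IDs were involved."""
    summary = defaultdict(lambda: {"requests": 0, "blocked": 0, "ruleIds": set()})
    for g in groups.values():
        s = summary[g["clientIp"]]
        s["requests"] += 1
        s["blocked"] += int(g["blocked"])
        s["ruleIds"].update(g["ruleIds"])
    return dict(summary)


def top_rules(events, n=3):
    """Most frequently triggered rule IDs (ties broken by rule ID), for rule tuning."""
    counts = defaultdict(int)
    for p in events:
        counts[p["ruleId"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```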

View and analyze the activity log

You can view and analyze activity log data by using any of the following methods:

  • Azure tools: Retrieve information from the activity log through Azure PowerShell, the Azure CLI, the Azure REST API, or the Azure portal. Step-by-step instructions for each method are detailed in the Activity operations with Resource Manager article.
  • Power BI: If you don't already have a Power BI account, you can try it for free. By using the Power BI template apps, you can analyze your data.

View and analyze the access, performance, and firewall logs

Azure Monitor logs can collect the counter and event log files from your Blob storage account. It includes visualizations and powerful search capabilities to analyze your logs.

You can also connect to your storage account and retrieve the JSON log entries for access and performance logs. After you download the JSON files, you can convert them to CSV and view them in Excel, Power BI, or any other data-visualization tool.

Tip

If you are familiar with Visual Studio and basic concepts of changing values for constants and variables in C#, you can use the log converter tools available from GitHub.

Analyzing access logs through GoAccess

We have published a Resource Manager template that installs and runs the popular GoAccess log analyzer for Application Gateway access logs. GoAccess provides valuable HTTP traffic statistics such as unique visitors, requested files, hosts, operating systems, browsers, HTTP status codes, and more. For more details, see the Readme file in the Resource Manager template folder in GitHub.

Next steps