使用 Azure Monitor 创建、查看和管理活动日志警报Create, view, and manage activity log alerts by using Azure Monitor

概述Overview

活动日志警报是新发生的活动日志事件与警报中指定的条件匹配时激活的警报。Activity log alerts are the alerts that get activated when a new activity log event occurs that matches the conditions specified in the alert.

这些警报适用于 Azure 资源,可以使用 Azure 资源管理器模板来创建。These alerts are for Azure resources and can be created by using an Azure Resource Manager template. 此外,还可以在 Azure 门户中创建、更新或删除它们。They also can be created, updated, or deleted in the Azure portal. 通常,你可以创建活动日志警报,以便在 Azure 订阅中的资源发生特定的更改时接收通知。Typically, you create activity log alerts to receive notifications when specific changes occur to resources in your Azure subscription. 警报通常限于特定的资源组或资源。Alerts are often scoped to particular resource groups or resources. 例如,你可能希望在示例资源组 myProductionResourceGroup 中的任何虚拟机被删除时收到通知。For example, you might want to be notified when any virtual machine in the sample resource group myProductionResourceGroup is deleted. 或者,你可能希望在任何新角色分配到订阅中的用户时收到通知。Or, you might want to get notified if any new roles are assigned to a user in your subscription.

重要

有关服务运行状况通知的警报无法通过用于创建活动日志警报的界面来创建。Alerts on service health notification can't be created via the interface for activity log alert creation. 若要详细了解如何创建和使用服务运行状况通知,请参阅接收有关服务运行状况通知的活动日志警报To learn more about how to create and use service health notifications, see Receive activity log alerts on service health notifications.

创建警报规则时,请确保:When you create alert rules, ensure the following:

  • 范围中的订阅并未不同于创建警报的订阅。The subscription in the scope isn't different from the subscription where the alert is created.
  • 条件必须是配置警报时所依据的级别、状态、调用方、资源组、资源 ID 或资源类型事件类别。The criteria must be the level, status, caller, resource group, resource ID, or resource type event category on which the alert is configured.
  • 仅允许一个“allOf”条件。Only one "allOf" condition is allowed.
  • “AnyOf”可用于允许在多个字段上使用多种条件(例如,“status”或“subStatus”字段是否等于某个值)。'AnyOf' can be used to allow multiple conditions over multiple fields (for example, if either the “status” or the “subStatus” fields equal a certain value). 请注意,“AnyOf”的使用目前仅限于通过 ARM 模板部署创建警报规则。Note that the use of 'AnyOf' is currently limited to creating the alert rule using an ARM template deployment.
  • “ContainsAny”可用于允许同一字段的多个值(例如,“operation”是等于“delete”还是等于“modify”)。'ContainsAny' can be used to allow multiple values of the same field (for example, if “operation” equals either ‘delete’ or ‘modify’). 请注意,“ContainsAny”的使用目前仅限于通过 ARM 模板部署创建警报规则。Note that the use of ‘ContainsAny’ is currently limited to creating the alert rule using an ARM template deployment.
  • 当类别是“管理”时,必须在警报中至少指定上述条件之一。When the category is "administrative," you must specify at least one of the preceding criteria in your alert. 不能创建每次在活动日志中创建事件时激活的警报。You may not create an alert that activates every time an event is created in the activity logs.
  • 无法为活动日志的“警报”类别中的事件创建警报。Alerts cannot be created for events in Alert category of activity log.

Azure 门户Azure portal

可以使用 Azure 门户创建和修改活动日志警报规则。You can use the Azure portal to create and modify activity log alert rules. 该体验与 Azure 活动日志相集成,以确保针对所关注的特定事件顺利创建警报。The experience is integrated with an Azure activity log to ensure seamless alert creation for specific events of interest.

使用 Azure 门户创建Create with the Azure portal

使用以下过程。Use the following procedure.

  1. 在 Azure 门户中,选择“监视” > “警报”。 In the Azure portal, select Monitor > Alerts.

  2. 选择“警报”窗口左上角的“新建警报规则”。 Select New alert rule in the upper-left corner of the Alerts window.

    新建警报规则

    此时将显示“创建规则”窗口。The Create rule window appears.

    “新建警报规则”选项

  3. 提供以下信息,并选择“完成”:Provide the following information, and select Done:

    • 作用域:若要查看并选择新警报的目标,请使用“按订阅筛选” / “按资源类型筛选”。 Scope: To view and select the target for the new alert, use Filter by subscription / Filter by resource type. 从显示的列表中选择资源或资源组。Select the resource or resource group from the list displayed.

      备注

      只能为活动日志信号选择 Azure 资源管理器跟踪的资源、资源组或整个订阅。You can select only Azure Resource Manager tracked resource, resource group, or an entire subscription for an activity log signal.

      作用域示例视图Scope sample view

      选择目标

    • 在“条件”下方,选择“选择条件” 。Under Condition, select Select condition. 此时会显示目标的所有可用信号,包括来自各种类别的“活动日志”的信号。All available signals for the target are displayed, which includes those from various categories of Activity Log. 类别名称会追加到“监视服务”名称后面。The category name is appended to the Monitor Service name.

    • 活动日志 类型的各种可能操作的显示列表中选择信号。Select the signal from the list displayed of various operations possible for the type Activity Log.

      可为此目标信号选择日志历史记录时间线和相应的警报逻辑:You can select the log history timeline and the corresponding alert logic for this target signal:

      添加条件屏幕Add criteria screen

      添加条件

      备注

      为了获得优质高效的规则,我们要求在规则中至少再添加一个信号为“所有管理操作”的条件。In order to have a high quality and effective rules, we ask to add at least one more condition to rules with the signal "All Administrative". 作为警报定义的一部分,必须填写一个下拉选项:“事件级别”、“状态”或“发起者”,这会使规则变得更具体。As a part of the definition of the alert you must fill one of the drop downs: "Event level", "Status" or "Initiated by" and by that the rule will be more specific.

      • 图表时间段:可以绘制在过去 6、12、24 小时、过去三天或一周内为所选操作提供的事件。Chart period: Events available for the selected operation can be plotted over the last 6, 12, 24 hours or over the last 3 days or over the last week.

      • 警报逻辑Alert logic:

        • 事件级别:事件的严重级别:“详细”、“信息性”、“警告”、“错误”或“严重”。 Event level: The severity level of the event: Verbose, Informational, Warning, Error, or Critical.
        • 状态:事件的状态:例如,“已启动”、“失败”或“成功”。 Status: The status of the event: Started, Failed, or Succeeded.
        • 事件发起者:也称为“调用方”。Event initiated by: Also known as the caller. 电子邮件地址或执行操作的用户的 Azure Active Directory 标识符。The email address or Azure Active Directory identifier of the user who performed the operation.

        此示例信号图已应用警报逻辑:This sample signal graph has the alert logic applied:

        已选择条件

  4. 在“定义警报详细信息”下提供以下详细信息:Under Define alert details, provide the following details:

    • 警报规则名称:新警报规则的名称。Alert rule name: The name for the new alert rule.
    • 说明:新警报规则的说明。Description: The description for the new alert rule.

  5. 在“操作组”下,从下拉菜单中指定要分配到此新警报规则的操作组。Under Action group, from the drop-down menu, specify the action group that you want to assign to this new alert rule. 或者,创建新的操作组并将其分配到新规则。Or, create a new action group and assign it to the new rule. 若要创建新组,请选择“+ 新建组”。To create a new group, select + New group.

  6. 若要在创建规则后启用规则,请选择“创建后启用规则”选项对应的“是”。 To enable the rules after you create them, select Yes for the Enable rule upon creation option.

  7. 选择“创建警报规则”。Select Create alert rule.

    随即会为活动日志创建新的警报规则,并且窗口的右上角会显示一条确认消息。The new alert rule for the activity log is created, and a confirmation message appears in the upper-right corner of the window.

    可以启用、禁用、编辑或删除规则。You can enable, disable, edit, or delete a rule. 详细了解如何管理活动日志规则。Learn more about how to manage activity log rules.

可以通过一个简单的类比来理解在活动日志上创建警报规则时可以基于的条件,那就是通过 Azure 门户中的活动日志浏览或筛选事件。A simple analogy for understanding conditions on which alert rules can be created in an activity log is to explore or filter events via the activity log in the Azure portal. 在“Azure Monitor - 活动日志”屏幕中,可以筛选或查找所需的事件,然后使用“添加活动日志警报”按钮创建警报。 In the Azure Monitor - Activity log screen, you can filter or find the necessary event and then create an alert by using the Add activity log alert button. 然后遵循上面所示的步骤 4 到 7 操作。Then follow steps 4 through 7 as previously shown.

从活动日志添加警报

在 Azure 门户中查看和管理View and manage in the Azure portal

  1. 在 Azure 门户中,选择“监视” > “警报”。 In the Azure portal, select Monitor > Alerts. 在窗口的左上角选择“管理警报规则”。Select Manage alert rules in the upper-left corner of the window.

    屏幕截图显示了活动日志,其中突出显示了搜索框。

    此时将显示可用规则的列表。The list of available rules appears.

  2. 搜索要修改的活动日志规则。Search for the activity log rule to modify.

    搜索活动日志警报规则

    可以使用可用的筛选器(“订阅”、“资源组”、“资源”、“信号类型”或“状态”)来查找想要编辑的活动规则。 You can use the available filters, Subscription, Resource group, Resource, Signal type, or Status, to find the activity rule that you want to edit.

    备注

    只能编辑“说明”、“目标条件”和“操作组”。 You can edit only Description, Target criteria, and Action groups.

  3. 选择规则并双击以编辑规则选项。Select the rule, and double-click to edit the rule options. 进行所需的更改,然后选择“保存”。Make the required changes, and then select Save.

    管理警报规则

  4. 可以启用、禁用或删除规则。You can enable, disable, or delete a rule. 根据步骤 2 中所述选择规则后,在窗口顶部选择相应的选项。Select the appropriate option at the top of the window after you select the rule as described in step 2.

Azure 资源管理器模板Azure Resource Manager template

若要使用 Azure 资源管理器模板创建活动日志警报规则,请创建 microsoft.insights/activityLogAlerts 类型的资源。To create an activity log alert rule by using an Azure Resource Manager template, you create a resource of the type microsoft.insights/activityLogAlerts. 然后,填充所有相关属性。Then you fill in all related properties. 下面是一个用于创建活动日志警报规则的模板:Here's a template that creates an activity log alert rule:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "activityLogAlertName": {
      "type": "string",
      "metadata": {
        "description": "Unique name (within the Resource Group) for the Activity log alert."
      }
    },
    "activityLogAlertEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Indicates whether or not the alert is enabled."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Resource Id for the Action group."
      }
    }
  },
  "resources": [   
    {
      "type": "Microsoft.Insights/activityLogAlerts",
      "apiVersion": "2017-04-01",
      "name": "[parameters('activityLogAlertName')]",      
      "location": "Global",
      "properties": {
        "enabled": "[parameters('activityLogAlertEnabled')]",
        "scopes": [
            "[subscription().id]"
        ],        
        "condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "Administrative"
            },
            {
              "field": "operationName",
              "equals": "Microsoft.Resources/deployments/write"
            },
            {
              "field": "resourceType",
              "equals": "Microsoft.Resources/deployments"
            }
          ]
        },
        "actions": {
          "actionGroups":
          [
            {
              "actionGroupId": "[parameters('actionGroupResourceId')]"
            }
          ]
        }
      }
    }
  ]
}

对于此演练,可将上面的示例 JSON 保存为类似于 sampleActivityLogAlert.json 的文件名,然后可以使用 Azure 门户中的 Azure 资源管理器部署该文件。The previous sample JSON can be saved as, for example, sampleActivityLogAlert.json for the purpose of this walk-through and can be deployed by using Azure Resource Manager in the Azure portal.

备注

请注意,可以定义的最高级别的活动日志警报是订阅。Notice that the highest-level activity log alerts can be defined is subscription. 这意味着没有定义针对几个订阅的警报的选项,因此定义应该是针对每个订阅的警报。Meaning there is no option to define alert on couple of subscriptions, therefore the definition should be alert per subscription.

以下字段是可以在 Azure 资源管理器模板中用于条件字段的选项:请注意,“资源运行状况”、“顾问”和“服务运行状况”有额外的属性字段,这是它们的特殊字段。The following fields are the options that you can use in the Azure Resource Manager template for the conditions fields: Notice that “Resource Health”, “Advisor” and “Service Health” have extra properties fields for their special fields.

  1. resourceId:应该对其生成警报的活动日志事件中受影响资源的资源 ID。resourceId: The resource ID of the impacted resource in the activity log event that the alert should be generated on.
  2. category:活动日志事件的类别。category: The category of in the activity log event. 例如:Administrative、ServiceHealth、ResourceHealth、Autoscale、Security、Recommendation、Policy。For example: Administrative, ServiceHealth, ResourceHealth, Autoscale, Security, Recommendation, Policy.
  3. caller:执行活动日志事件操作的用户的电子邮件地址或 Azure Active Directory 标识符。caller: The email address or Azure Active Directory identifier of the user who performed the operation of the activity log event.
  4. level:应该对其生成警报的活动日志事件中的活动级别。level: Level of the activity in the activity log event that the alert should be generated on. 例如:Critical、Error、Warning、Informational、Verbose。For example: Critical, Error, Warning, Informational, Verbose.
  5. operationName:活动日志事件中的操作名称。operationName: The name of the operation in the activity log event. 例如:Microsoft.Resources/deployments/writeFor example: Microsoft.Resources/deployments/write
  6. resourceGroup:活动日志事件中受影响资源的资源组名称。resourceGroup: Name of the resource group for the impacted resource in the activity log event.
  7. resourceProvider:Azure 资源提供程序和类型解释resourceProvider: Azure resource providers and types explanation. 有关资源提供程序到 Azure 服务的映射列表,请参阅 Azure 服务的资源提供程序For a list that maps resource providers to Azure services, see Resource providers for Azure services.
  8. status:描述活动事件中操作状态的字符串。status: String describing the status of the operation in the activity event. 例如:Started、In Progress、Succeeded、Failed、Active、ResolvedFor example: Started, In Progress, Succeeded, Failed, Active, Resolved
  9. subStatus:通常为响应 REST 调用的 HTTP 状态码,但还可以包含其他用于描述子状态的字符串。subStatus: Usually the HTTP status code of the corresponding REST call, but can also include other strings describing a substatus. 例如:正常(HTTP 状态代码:200)、已创建(HTTP 状态代码:201)、已接受(HTTP 状态代码:202)、没有任何内容(HTTP 状态代码:204)、错误的请求(HTTP 状态代码:400)、找不到(HTTP 状态代码:404)、冲突(HTTP 状态代码:409)、内部服务器错误(HTTP 状态代码:500)、服务不可用(HTTP 状态代码:503)、网关超时(HTTP 状态代码: 504)。For example: OK (HTTP Status Code: 200), Created (HTTP Status Code: 201), Accepted (HTTP Status Code: 202), No Content (HTTP Status Code: 204), Bad Request (HTTP Status Code: 400), Not Found (HTTP Status Code: 404), Conflict (HTTP Status Code: 409), Internal Server Error (HTTP Status Code: 500), Service Unavailable (HTTP Status Code: 503), Gateway Timeout (HTTP Status Code: 504).
  10. resourceType:受事件影响的资源的类型。resourceType: The type of the resource that was affected by the event. 例如:Microsoft.Resources/deploymentsFor example: Microsoft.Resources/deployments

例如:For example:

"condition": {
          "allOf": [
            {
              "field": "category",
              "equals": "Administrative"
            },
            {
              "field": "resourceType",
              "equals": "Microsoft.Resources/deployments"
            }
          ]
        }

此处可以找到有关活动日志字段的更多详细信息。More details on the activity log fields you can find here.

备注

新的活动日志警报规则可能需要 5 分钟才能变为活动状态。It might take up to 5 minutes for the new activity log alert rule to become active.

REST APIREST API

Azure Monitor 活动日志警报 API 是一个 REST API。The Azure Monitor Activity Log Alerts API is a REST API. 它与 Azure 资源管理器 REST API 完全兼容。It's fully compatible with the Azure Resource Manager REST API. 可以使用资源管理器 cmdlet 或 Azure CLI 通过 PowerShell 来使用它。It can be used via PowerShell by using the Resource Manager cmdlet or the Azure CLI.

PowerShellPowerShell

备注

本文已经过更新,以便使用 Azure Az PowerShell 模块。This article has been updated to use the Azure Az PowerShell module. 若要与 Azure 交互,建议使用的 PowerShell 模块是 Az PowerShell 模块。The Az PowerShell module is the recommended PowerShell module for interacting with Azure. 若要开始使用 Az PowerShell 模块,请参阅安装 Azure PowerShellTo get started with the Az PowerShell module, see Install Azure PowerShell. 若要了解如何迁移到 Az PowerShell 模块,请参阅 将 Azure PowerShell 从 AzureRM 迁移到 AzTo learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

使用 PowerShell 部署资源管理器模板Deploy the Resource Manager template with PowerShell

若要使用 PowerShell 部署前面的 Azure 资源管理器模板部分所示的示例资源管理器模板,请使用以下命令:To use PowerShell to deploy the sample Resource Manager template shown in the previous Azure Resource Manager template section, use the following command:

New-AzResourceGroupDeployment -ResourceGroupName "myRG" -TemplateFile sampleActivityLogAlert.json -TemplateParameterFile sampleActivityLogAlert.parameters.json

其中,sampleActivityLogAlert.parameters.json 包含一些值,这些值是为在创建警报规则时所需的参数提供的。where the sampleActivityLogAlert.parameters.json contains the values provided for the parameters needed for alert rule creation.

使用活动日志 PowerShell cmdletUse activity log PowerShell cmdlets

活动日志警报具有专用的 PowerShell cmdlet 可用:Activity log alerts have dedicated PowerShell cmdlets available:

Azure CLIAzure CLI

set az monitor activity-log alert 下的专用 Azure CLI 命令可用于管理活动日志警报规则。Dedicated Azure CLI commands under the set az monitor activity-log alert are available for managing activity log alert rules.

若要创建新的活动日志警报规则,请下面的顺序使用以下命令:To create a new activity log alert rule, use the following commands in this order:

  1. az monitor activity-log alert create:创建新的活动日志警报规则资源。az monitor activity-log alert create: Create a new activity log alert rule resource.
  2. az monitor activity-log alert scope:为已创建的活动日志警报规则添加范围。az monitor activity-log alert scope: Add scope for the created activity log alert rule.
  3. az monitor activity-log alert action-group:将操作组添加到活动日志警报规则。az monitor activity-log alert action-group: Add an action group to the activity log alert rule.

若要检索一个活动日志警报规则资源,请使用 Azure CLI 命令 az monitor activity-log alert showTo retrieve one activity log alert rule resource, use the Azure CLI command az monitor activity-log alert show. 若要查看某个资源组中的所有活动日志警报规则资源,请使用 az monitor activity-log alert listTo view all activity log alert rule resources in a resource group, use az monitor activity-log alert list. 可以使用 Azure CLI 命令 az monitor activity-log alert delete 删除活动日志警报规则资源。Activity log alert rule resources can be removed by using the Azure CLI command az monitor activity-log alert delete.

后续步骤Next steps