Webhook actions for log alert rules

Log alerts support configuring webhook action groups. This article describes which properties are available and how to configure a custom JSON webhook.

Note

Custom JSON-based webhooks are not currently supported in API version 2020-05-01-preview.

Note

It is recommended that you use the common alert schema for your webhook integrations. The common alert schema provides a single, extensible and unified alert payload across all the alert services in Azure Monitor. For log alert rules that have a custom JSON payload defined, enabling the common alert schema reverts the payload schema to the one described here; in other words, a webhook that needs a custom JSON payload can't use the common alert schema. Alerts with the common schema enabled have an upper size limit of 256 KB per alert, and a larger alert will not include search results. When the search results aren't included, use LinkToFilteredSearchResultsAPI or LinkToSearchResultsAPI to access the query results via the Log Analytics API.

Webhook payload properties

A webhook action invokes a single HTTP POST request. The service that's called should support webhooks and know how to use the payload it receives.

Default webhook action properties and their custom JSON parameter names:

| Parameter | Variable | Description |
|---|---|---|
| AlertRuleName | #alertrulename | Name of the alert rule. |
| Severity | #severity | Severity set for the fired log alert. |
| AlertThresholdOperator | #thresholdoperator | Threshold operator for the alert rule. |
| AlertThresholdValue | #thresholdvalue | Threshold value for the alert rule. |
| LinkToSearchResults | #linktosearchresults | Link to the Analytics portal that returns the records from the query that created the alert. |
| LinkToSearchResultsAPI | #linktosearchresultsapi | Link to the Analytics API that returns the records from the query that created the alert. |
| LinkToFilteredSearchResultsUI | #linktofilteredsearchresultsui | Link to the Analytics portal that returns the records from the query, filtered by the dimension value combinations that created the alert. |
| LinkToFilteredSearchResultsAPI | #linktofilteredsearchresultsapi | Link to the Analytics API that returns the records from the query, filtered by the dimension value combinations that created the alert. |
| ResultCount | #searchresultcount | Number of records in the search results. |
| Search Interval End time | #searchintervalendtimeutc | End time for the query in UTC, with the format mm/dd/yyyy HH:mm:ss AM/PM. |
| Search Interval | #searchinterval | Time window for the alert rule, with the format HH:mm:ss. |
| Search Interval StartTime | #searchintervalstarttimeutc | Start time for the query in UTC, with the format mm/dd/yyyy HH:mm:ss AM/PM. |
| SearchQuery | #searchquery | Log search query used by the alert rule. |
| SearchResults | "IncludeSearchResults": true | Records returned by the query as a JSON table, limited to the first 1,000 records. "IncludeSearchResults": true is added to a custom JSON webhook definition as a top-level property. |
| Dimensions | "IncludeDimensions": true | Dimension value combinations that triggered the alert, as a JSON section. "IncludeDimensions": true is added to a custom JSON webhook definition as a top-level property. |
| Alert Type | #alerttype | The type of log alert rule, configured as Metric measurement or Number of results. |
| WorkspaceID | #workspaceid | ID of your Log Analytics workspace. |
| Application ID | #applicationid | ID of your Application Insights app. |
| Subscription ID | #subscriptionid | ID of the Azure subscription used. |

Custom webhook payload definition

You can use the Include custom JSON payload for webhook option to get a custom JSON payload that uses the parameters above. You can also generate additional properties. For example, you might specify the following custom payload, which includes a single parameter called text that the service called by this webhook expects:

    {
        "text":"#alertrulename fired with #searchresultcount over threshold of #thresholdvalue."
    }

When it's sent to the webhook, this example payload resolves to something like the following:

    {
        "text":"My Alert Rule fired with 18 records over threshold of 10 ."
    }

Variables in a custom webhook must be specified within a JSON string. For example, referencing "#searchresultcount" in the webhook example above is replaced with the record count from the alert results.

To include search results, add IncludeSearchResults as a top-level property in the custom JSON. Search results are included as a JSON structure, so individual results can't be referenced in custom-defined fields.

Note

The View Webhook button next to the Include custom JSON payload for webhook option displays a preview of what was provided. It doesn't contain actual data, but it is representative of the JSON schema that will be used.

Sample payloads

This section shows sample webhook payloads for log alerts, both when the payload is standard and when it's custom.

Log alert for Log Analytics

The following sample payload is for a standard webhook action used for alerts based on Log Analytics:

{
   "schemaId":"Microsoft.Insights/LogAlert",
   "data":{
      "SubscriptionId":"12345a-1234b-123c-123d-12345678e",
      "AlertRuleName":"AcmeRule",
      "SearchQuery":"Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 5m), Computer",
      "SearchIntervalStartTimeUtc":"2018-03-26T08:10:40Z",
      "SearchIntervalEndtimeUtc":"2018-03-26T09:10:40Z",
      "AlertThresholdOperator":"Greater Than",
      "AlertThresholdValue":0,
      "ResultCount":2,
      "SearchIntervalInSeconds":3600,
      "LinkToSearchResults":"https://portal.azure.cn/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
      "LinkToFilteredSearchResultsUI":"https://portal.azure.cn/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
      "LinkToSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat&timespan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",
      "LinkToFilteredSearchResultsAPI":"https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat&timespan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",
      "Description":"log alert rule",
      "Severity":"Warning",
      "AffectedConfigurationItems":[
         "INC-Gen2Alert"
      ],
      "Dimensions":[
         {
            "name":"Computer",
            "value":"INC-Gen2Alert"
         }
      ],
      "SearchResult":{
         "tables":[
            {
               "name":"PrimaryResult",
               "columns":[
                  {
                     "name":"$table",
                     "type":"string"
                  },
                  {
                     "name":"Computer",
                     "type":"string"
                  },
                  {
                     "name":"TimeGenerated",
                     "type":"datetime"
                  }
               ],
               "rows":[
                  [
                     "Fabrikam",
                     "33446677a",
                     "2018-02-02T15:03:12.18Z"
                  ],
                  [
                     "Contoso",
                     "33445566b",
                     "2018-02-02T15:16:53.932Z"
                  ]
               ]
            }
         ]
      },
      "WorkspaceId":"12345a-1234b-123c-123d-12345678e",
      "AlertType":"Metric measurement"
   }
}
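As an added example (not from this page or from Azure's own tooling), the following Python handler consumes a payload like the one above: it checks schemaId, flattens the SearchResult tables into one dict per row, and falls back to the filtered API link when search results were omitted, as the note on the common alert schema describes. The embedded payload is a constructed, trimmed copy of the sample.

```python
import json
from typing import Any

EXPECTED_SCHEMA = "Microsoft.Insights/LogAlert"

# Constructed sample input, trimmed from the page's Log Analytics payload.
SAMPLE_PAYLOAD = json.dumps({
    "schemaId": EXPECTED_SCHEMA,
    "data": {
        "AlertRuleName": "AcmeRule",
        "Severity": "Warning",
        "ResultCount": 2,
        "LinkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat",
        "Dimensions": [{"name": "Computer", "value": "INC-Gen2Alert"}],
        "SearchResult": {"tables": [{
            "name": "PrimaryResult",
            "columns": [{"name": "$table", "type": "string"},
                        {"name": "Computer", "type": "string"},
                        {"name": "TimeGenerated", "type": "datetime"}],
            "rows": [["Fabrikam", "33446677a", "2018-02-02T15:03:12.18Z"],
                     ["Contoso", "33445566b", "2018-02-02T15:16:53.932Z"]],
        }]},
    },
})


def rows_as_dicts(search_result: dict[str, Any]) -> list[dict[str, Any]]:
    """Turn the columns/rows table layout into a list of {column: value} dicts."""
    out: list[dict[str, Any]] = []
    for table in search_result.get("tables", []):
        names = [c["name"] for c in table.get("columns", [])]
        for row in table.get("rows", []):
            if len(row) != len(names):
                raise ValueError("row length does not match column count")
            out.append(dict(zip(names, row)))
    return out


def parse_log_alert(body: str) -> dict[str, Any]:
    """Parse a webhook body; reject unknown schemas, flatten results or report where to fetch them."""
    payload = json.loads(body)
    if payload.get("schemaId") != EXPECTED_SCHEMA:
        raise ValueError(f"unexpected schemaId: {payload.get('schemaId')!r}")
    data = payload["data"]
    summary: dict[str, Any] = {
        "rule": data["AlertRuleName"],
        "severity": data.get("Severity"),
        "result_count": data.get("ResultCount"),
        "dimensions": {d["name"]: d["value"] for d in data.get("Dimensions", [])},
        "rows": [],
        "fetch_from": None,
    }
    if "SearchResult" in data:
        summary["rows"] = rows_as_dicts(data["SearchResult"])
    else:
        # Alerts over the size limit omit results; query them through the API links instead.
        summary["fetch_from"] = data.get("LinkToFilteredSearchResultsAPI") or data.get("LinkToSearchResultsAPI")
    return summary


if __name__ == "__main__":
    print(json.dumps(parse_log_alert(SAMPLE_PAYLOAD), indent=2))
```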

Log alert for Application Insights

The following sample payload is for a standard webhook used for log alerts based on Application Insights resources:

{
    "schemaId": "Microsoft.Insights/LogAlert",
    "data": {
        "SubscriptionId": "12345a-1234b-123c-123d-12345678e",
        "AlertRuleName": "AcmeRule",
        "SearchQuery": "requests | where resultCode == \"500\" | summarize AggregatedValue = Count by bin(Timestamp, 5m), IP",
        "SearchIntervalStartTimeUtc": "2018-03-26T08:10:40Z",
        "SearchIntervalEndtimeUtc": "2018-03-26T09:10:40Z",
        "AlertThresholdOperator": "Greater Than",
        "AlertThresholdValue": 0,
        "ResultCount": 2,
        "SearchIntervalInSeconds": 3600,
        "LinkToSearchResults": "https://portal.azure.cn/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
        "LinkToFilteredSearchResultsUI": "https://portal.azure.cn/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
        "LinkToSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",
        "LinkToFilteredSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",
        "Description": null,
        "Severity": "3",
        "Dimensions": [
            {
                "name": "IP",
                "value": "1.1.1.1"
            }
        ],
        "SearchResult": {
            "tables": [
                {
                    "name": "PrimaryResult",
                    "columns": [
                        {
                            "name": "$table",
                            "type": "string"
                        },
                        {
                            "name": "Id",
                            "type": "string"
                        },
                        {
                            "name": "Timestamp",
                            "type": "datetime"
                        }
                    ],
                    "rows": [
                        [
                            "Fabrikam",
                            "33446677a",
                            "2018-02-02T15:03:12.18Z"
                        ],
                        [
                            "Contoso",
                            "33445566b",
                            "2018-02-02T15:16:53.932Z"
                        ]
                    ]
                }
            ]
        },
        "ApplicationId": "123123f0-01d3-12ab-123f-abc1ab01c0a1",
        "AlertType": "Metric measurement"
    }
}

Log alert for other resource logs (from API version 2020-05-01-preview)

Note

There are currently no additional charges for API version 2020-05-01-preview and resource-centric log alerts. Pricing for features that are in preview will be announced in the future, with notice provided before billing starts. If you choose to continue using the new API version and resource-centric log alerts after the notice period, you will be billed at the applicable rate.

The following sample payload is for a standard webhook used for log alerts based on other resource logs (excluding workspaces and Application Insights):

{
    "schemaId": "azureMonitorCommonAlertSchema",
    "data": {
        "essentials": {
            "alertId": "/subscriptions/12345a-1234b-123c-123d-12345678e/providers/Microsoft.AlertsManagement/alerts/12345a-1234b-123c-123d-12345678e",
            "alertRule": "AcmeRule",
            "severity": "Sev4",
            "signalType": "Log",
            "monitorCondition": "Fired",
            "monitoringService": "Log Alerts V2",
            "alertTargetIDs": [
                "/subscriptions/12345a-1234b-123c-123d-12345678e/resourcegroups/ai-engineering/providers/microsoft.compute/virtualmachines/testvm"
            ],
            "originAlertId": "123c123d-1a23-1bf3-ba1d-dd1234ff5a67",
            "firedDateTime": "2020-07-09T14:04:49.99645Z",
            "description": "log alert rule V2",
            "essentialsVersion": "1.0",
            "alertContextVersion": "1.0"
        },
        "alertContext": {
            "properties": null,
            "conditionType": "LogQueryCriteria",
            "condition": {
                "windowSize": "PT10M",
                "allOf": [
                    {
                        "searchQuery": "Heartbeat",
                        "metricMeasure": null,
                        "targetResourceTypes": "['Microsoft.Compute/virtualMachines']",
                        "operator": "LowerThan",
                        "threshold": "1",
                        "timeAggregation": "Count",
                        "dimensions": [
                            {
                                "name": "ResourceId",
                                "value": "/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/TEST/providers/Microsoft.Compute/virtualMachines/testvm"
                            }
                        ],
                        "metricValue": 0.0,
                        "failingPeriods": {
                            "numberOfEvaluationPeriods": 1,
                            "minFailingPeriodsToAlert": 1
                        },
                        "linkToSearchResultsUI": "https://portal.azure.cn#@12f345bf-12f3-12af-12ab-1d2cd345db67/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F12345a-1234b-123c-123d-12345678e%2FresourceGroups%2FTEST%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2Ftestvm%22%7D%5D%7D/q/eJzzSE0sKklKTSypUSjPSC1KVQjJzE11T81LLUosSU1RSEotKU9NzdNIAfJKgDIaRgZGBroG5roGliGGxlYmJlbGJnoGEKCpp4dDmSmKMk0A/prettify/1/timespan/2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
                        "linkToFilteredSearchResultsUI": "https://portal.azure.cn#@12f345bf-12f3-12af-12ab-1d2cd345db67/blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/source/Alerts.EmailLinks/scope/%7B%22resources%22%3A%5B%7B%22resourceId%22%3A%22%2Fsubscriptions%2F12345a-1234b-123c-123d-12345678e%2FresourceGroups%2FTEST%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2Ftestvm%22%7D%5D%7D/q/eJzzSE0sKklKTSypUSjPSC1KVQjJzE11T81LLUosSU1RSEotKU9NzdNIAfJKgDIaRgZGBroG5roGliGGxlYmJlbGJnoGEKCpp4dDmSmKMk0A/prettify/1/timespan/2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
                        "linkToSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/TEST/providers/Microsoft.Compute/virtualMachines/testvm/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282020-07-09T13%3A44%3A34.0000000%29..datetime%282020-07-09T13%3A54%3A34.0000000%29%29&timespan=2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z",
                        "linkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/subscriptions/12345a-1234b-123c-123d-12345678e/resourceGroups/TEST/providers/Microsoft.Compute/virtualMachines/testvm/query?query=Heartbeat%7C%20where%20TimeGenerated%20between%28datetime%282020-07-09T13%3A44%3A34.0000000%29..datetime%282020-07-09T13%3A54%3A34.0000000%29%29&timespan=2020-07-07T13%3a54%3a34.0000000Z%2f2020-07-09T13%3a54%3a34.0000000Z"
                    }
                ],
                "windowStartTime": "2020-07-07T13:54:34Z",
                "windowEndTime": "2020-07-09T13:54:34Z"
            }
        }
    }
}

Log alert with a custom JSON payload

For example, to create a custom payload that includes just the alert name and the search results, use this configuration:

    {
       "alertname":"#alertrulename",
       "IncludeSearchResults":true
    }

The following sample payload is for a custom webhook action for any log alert:

    {
        "alertname":"AcmeRule",
        "IncludeSearchResults":true,
        "SearchResults":{
            "tables":[
                {
                    "name":"PrimaryResult",
                    "columns":[
                        {"name":"$table","type":"string"},
                        {"name":"Id","type":"string"},
                        {"name":"TimeGenerated","type":"datetime"}
                    ],
                    "rows":[
                        ["Fabrikam","33446677a","2018-02-02T15:03:12.18Z"],
                        ["Contoso","33445566b","2018-02-02T15:16:53.932Z"]
                    ]
                }
            ]
        }
    }

Next steps