Tutorial: Collect and analyze resource logs from an Azure resource

Resource logs provide insight into the detailed operation of an Azure resource and are useful for monitoring its health and availability. Azure resources generate resource logs automatically, but you must configure where they should be collected. This tutorial takes you through the process of creating a diagnostic setting to collect resource logs for a resource in your Azure subscription and analyzing them with a log query.

In this tutorial, you learn how to:

  • Create a Log Analytics workspace in Azure Monitor
  • Create a diagnostic setting to collect resource logs
  • Create a simple log query to analyze logs

Prerequisites

To complete this tutorial, you need an Azure resource to monitor. You can use any resource in your Azure subscription that supports diagnostic settings. To determine whether a resource supports diagnostic settings, go to its menu in the Azure portal and verify that there's a Diagnostic settings option in the Monitoring section of the menu.

Log in to Azure

Log in to the Azure portal at https://portal.azure.cn.

Create a workspace

A Log Analytics workspace in Azure Monitor collects and indexes log data from a variety of sources and allows advanced analysis using a powerful query language. The Log Analytics workspace needs to exist before you create a diagnostic setting to send data into it. You can use an existing workspace in your Azure subscription or create one with the following procedure.

Note

While you can work with data in Log Analytics workspaces in the Azure Monitor menu, you create and manage workspaces in the Log Analytics workspaces menu.

  1. From All services, select Log Analytics workspaces.

  2. Click Add at the top of the screen and provide the following details for the workspace:

    • Log Analytics workspace: Name for the new workspace. This name must be globally unique across all Azure Monitor subscriptions.
    • Subscription: Select the subscription to store the workspace. This does not need to be the same subscription as the resource being monitored.
    • Resource Group: Select an existing resource group or click Create new to create a new one. This does not need to be the same resource group as the resource being monitored.
    • Location: Select an Azure region or create a new one. This does not need to be the same location as the resource being monitored.
    • Pricing tier: Select Pay-as-you-go as the pricing tier. You can change this pricing tier later. Click the Log Analytics pricing link to learn more about different pricing tiers.

  3. Click OK to create the workspace.

Create a diagnostic setting

Diagnostic settings define where resource logs should be sent for a particular resource. A single diagnostic setting can have multiple destinations, but we'll only use a Log Analytics workspace in this tutorial.

  1. Under the Monitoring section of your resource's menu, select Diagnostic settings.

  2. You should see the message "No diagnostic settings defined". Click Add diagnostic setting.

  3. Each diagnostic setting has three basic parts:

    • Name: This has no significant effect and should simply be descriptive to you.
    • Destinations: One or more destinations to send the logs. All Azure services share the same set of three possible destinations. Each diagnostic setting can define one or more destinations but no more than one destination of a particular type.
    • Categories: Categories of logs to send to each of the destinations. The set of categories will vary for each Azure service.

  4. Select Send to Log Analytics workspace and then select the workspace that you created.

  5. Select the categories that you want to collect. See the documentation for each service for a definition of its available categories.

  6. Click Save to save the diagnostic settings.

Use a log query to retrieve logs

Data is retrieved from a Log Analytics workspace using a log query written in Kusto Query Language (KQL). Insights and solutions in Azure Monitor will provide log queries to retrieve data for a particular service, but you can work directly with log queries and their results in the Azure portal with Log Analytics.

  1. Under the Monitoring section of your resource's menu, select Logs.

  2. Log Analytics opens with an empty query window with the scope set to your resource. Any queries will include only records from that resource.

    Note

    If you opened Logs from the Azure Monitor menu, the scope would be set to the Log Analytics workspace. In this case, any queries will include all records in the workspace.

  3. The service shown in the example writes resource logs to the AzureDiagnostics table, but other services may write to other tables. See Supported services, schemas, and categories for Azure Resource Logs for tables used by different Azure services.

    Note

    Multiple services write resource logs to the AzureDiagnostics table. If you start Log Analytics from the Azure Monitor menu, you need to add a where statement with the ResourceProvider column to specify your particular service. When you start Log Analytics from a resource's menu, the scope is set to only records from this resource, so this column isn't required. See the service's documentation for sample queries.

  4. Type in a query and click Run to inspect results.

  5. See Get started with log queries in Azure Monitor for a tutorial on writing log queries.
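
The following query is an added example, not part of the original tutorial. It is written for the workspace scope described in the note above, so it filters AzureDiagnostics on ResourceProvider, and it reports per resource and category when the last record arrived, which confirms that the new diagnostic setting is delivering each selected category. The provider value "MICROSOFT.LOGIC" and the 24-hour window are assumptions; substitute the values for the resource you configured.

```kusto
// Added example: confirm that each log category selected in the diagnostic
// setting is arriving in the workspace.
// Assumption: "MICROSOFT.LOGIC" is a sample ResourceProvider value; replace it
// with the provider of your own resource. When Logs is opened from the
// resource's menu, the ResourceProvider filter can be dropped because the
// scope is already limited to that resource.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider =~ "MICROSOFT.LOGIC"
| summarize Records   = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by ResourceId, Category
// A category with a large gap since its last record, or one missing from the
// output entirely, points at a setting that is not collecting it.
| extend MinutesSinceLast = datetime_diff("minute", now(), LastSeen)
| order by MinutesSinceLast desc
```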

Next steps

Now that you've learned how to collect resource logs into a Log Analytics workspace, complete a tutorial on writing log queries to analyze this data.