Quickstart: Send Azure Activity log to Log Analytics workspace using an ARM template

The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. This quickstart shows how to use Azure Resource Manager templates (ARM templates) to create a Log Analytics workspace and a diagnostic setting that sends the Activity log to Azure Monitor Logs, where you can analyze it using log queries and enable other features such as log alerts and workbooks.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

Prerequisites

Create a Log Analytics workspace

Review the template

The following template creates an empty Log Analytics workspace. Save this template as CreateWorkspace.json.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the workspace."
      }
    },
    "sku": {
      "type": "string",
      "allowedValues": [
        "pergb2018",
        "Free",
        "Standalone",
        "PerNode",
        "Standard",
        "Premium"
      ],
      "defaultValue": "pergb2018",
      "metadata": {
        "description": "Pricing tier: PerGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers."
      }
    },
    "location": {
      "type": "string",
      "allowedValues": [
        "chinaeast2"
      ],
      "metadata": {
        "description": "Specifies the location for the workspace."
      }
    },
    "retentionInDays": {
      "type": "int",
      "defaultValue": 120,
      "metadata": {
        "description": "Number of days to retain data."
      }
    },
    "resourcePermissions": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "true to use resource or workspace permissions. false to require workspace permissions."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2020-03-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "name": "[parameters('sku')]"
        },
        "retentionInDays": "[parameters('retentionInDays')]",
        "features": {
          "searchVersion": 1,
          "legacy": 0,
          "enableLogAccessUsingOnlyResourcePermissions": "[parameters('resourcePermissions')]"
        }
      }
    }
  ]
}

This template defines one resource: Microsoft.OperationalInsights/workspaces.

Deploy the template

Deploy the template using any standard method for deploying an ARM template, such as the following examples using CLI and PowerShell. Replace the sample values for Resource Group, workspaceName, and location with appropriate values for your environment. The location must be one of the template's allowedValues. The workspace name must be unique among all Azure subscriptions.

az cloud set -n AzureChinaCloud
az login
az deployment group create \
    --name CreateWorkspace \
    --resource-group my-resource-group \
    --template-file CreateWorkspace.json \
    --parameters workspaceName='my-workspace-01' location='chinaeast2'

Validate the deployment

Verify that the workspace has been created using one of the following commands. Replace the sample values for Resource Group and workspaceName with the values you used above.

az monitor log-analytics workspace show --resource-group my-resource-group --workspace-name my-workspace-01

Create diagnostic setting

Review the template

The following template creates a diagnostic setting that sends the Activity log to a Log Analytics workspace. Save this template as CreateDiagnosticSetting.json.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "settingName": {
      "type": "String"
    },
    "workspaceId": {
      "type": "String"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[parameters('settingName')]",
      "dependsOn": [],
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          {
            "category": "Administrative",
            "enabled": true
          },
          {
            "category": "Alert",
            "enabled": true
          },
          {
            "category": "Autoscale",
            "enabled": true
          },
          {
            "category": "Policy",
            "enabled": true
          },
          {
            "category": "Recommendation",
            "enabled": true
          },
          {
            "category": "ResourceHealth",
            "enabled": true
          },
          {
            "category": "Security",
            "enabled": true
          },
          {
            "category": "ServiceHealth",
            "enabled": true
          }
        ]
      }
    }
  ]
}

This template defines one resource: Microsoft.Insights/diagnosticSettings.

Deploy the template

Deploy the template using any standard method for deploying an ARM template, such as the following examples using CLI and PowerShell. Replace the sample values for Resource Group, workspaceName, and location with appropriate values for your environment. The workspace name must be unique among all Azure subscriptions.

az deployment sub create --name CreateDiagnosticSetting --location chinanorth --template-file CreateDiagnosticSetting.json --parameters settingName='Send Activity log to workspace' workspaceId='/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/microsoft.operationalinsights/workspaces/my-workspace-01'
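Before running the two deployments above, it is worth pre-flighting the parameter values against the template's allowedValues (a location outside the list is rejected at deployment time), confirming the diagnostic setting forwards every Activity log category, and building the workspaceId string from its parts rather than hand-typing it. The checker below is an added example, not part of the original page; the trimmed parameter section and the logs array are constructed from the page's two templates, with "Security" deliberately switched off to show how a gap is reported.

```python
import json

# Constructed, trimmed copy of the "parameters" section of the page's
# CreateWorkspace.json (only the fields the checker needs).
WORKSPACE_PARAMETERS = json.loads("""{
  "workspaceName": {"type": "string"},
  "sku": {"type": "string", "allowedValues": ["pergb2018", "Free", "Standalone",
          "PerNode", "Standard", "Premium"], "defaultValue": "pergb2018"},
  "location": {"type": "string", "allowedValues": ["chinaeast2"]},
  "retentionInDays": {"type": "int", "defaultValue": 120},
  "resourcePermissions": {"type": "bool", "defaultValue": true}
}""")

# Every Activity log category the page's CreateDiagnosticSetting.json enables.
ACTIVITY_CATEGORIES = frozenset({"Administrative", "Alert", "Autoscale", "Policy",
                                 "Recommendation", "ResourceHealth", "Security", "ServiceHealth"})

# Constructed "logs" array in the shape of the page's template, with the
# "Security" category switched off so the gap check has something to report.
DIAGNOSTIC_LOGS = [{"category": c, "enabled": c != "Security"} for c in ACTIVITY_CATEGORIES]

def check_parameters(parameters, supplied):
    """Pre-flight the --parameters for 'az deployment group create'.
    Returns the problems Azure would otherwise reject: unknown names, required
    parameters (no defaultValue) that were not supplied, and values outside allowedValues."""
    problems = []
    for name in supplied:
        if name not in parameters:
            problems.append(f"unknown parameter {name!r}")
    for name, spec in parameters.items():
        if name not in supplied:
            if "defaultValue" not in spec:
                problems.append(f"missing required parameter {name!r}")
            continue
        allowed = spec.get("allowedValues")
        if allowed is not None and supplied[name] not in allowed:
            problems.append(f"{name}={supplied[name]!r} not in allowedValues {allowed}")
    return problems

def missing_categories(logs):
    """Activity log categories the diagnostic setting does not forward to the workspace."""
    enabled = {entry["category"] for entry in logs if entry.get("enabled")}
    return sorted(ACTIVITY_CATEGORIES - enabled)

def workspace_resource_id(subscription_id, resource_group, workspace_name):
    """Build the workspaceId parameter expected by CreateDiagnosticSetting.json."""
    return (f"/subscriptions/{subscription_id}/resourcegroups/{resource_group}"
            f"/providers/microsoft.operationalinsights/workspaces/{workspace_name}")
```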

Validate the deployment

Verify that the diagnostic setting has been created using one of the following commands. Replace the sample values for the subscription and setting name with the values you used above.

Note

You cannot currently retrieve subscription-level diagnostic settings using PowerShell.

az monitor diagnostic-settings show --resource '/subscriptions/00000000-0000-0000-0000-000000000000' --name 'Send Activity log to workspace'

Generate log data

Only new Activity log entries are sent to the Log Analytics workspace, so perform some actions in your subscription that will be logged, such as starting or stopping a virtual machine or creating or modifying another resource. You may need to wait a few minutes for the diagnostic setting to be created and for data to initially be written to the workspace. After this delay, all events written to the Activity log are sent to the workspace within a few seconds.

Retrieve data with a log query

Use Log Analytics in the Azure portal to retrieve data from the workspace. In the Azure portal, search for and then select Monitor.

[Screenshot: Azure portal]

Select Logs in the Azure Monitor menu. Close the Example queries page. If the scope isn't set to the workspace you created, click Select scope and locate it.

[Screenshot: Log Analytics scope]

In the query window, type AzureActivity and click Run. This is a simple query that returns all records in the AzureActivity table, which contains all the records sent from the Activity log.

[Screenshot: Simple query]

Expand one of the records to view its detailed properties.

[Screenshot: Expanded properties]

Try a more complex query such as AzureActivity | summarize count() by CategoryValue, which gives a count of events summarized by category.

[Screenshot: Complex query]

Clean up resources

If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the alert rule and the related resources. To delete the resource group by using Azure CLI or Azure PowerShell:

az group delete --name my-resource-group

Next steps

In this quickstart, you configured the Activity log to be sent to a Log Analytics workspace. You can now configure other data to be collected into the workspace, where you can analyze it together using log queries in Azure Monitor and use features such as log alerts and workbooks. You should next gather resource logs from your Azure resources, which complement the data in the Activity log by providing insight into the operations performed within each resource.