Send Azure Activity log to Log Analytics workspace using Azure portal

The Activity log is a platform log in Azure that provides insight into subscription-level events, such as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and the CLI. This quickstart shows how to use the Azure portal to create a Log Analytics workspace and a diagnostic setting that sends the Activity log to Azure Monitor Logs, where you can analyze it with log queries and enable other features such as log alerts and workbooks.

Sign in to Azure portal

Sign in to the Azure portal at https://portal.azure.cn.

Create a Log Analytics workspace

In the Azure portal, search for and then select Log Analytics workspaces.

Screenshot: Azure portal

Click Add, and then provide values for Resource group, workspace Name, and Location. The workspace name must be unique across all Azure subscriptions.

Screenshot: Create workspace

Click Review + create to review the settings, then Create to create the workspace. This selects the default Pay-as-you-go pricing tier, which incurs no charges until you start collecting a sufficient amount of data. There is no charge for collecting the Activity log.

Create diagnostic setting

In the Azure portal, search for and then select Monitor.

Screenshot: Azure portal

Select Activity log. You should see recent events for the current subscription. Click Diagnostic settings to view the diagnostic settings for this subscription.

Screenshot: Activity log

Click Add diagnostic setting to create a new setting.

Screenshot: Create diagnostic setting

Type in a name such as Send Activity log to workspace. Select each of the categories. Selecting every category rather than only Administrative matters for security use: the Security and Policy categories carry Security Center alerts and policy evaluation events that you will want alongside the administrative changes. Select Send to Log Analytics as the only destination and then specify the workspace you created. Click Save to create the diagnostic setting, then close the page.

Screenshot: New diagnostic setting

Generate log data

Only new Activity log entries are sent to the Log Analytics workspace; entries written before the setting existed are not backfilled, so if you need them, export them from the portal or CLI while they are still within the Activity log's 90-day retention. Perform some actions in your subscription that will be logged, such as starting or stopping a virtual machine or creating or modifying another resource. You may need to wait a few minutes for the diagnostic setting to be created and for data to initially be written to the workspace. After this delay, events written to the Activity log are sent to the workspace within a few seconds.

Retrieve data with a log query

Select Logs in the Azure Monitor menu. Close the Example queries page. If the scope isn't set to the workspace you created, click Select scope and locate it.

Screenshot: Log Analytics scope

In the query window, type AzureActivity and click Run. This simple query returns all records in the AzureActivity table, which holds every record sent from the Activity log.

Screenshot: Simple query

Expand one of the records to view its detailed properties.

Screenshot: Expand properties

Try a more complex query such as AzureActivity | summarize count() by CategoryValue, which gives a count of events summarized by category.

Screenshot: Complex query
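The same procedure driven from the Azure CLI rather than the portal, covering both the workspace and diagnostic-setting steps above and the query step, and going beyond the page's count-by-category query with a triage query a security engineer would actually run. This is an added example, not part of the original quickstart and not Microsoft's code: the resource group, workspace name, region, setting name and the list of operations in the query are assumptions you should change, and it assumes `az login` has already been run (for portal.azure.cn, after `az cloud set --name AzureChinaCloud`).

```shell
#!/bin/sh
# Added example: the quickstart's workspace, diagnostic setting and log query driven
# from the Azure CLI instead of the portal. The names and region below are assumptions,
# not values from the original page; change them to your own.
# Prerequisites: `az login` done; for portal.azure.cn run `az cloud set --name AzureChinaCloud` first.
set -eu

RG="${RG:-rg-monitoring}"                          # assumed resource group
WS="${WS:-law-activity-demo-001}"                  # assumed workspace name (must be globally unique)
LOCATION="${LOCATION:-chinaeast2}"                 # assumed region
SETTING="${SETTING:-Send Activity log to workspace}"

# The eight Activity log categories a subscription-level diagnostic setting can export,
# rendered as the JSON array that `--logs` expects. Enabling all of them is the CLI
# equivalent of "Select each of the categories" in the portal.
activity_log_categories_json() {
  out="["
  sep=""
  for c in Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth; do
    out="${out}${sep}{\"category\":\"${c}\",\"enabled\":true}"
    sep=","
  done
  printf '%s]\n' "$out"
}

# Creates the workspace and prints its ARM resource ID (the ID a diagnostic setting targets).
create_workspace() {
  az group create --name "$RG" --location "$LOCATION" --output none
  az monitor log-analytics workspace create \
    --resource-group "$RG" --workspace-name "$WS" --location "$LOCATION" --output none
  az monitor log-analytics workspace show \
    --resource-group "$RG" --workspace-name "$WS" --query id --output tsv
}

# Subscription-level diagnostic setting: Activity log -> the workspace, all categories.
create_diagnostic_setting() {
  workspace_id="$1"
  az monitor diagnostic-settings subscription create \
    --name "$SETTING" \
    --location "$LOCATION" \
    --workspace "$workspace_id" \
    --logs "$(activity_log_categories_json)" \
    --output none
}

# Triage query: successful high-impact control-plane writes in the last day, grouped by
# who performed them and from where. The operation list is an assumed starting point,
# not an exhaustive set. Both "Success" and "Succeeded" appear as status values in
# practice, hence the case-insensitive in~ on both.
triage_query() {
  cat <<'KQL'
AzureActivity
| where TimeGenerated > ago(1d)
| where CategoryValue == "Administrative"
| where OperationNameValue has_any (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Insights/diagnosticSettings/delete")
| where ActivityStatusValue in~ ("Success", "Succeeded")
| summarize Events = count(), Operations = make_set(OperationNameValue), Resources = make_set(_ResourceId)
    by Caller, CallerIpAddress, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
KQL
}

# Runs the query. Queries address the workspace by its customer ID (a GUID), not by the
# ARM resource ID that the diagnostic setting used above.
run_query() {
  customer_id="$(az monitor log-analytics workspace show \
    --resource-group "$RG" --workspace-name "$WS" --query customerId --output tsv)"
  az monitor log-analytics query --workspace "$customer_id" \
    --analytics-query "$(triage_query)" --output table
}

main() {
  ws_id="$(create_workspace)"
  create_diagnostic_setting "$ws_id"
  echo "Setting '$SETTING' created. Perform some subscription-level operations, wait a few minutes, then run run_query."
  run_query
}

# Only talk to Azure when the CLI is installed; without it the functions are merely defined.
if command -v az >/dev/null 2>&1; then
  main
fi
```

The query deliberately filters to Administrative and to successful operations: a deleted diagnostic setting or a new role assignment that actually took effect is what needs review, whereas failed attempts belong in a separate query keyed on ActivityStatusValue failures and grouped by CallerIpAddress.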

Next steps

In this quickstart, you configured the Activity log to be sent to a Log Analytics workspace. You can now configure other data to be collected into the workspace, where you can analyze it together using log queries in Azure Monitor and use features such as log alerts and workbooks. You should next gather resource logs from your Azure resources, which complement the data in the Activity log by providing insight into the operations performed within each resource.