Azure Monitor 日志的结构Structure of Azure Monitor Logs

使用日志查询快速洞察数据是 Azure Monitor 提供的一项强大功能。The ability to quickly gain insights into your data using a log query is a powerful feature of Azure Monitor. 若要创建高效且有用的查询,应该了解一些基本概念,例如,所需数据的位置及其构建方式。To create efficient and useful queries, you should understand some basic concepts such as where the data you want is located and how it's structured. 本文将会介绍可帮助你入门的基本概念。This article provides the basic concepts you need to get started.

概述Overview

Azure Monitor 日志中的数据存储在 Log Analytics 工作区或 Application Insights 应用程序中。Data in Azure Monitor Logs is stored in either a Log Analytics workspace or an Application Insights application. 两者都由 Azure 数据资源管理器提供支持,这意味着,它们将利用数据资源管理器的强大数据引擎和查询语言。Both are powered by Azure Data Explorer meaning that they leverage its powerful data engine and query language.

工作区和应用程序中的数据组织成表,每个表存储不同类型的数据,并且有自身独特的属性集。Data in both workspaces and applications is organized into tables, each of which stores different kinds of data and has its own unique set of properties. 大多数数据源将数据写入到 Log Analytics 工作区中其自身的表内,而 Application Insights 将数据写入到 Application Insights 应用程序中一组预定义的表内。Most data sources will write to their own tables in a Log Analytics workspace, while Application Insights will write to a predefined set of tables in an Application Insights application. 日志查询非常灵活,可让你轻松组合多个表的数据,甚至使用跨资源查询组合多个工作区中的表的数据,或者编写查询来组合工作区数据和应用程序数据。Log queries are very flexible allowing you to easily combine data from multiple tables and even use a cross-resource query to combine data from tables in multiple workspaces or to write queries that combine workspace and application data.

下图显示了写入到示例查询中使用的不同表的数据源示例。The following image shows examples of data sources that write to different tables that are used in sample queries.

表

Log Analytics 工作区Log Analytics workspace

Azure Monitor 日志收集的所有数据(Application Insights 数据除外)存储在 Log Analytics 工作区中。All data collected by Azure Monitor Logs except for Application Insights is stored in a Log Analytics workspace. 可以根据特定要求创建一个或多个工作区。You can create one or more workspaces depending on your particular requirements. 数据源(例如来自 Azure 资源的活动日志和资源日志、虚拟机上的代理,以及来自见解和监视解决方案的数据)会将数据写入你配置为其载入一部分的一个或多个工作区。Data Sources such as activity logs and resource logs from Azure resources, agents on virtual machines, and data from insights and monitoring solutions will write data to one or more workspaces that you configure as part of their onboarding. 其他服务(例如 Azure 安全中心)会使用 Log Analytics 工作区来存储其数据,以便使用日志查询以及来自其他源的监视数据对其进行分析。Other services such as Azure Security Center also use a Log Analytics workspace to store their data so it can be analyzed using log queries along with monitoring data from other sources.

不同类型的数据存储在工作区中的不同表内,每个表具有独特的属性集。Different kinds of data are stored in different tables in the workspace, and each table has a unique set of properties. 创建工作区后,会将一组标准表添加到其中;加入不同的数据源、解决方案和服务后,将添加其新表。A standard set of tables are added to a workspace when it's created, and new tables are added for different data sources, solutions, and services as they're onboarded. 还可以使用数据收集器 API 创建自定义表。You can also create custom tables using the Data Collector API.

可以在工作区的 Log Analytics 中的“架构”选项卡上浏览工作区中的表及其架构。You can browse the tables in a workspace and their schema in the Schema tab in Log Analytics for the workspace.

工作区架构

使用以下查询列出工作区中的表,以及在前一天收集到每个表中的记录数。Use the following query to list the tables in the workspace and the number of records collected into each over the previous day.

union withsource = table * 
| where TimeGenerated > ago(1d)
| summarize count() by table
| sort by table asc

有关创建的表的详细信息,请参阅每个数据源的文档。See documentation for each data source for details of the tables they create. 例如,参阅有关代理数据源资源日志监视解决方案的文章。Examples include articles for agent data sources, resource logs, and monitoring solutions.

工作区权限Workspace permissions

请参阅设计 Azure Monitor 日志部署,以了解访问控制策略和提供对工作区中数据的访问的建议。See Designing an Azure Monitor Logs deployment to understand the access control strategy and recommendations to provide access to data in a workspace. 除了授予对工作区本身的访问权限外,还可以使用表级 RBAC 限制对单个表的访问。In addition to granting access to the workspace itself, you can limit access to individual tables using Table Level RBAC.

Application Insights 应用程序Application Insights application

在 Application Insights 中创建应用程序时,会自动在 Azure Monitor 日志中创建相应的应用程序。When you create an application in Application Insights, a corresponding application is automatically created in Azure Monitor Logs. 无需进行任何配置即可收集数据,应用程序会自动写入页面查看次数、请求和异常等监视数据。No configuration is required to collect data, and the application will automatically write monitoring data such as page views, requests, and exceptions.

与 Log Analytics 工作区不同,Application Insights 应用程序具有固定的一组表。Unlike a Log Analytics workspace, an Application Insights application has a fixed set of tables. 无法将其他数据源配置为写入到应用程序,因此无法创建其他表。You can't configure other data sources to write to the application so no additional tables can be created.

Table 说明Description
availabilityResultsavailabilityResults 可用性测试中的摘要数据。Summary data from availability tests.
browserTimingsbrowserTimings 有关客户端性能的数据,例如处理传入数据所用的时间。Data about client performance, such as the time taken to process the incoming data.
customEventscustomEvents 应用程序创建的自定义事件。Custom events created by your application.
customMetricscustomMetrics 应用程序创建的自定义指标。Custom metrics created by your application.
dependenciesdependencies 从应用程序到通过 TrackDependency() 记录的其他组件(包括外部组件)的调用 - 例如,对 REST API、数据库或文件系统的调用。Calls from the application to other components (including external components) recorded via TrackDependency() - for example, calls to REST API, database or a file system.
exceptionsexceptions 应用程序运行时引发的异常捕获服务器端和客户端(浏览器)异常。Exceptions thrown by the application runtime, captures both server side and client-side (browsers) exceptions.
pageViewspageViews 每个网站的浏览情况数据,以及浏览器信息。Data about each website view with browser information.
performanceCountersperformanceCounters 支持应用程序的计算资源的性能度量,例如 Windows 性能计数器。Performance measurements from the compute resources supporting the application, for example, Windows performance counters.
请求requests 应用程序收到的请求。Requests received by your application. 例如,为 Web 应用接收到的每个 HTTP 请求记录一条单独的请求记录。For example, a separate request record is logged for each HTTP request that your web app receives.
tracestraces 通过 TrackTrace () 记录的应用程序代码/日志记录框架发出的详细日志(跟踪)。Detailed logs (traces) emitted through application code/logging frameworks recorded via TrackTrace().

可以在应用程序的 Log Analytics 的“架构”选项卡中查看每个表的架构。You can view the schema for each table in the Schema tab in Log Analytics for the application.

应用程序架构

标准属性Standard properties

尽管 Azure Monitor 日志中的每个表具有自身的架构,但所有表共享某些标准属性。While each table in Azure Monitor Logs has its own schema, there are standard properties shared by all tables. 有关详细信息,请参阅 Azure Monitor 日志中的标准属性See Standard properties in Azure Monitor Logs for details of each.

Log Analytics 工作区Log Analytics workspace Application Insights 应用程序Application Insights application 说明Description
TimeGeneratedTimeGenerated timestamptimestamp 创建记录的日期和时间。Date and time the record was created.
类型Type itemTypeitemType 从中检索到该记录的表的名称。Name of the table the record was retrieved from.
_ResourceId_ResourceId 与该记录关联的资源的唯一标识符。Unique identifier for the resource the record is associated with.
_IsBillable_IsBillable 指定是否对引入的数据计费。Specifies whether ingested data is billable.
_BilledSize_BilledSize 指定要计费的数据大小(以字节为单位)。Specifies the size in bytes of data that will be billed.

后续步骤Next steps