Audit queries in Azure Monitor Logs (preview)

Log query audit logs provide telemetry about log queries run in Azure Monitor. This includes information such as when a query was run, who ran it, what tool was used, the query text, and performance statistics describing the query's execution.

Configure query auditing

Query auditing is enabled with a diagnostic setting on the Log Analytics workspace. This lets you send the audit data to the current workspace or to any other workspace in your subscription, to Azure Event Hubs for delivery outside of Azure, or to Azure Storage for archiving.

Azure portal

Access the diagnostic setting for a Log Analytics workspace in the Azure portal in either of the following locations:

  • From the Azure Monitor menu, select Diagnostic settings, and then locate and select the workspace.

  • From the Log Analytics workspaces menu, select the workspace, and then select Diagnostic settings.

Resource Manager template

You can get an example Resource Manager template from Diagnostic setting for Log Analytics workspace.

Audit data

An audit record is created each time a query is run. If you send the data to a Log Analytics workspace, it's stored in a table called LAQueryLogs. The following table describes the properties in each record of the audit data.

Field: Description
TimeGenerated: UTC time when the query was submitted.
CorrelationId: Unique ID that identifies the query. Can be used in troubleshooting scenarios when contacting Microsoft for assistance.
AADObjectId: Azure Active Directory ID of the user account that started the query.
AADTenantId: ID of the tenant of the user account that started the query.
AADEmail: Email of the tenant of the user account that started the query.
AADClientId: ID and resolved name of the application used to start the query.
RequestClientApp: Resolved name of the application used to start the query.
QueryTimeRangeStart: Start of the time range selected for the query. This may not be populated in certain scenarios, such as when the query is started from Log Analytics and the time range is specified inside the query rather than in the time picker.
QueryTimeRangeEnd: End of the time range selected for the query. This may not be populated in certain scenarios, such as when the query is started from Log Analytics and the time range is specified inside the query rather than in the time picker.
QueryText: Text of the query that was run.
RequestTarget: API URL that was used to submit the query.
RequestContext: List of resources that the query was requested to run against. Contains up to three string arrays: workspaces, applications, and resources. Subscription- or resource-group-targeted queries show as resources. Includes the target implied by RequestTarget.
    The resource ID for each resource is included if it can be resolved. It may not be resolvable if an error is returned when accessing the resource; in that case, the specific text from the query is used.
    If the query uses an ambiguous name, such as a workspace name that exists in multiple subscriptions, this ambiguous name is used.
RequestContextFilters: Set of filters specified as part of the query invocation. Includes up to three possible string arrays:
    - ResourceTypes: type of resource to limit the scope of the query
    - Workspaces: list of workspaces to limit the query to
    - WorkspaceRegions: list of workspace regions to limit the query to
ResponseCode: HTTP response code returned when the query was submitted.
ResponseDurationMs: Time taken for the response to be returned.
ResponseRowCount: Total number of rows returned by the query.
StatsCPUTimeMs: Total compute time used for computing, parsing, and data fetching. Only populated if the query returns status code 200.
StatsDataProcessedKB: Amount of data that was accessed to process the query. Influenced by the size of the target table, the time span used, the filters applied, and the number of columns referenced. Only populated if the query returns status code 200.
StatsDataProcessedStart: Time of the oldest data that was accessed to process the query. Influenced by the query's explicit time span and the filters applied. This might be larger than the explicit time span because of data partitioning. Only populated if the query returns status code 200.
StatsDataProcessedEnd: Time of the newest data that was accessed to process the query. Influenced by the query's explicit time span and the filters applied. This might be larger than the explicit time span because of data partitioning. Only populated if the query returns status code 200.
StatsWorkspaceCount: Number of workspaces accessed by the query. Only populated if the query returns status code 200.
StatsRegionCount: Number of regions accessed by the query. Only populated if the query returns status code 200.

Considerations

  • Queries are only logged when executed in a user context. Service-to-service queries within Azure are not logged. The two primary sets of queries this exclusion covers are billing calculations and automated alert executions. In the case of alerts, only the scheduled alert query itself is not logged; the initial execution of the alert in the alert creation screen runs in a user context and is available for audit purposes.
  • Performance statistics are not available for queries coming from the Azure Data Explorer proxy. All other data for these queries is still populated.
  • The h hint on strings, which obfuscates string literals, has no effect on the query audit logs. Queries are captured exactly as submitted, without the string being obfuscated. You should ensure that only users who have compliance rights to see this data are able to do so, using the various Kubernetes RBAC or Azure RBAC modes available in Log Analytics workspaces.
  • For queries that include data from multiple workspaces, the query is only captured in those workspaces to which the user has access.
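The following Python triage is an added example, not part of the Azure documentation or of any Microsoft tooling. It parses a constructed set of LAQueryLogs records, using the field names from the audit data table above, and applies the semantics described there and in the considerations: Stats* fields are read only for status 200 responses, non-200 responses, unusually large scans and queries that touched several workspaces are flagged, and a per-user summary is built from AADEmail. The JSON-lines shape (as an assumed form for an Event Hubs or Storage destination), the sample values and the thresholds are assumptions.

```python
import json
from collections import defaultdict

# Constructed LAQueryLogs records in JSON-lines form (an assumed export
# shape for an Event Hubs or Storage destination); all values are made up.
SAMPLE_JSONL = "\n".join([
    '{"TimeGenerated":"2021-03-01T10:00:00Z","AADEmail":"alice@example.com",'
    '"RequestClientApp":"AzurePortal","QueryText":"Heartbeat | take 10",'
    '"ResponseCode":200,"ResponseDurationMs":210,"ResponseRowCount":10,'
    '"StatsCPUTimeMs":40,"StatsDataProcessedKB":512,"StatsWorkspaceCount":1}',
    '{"TimeGenerated":"2021-03-01T10:05:00Z","AADEmail":"bob@example.com",'
    '"RequestClientApp":"Unknown","QueryText":"search *",'
    '"ResponseCode":200,"ResponseDurationMs":9800,"ResponseRowCount":50000,'
    '"StatsCPUTimeMs":7200,"StatsDataProcessedKB":3145728,"StatsWorkspaceCount":3}',
    # Non-200 response: per the schema, the Stats* fields are absent here.
    '{"TimeGenerated":"2021-03-01T10:07:00Z","AADEmail":"bob@example.com",'
    '"RequestClientApp":"Unknown","QueryText":"SecurityEvent | take 1",'
    '"ResponseCode":403,"ResponseDurationMs":15,"ResponseRowCount":0}',
])


def parse_records(jsonl):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def triage(records, max_kb=1_000_000, max_workspaces=1):
    """Return (reason, record) findings: failed queries, large scans and
    queries that touched more workspaces than expected (thresholds assumed)."""
    findings = []
    for r in records:
        if r.get("ResponseCode") != 200:
            # Stats* are only populated on 200, so only the failure is recorded.
            findings.append(("failed_query", r))
            continue
        if r.get("StatsDataProcessedKB", 0) > max_kb:
            findings.append(("large_scan", r))
        if r.get("StatsWorkspaceCount", 0) > max_workspaces:
            findings.append(("multi_workspace", r))
    return findings


def summarize_by_user(records):
    """Per-user query and failure counts keyed by AADEmail."""
    summary = defaultdict(lambda: {"queries": 0, "failed": 0})
    for r in records:
        entry = summary[r.get("AADEmail", "<unknown>")]
        entry["queries"] += 1
        if r.get("ResponseCode") != 200:
            entry["failed"] += 1
    return dict(summary)
```

Because QueryText is stored verbatim (the h hint does not obfuscate it), any tool that reads these records should itself be restricted to users with the compliance rights noted above.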

Costs

There is no cost for the Azure Diagnostic Extension, but you may incur charges for the data ingested. Check Azure Monitor pricing for the destination where you're collecting the data.

Next steps