Azure Activity log

The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. For additional functionality, you should create a diagnostic setting to send the Activity log to Azure Monitor Logs, to Azure Event Hubs to forward outside of Azure, or to Azure Storage for archiving. This article provides details on viewing the Activity log and sending it to different destinations.

See Create diagnostic settings to send platform logs and metrics to different destinations for details on creating a diagnostic setting.


Entries in the Activity log are system generated and cannot be changed or deleted. That guarantee covers the copy the platform itself holds for 90 days; once entries are exported to a storage account or forwarded elsewhere, their integrity depends on how that destination is protected.

View the Activity log

You can access the Activity log from most menus in the Azure portal. The menu that you open it from determines its initial filter. If you open it from the Monitor menu, the only filter will be on the subscription. If you open it from a resource's menu, the filter will be set to that resource. You can always change the filter to view all other entries. Click Add Filter to add additional properties to the filter.


For a description of Activity log categories, see Azure Activity Log event schema.

Other methods to retrieve Activity log events

You can also access Activity log events using the following methods.

Send to Log Analytics workspace

Send the Activity log to a Log Analytics workspace to enable the features of Azure Monitor Logs, which include the following:

  • Correlate Activity log data with other monitoring data collected by Azure Monitor.
  • Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.
  • Use log queries to perform complex analysis and gain deep insights on Activity log entries.
  • Use log alerts with Activity log entries, allowing for more complex alerting logic.
  • Store Activity log entries for longer than 90 days.
  • No data ingestion or data retention charge for Activity log data stored in a Log Analytics workspace.

Create a diagnostic setting to send the Activity log to a Log Analytics workspace. You can send the Activity log from any single subscription to up to five workspaces.

Activity log data in a Log Analytics workspace is stored in a table called AzureActivity that you can retrieve with a log query in Log Analytics. The structure of this table varies depending on the category of the log entry. For a description of the table properties, see the Azure Monitor data reference.

For example, to view a count of Activity log records for each category, use the following query (the query must start with the table name, AzureActivity).

    AzureActivity
    | summarize count() by Category

To retrieve all records in the Administrative category, use the following query.

    AzureActivity
    | where Category == "Administrative"

Send to Azure Event Hubs

Send the Activity log to Azure Event Hubs to send entries outside of Azure, for example to a third-party SIEM or other log analytics solutions. Activity log events from event hubs are consumed in JSON format, with a records element containing the records in each payload. The schema depends on the category and is described in Schema from storage account and event hubs.

Following is sample output data from Event Hubs for an Activity log. URL-valued fields (aud, iss, UPN, caller IP address, the tail of resourceId and operationName) did not survive on this page and are shown empty:

    {
        "records": [
            {
                "time": "2019-01-21T22:14:26.9792776Z",
                "resourceId": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/",
                "operationName": "",
                "category": "Write",
                "resultType": "Success",
                "resultSignature": "Succeeded.Created",
                "durationMs": 2826,
                "callerIpAddress": "",
                "correlationId": "c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8",
                "identity": {
                    "authorization": {
                        "scope": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/",
                        "action": "",
                        "evidence": {
                            "role": "Subscription Admin"
                        }
                    },
                    "claims": {
                        "aud": "",
                        "iss": "",
                        "iat": "1421876371",
                        "nbf": "1421876371",
                        "exp": "1421880271",
                        "ver": "1.0",
                        "http://schemas.microsoft.com/identity/claims/tenantid": "00000000-0000-0000-0000-000000000000",
                        "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
                        "http://schemas.microsoft.com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708",
                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "",
                        "puid": "20030000801A118C",
                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM",
                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Smith",
                        "name": "John Smith",
                        "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c",
                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "",
                        "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c",
                        "appidacr": "2",
                        "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
                        "http://schemas.microsoft.com/claims/authnclassreference": "1"
                    }
                },
                "level": "Information",
                "location": "global",
                "properties": {
                    "statusCode": "Created",
                    "serviceRequestId": "50d5cddb-8ca0-47ad-9b80-6cde2207f97c"
                }
            }
        ]
    }

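The following is an added example, not code from the original page or from Azure Monitor itself. It consumes one Event Hubs message body in the shape shown above (a top-level records array whose items carry category, operationName, resultType and an identity block with authorization and claims), flattens the fields an analyst triages on, and matches each record against a small watch-list of control-plane operations. The two embedded records and the watch-list are constructed assumptions for this example; the Activity log does not define them. Comparisons are case-insensitive because, as noted later on this page, Activity log values can arrive in mixed or upper case.

```python
"""Consume Activity log payloads in the Event Hubs shape and flag sensitive operations.

Added example, not code from the original page. The two embedded records and
the operation watch-list are constructed assumptions, not something the page
or the Activity log schema defines.
"""
import json
from typing import Any

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Assumed watch-list of control-plane operations worth an immediate look,
# stored lower-case because Activity log values arrive in mixed case.
SENSITIVE_OPERATIONS = {
    "microsoft.authorization/roleassignments/write",  # RBAC grant
    "microsoft.authorization/roledefinitions/write",  # custom role change
    "microsoft.insights/diagnosticsettings/delete",   # log export removed
}

# Constructed sample: one Event Hubs message body holding two records.
SAMPLE_PAYLOAD = json.dumps({"records": [
    {
        "time": "2021-03-04T09:15:00.000Z",
        "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
        "operationName": "Microsoft.Compute/virtualMachines/start/action",
        "category": "Administrative",
        "resultType": "Success",
        "callerIpAddress": "203.0.113.10",
        "identity": {
            "authorization": {"scope": "/subscriptions/s1/resourceGroups/rg1",
                              "action": "Microsoft.Compute/virtualMachines/start/action"},
            "claims": {UPN_CLAIM: "alice@example.com", "name": "Alice Example"},
        },
    },
    {
        "time": "2021-03-04T09:16:30.000Z",
        "resourceId": "/SUBSCRIPTIONS/S1/PROVIDERS/MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/2222",
        "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
        "category": "Administrative",
        "resultType": "Success",
        "callerIpAddress": "198.51.100.7",
        "identity": {
            "authorization": {"scope": "/subscriptions/s1",
                              "action": "Microsoft.Authorization/roleAssignments/write"},
            # App-only token: no UPN claim, only the application id.
            "claims": {"appid": "44444444-4444-4444-4444-444444444444", "appidacr": "2"},
        },
    },
]})


def parse_records(payload: str) -> list[dict[str, Any]]:
    """Return the records array from one Event Hubs message body."""
    records = json.loads(payload).get("records")
    if not isinstance(records, list):
        raise ValueError("payload has no 'records' array")
    return records


def caller_of(record: dict[str, Any]) -> str:
    """Best-effort principal: UPN, then display name, then application id."""
    claims = record.get("identity", {}).get("claims", {})
    return claims.get(UPN_CLAIM) or claims.get("name") or claims.get("appid") or "<unknown>"


def summarize(record: dict[str, Any]) -> dict[str, str]:
    """Flatten the fields an analyst triages on."""
    auth = record.get("identity", {}).get("authorization", {})
    return {
        "time": record.get("time", ""),
        "caller": caller_of(record),
        "caller_ip": record.get("callerIpAddress", ""),
        "operation": record.get("operationName", ""),
        "scope": auth.get("scope", ""),
        "category": record.get("category", ""),
        "result": record.get("resultType", ""),
    }


def is_sensitive(record: dict[str, Any]) -> bool:
    """Case-insensitive match on the Delete category or the operation watch-list."""
    if record.get("category", "").lower() == "delete":
        return True
    return record.get("operationName", "").lower() in SENSITIVE_OPERATIONS


def flag_sensitive(payload: str) -> list[dict[str, str]]:
    """Summaries of the sensitive records in one payload, in arrival order."""
    return [summarize(r) for r in parse_records(payload) if is_sensitive(r)]
```

Running flag_sensitive(SAMPLE_PAYLOAD) returns one summary, the role assignment written by an application identity (no UPN claim, only appid); the VM start is left alone. In a real consumer the same functions run over every message body pulled from the event hub, and the watch-list is where an organization encodes which operations page the on-call engineer.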
Send to Azure Storage

Send the Activity log to an Azure Storage account if you want to retain your log data longer than 90 days for audit, static analysis, or backup. If you only need to retain your events for 90 days or less, you do not need to set up archival to a storage account, since Activity log events are retained in the Azure platform for 90 days.

When you send the Activity log to Azure Storage, a storage container is created in the storage account as soon as an event occurs. The blobs in the container use the following naming convention:

insights-activity-logs/resourceId=/SUBSCRIPTIONS/{subscription ID}/y={four-digit numeric year}/m={two-digit numeric month}/d={two-digit numeric day}/h={two-digit 24-hour clock hour}/m=00/PT1H.json

For example, a particular blob might have a name similar to the following:


Each PT1H.json blob contains a JSON blob of events that occurred within the hour specified in the blob URL (for example, h=12). During the present hour, events are appended to the PT1H.json file as they occur. The minute value (m=00) is always 00, since events are broken into individual blobs per hour.

Each event is stored in the PT1H.json file with the following format, which uses a common top-level schema but is otherwise unique for each category, as described in Activity log schema.

    {
        "time": "2020-06-12T13:07:46.766Z",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/MY-RESOURCE-GROUP/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/MV-VM-01",
        "correlationId": "0f0cb6b4-804b-4129-b893-70aeeb63997e",
        "operationName": "Microsoft.Resourcehealth/healthevent/Updated/action",
        "level": "Information",
        "resultType": "Updated",
        "category": "ResourceHealth",
        "properties": {
            "eventCategory": "ResourceHealth",
            "eventProperties": {
                "title": "This virtual machine is starting as requested by an authorized user or process. It will be online shortly.",
                "details": "VirtualMachineStartInitiatedByControlPlane",
                "currentHealthStatus": "Unknown",
                "previousHealthStatus": "Unknown",
                "type": "Downtime",
                "cause": "UserInitiated"
            }
        }
    }
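
The following is an added example, not code from the original page or an Azure SDK. It applies the blob naming convention above so that an investigator can turn an event timestamp (the time field of a record, as in the sample just shown) into the PT1H.json blob that holds it, list every hourly blob covering an incident window, and read the hour back out of a blob path. The subscription id is a placeholder and nothing is fetched from storage; the point is the hour bucketing and the UTC conversion, which matters when the incident window is written down in local time.

```python
"""Map Activity log timestamps to the hourly PT1H.json archive blobs.

Added example, not code from the original page: it applies the container and
blob naming convention quoted above. The subscription id is a placeholder and
no storage account is contacted.
"""
from datetime import datetime, timedelta, timezone
import re

CONTAINER = "insights-activity-logs"

# The first m= is the month, the second (always 00) the minute.
_PATH_RE = re.compile(
    r"^insights-activity-logs/resourceId=/SUBSCRIPTIONS/(?P<sub>[^/]+)"
    r"/y=(?P<y>\d{4})/m=(?P<mo>\d{2})/d=(?P<d>\d{2})/h=(?P<h>\d{2})/m=00/PT1H\.json$"
)


def _to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp such as a record's 'time' field into UTC.

    Activity log timestamps end in 'Z' and may carry seven fractional digits;
    datetime.fromisoformat wants an explicit offset and at most six digits, so
    both are normalised first.
    """
    stamp = re.sub(r"(\.\d{6})\d+", r"\1", stamp)
    if stamp.endswith("Z"):
        stamp = stamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without offset is ambiguous: {stamp}")
    return parsed.astimezone(timezone.utc)


def _hour_floor(when: datetime) -> datetime:
    return when.replace(minute=0, second=0, microsecond=0)


def blob_path(subscription_id: str, stamp: str) -> str:
    """Path of the blob holding events that occurred at `stamp`.

    Minutes are fixed at m=00 because events are bucketed per hour, and the
    subscription segment is upper-cased as in the convention.
    """
    utc = _to_utc(stamp)
    return (
        f"{CONTAINER}/resourceId=/SUBSCRIPTIONS/{subscription_id.upper()}"
        f"/y={utc:%Y}/m={utc:%m}/d={utc:%d}/h={utc:%H}/m=00/PT1H.json"
    )


def blob_paths_for_window(subscription_id: str, start: str, end: str) -> list[str]:
    """Every hourly blob that can contain events between start and end inclusive.

    Both ends are converted to UTC first, so a window written in local time
    (for example UTC+8) still lands on the right blobs.
    """
    cur, last = _hour_floor(_to_utc(start)), _hour_floor(_to_utc(end))
    if last < cur:
        raise ValueError("end precedes start")
    paths = []
    while cur <= last:
        paths.append(blob_path(subscription_id, cur.isoformat()))
        cur += timedelta(hours=1)
    return paths


def parse_blob_path(path: str) -> tuple[str, str]:
    """Recover (subscription id, ISO start of the hour in UTC) from a blob path."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError(f"not an Activity log blob path: {path}")
    hour = datetime(int(m["y"]), int(m["mo"]), int(m["d"]), int(m["h"]), tzinfo=timezone.utc)
    return m["sub"], hour.isoformat()
```

Because the blob for the current hour is still being appended to, a window that ends in the present hour should be re-read once that hour has closed. Because blob paths are keyed by hour only, paths from blob_paths_for_window are the complete list to download for the window; filter individual events by their time field afterwards.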

Legacy collection methods

This section describes legacy methods for collecting the Activity log that were used prior to diagnostic settings. If you're using these methods, you should consider transitioning to diagnostic settings, which provide better functionality and consistency with resource logs.

Log profiles

Log profiles are the legacy method for sending the Activity log to Azure Storage or Event Hubs. Use the following procedure to continue working with a log profile or to disable it in preparation for migrating to a diagnostic setting.

  1. From the Azure Monitor menu in the Azure portal, select Activity log.

  2. Click Diagnostic settings.

  3. Click the purple banner for the legacy experience.


Configure log profile using PowerShell

If a log profile already exists, you first need to remove the existing log profile and then create a new one.

  1. Use Get-AzLogProfile to identify whether a log profile exists. If a log profile does exist, note the name property.

  2. Use Remove-AzLogProfile to remove the log profile using the value from the name property.

    # For example, if the log profile name is 'default'
    Remove-AzLogProfile -Name "default"

  3. Use Add-AzLogProfile to create a new log profile:

    Add-AzLogProfile -Name my_log_profile -StorageAccountId /subscriptions/s1/resourceGroups/myrg1/providers/Microsoft.Storage/storageAccounts/my_storage -serviceBusRuleId /subscriptions/s1/resourceGroups/Default-ServiceBus-ChinaNorth/providers/Microsoft.ServiceBus/namespaces/mytestSB/authorizationrules/RootManageSharedAccessKey -Location global,chinanorth -RetentionInDays 90 -Category Write,Delete,Action

    Property          Required  Description
    Name              Yes       Name of your log profile.
    StorageAccountId  No        Resource ID of the storage account where the Activity log should be saved.
    serviceBusRuleId  No        Service Bus rule ID for the Service Bus namespace you would like to have event hubs created in. This is a string with the format {service bus resource ID}/authorizationrules/{key name}.
    Location          Yes       Comma-separated list of regions for which you would like to collect Activity log events.
    RetentionInDays   Yes       Number of days for which events should be retained in the storage account, between 1 and 365. A value of zero stores the logs indefinitely.
    Category          No        Comma-separated list of event categories that should be collected. Possible values are Write, Delete, and Action.

Example script

Following is a sample PowerShell script to create a log profile that writes the Activity log to both a storage account and an event hub. It assumes the event hub namespace and the storage account live in the same resource group.

# Settings needed for the new log profile
$logProfileName = "default"
$locations = (Get-AzLocation).Location
$locations += "global"
$subscriptionId = "<your Azure subscription Id>"
$resourceGroupName = "<resource group name your event hub namespace and storage account belong to>"
$eventHubNamespace = "<event hub namespace>"
$storageAccountName = "<storage account name>"

# Build the service bus rule Id from the settings above
$serviceBusRuleId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.EventHub/namespaces/$eventHubNamespace/authorizationrules/RootManageSharedAccessKey"

# Build the storage account Id from the settings above
$storageAccountId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

# Create the log profile that writes to both destinations
Add-AzLogProfile -Name $logProfileName -Location $locations -StorageAccountId $storageAccountId -ServiceBusRuleId $serviceBusRuleId

Configure log profile using Azure CLI

If a log profile already exists, you first need to remove the existing log profile and then create a new log profile.

  1. Use az monitor log-profiles list to identify whether a log profile exists.

  2. Use az monitor log-profiles delete --name "<log profile name>" to remove the log profile using the value from the name property.

  3. Use az monitor log-profiles create to create a new log profile:

    az monitor log-profiles create --name "default" --location null --locations "global" "chinanorth" --categories "Delete" "Write" "Action" --enabled false --days 0 --service-bus-rule-id "/subscriptions/<YOUR SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP NAME>/providers/Microsoft.EventHub/namespaces/<EVENT HUB NAME SPACE>/authorizationrules/RootManageSharedAccessKey"

    Property            Required  Description
    name                Yes       Name of your log profile.
    storage-account-id  Yes       Resource ID of the storage account to which Activity logs should be saved.
    locations           Yes       Space-separated list of regions for which you would like to collect Activity log events. You can view a list of all regions for your subscription using az account list-locations --query [].name.
    days                Yes       Number of days for which events should be retained, between 1 and 365. A value of zero stores the logs indefinitely. If zero, the enabled parameter should be set to false.
    enabled             Yes       True or False. Used to enable or disable the retention policy. If True, the days parameter must be a value greater than 0.
    categories          Yes       Space-separated list of event categories that should be collected. Possible values are Write, Delete, and Action.

Log Analytics workspace

The legacy method for sending the Activity log into a Log Analytics workspace is connecting the log in the workspace configuration.

  1. From the Log Analytics workspaces menu in the Azure portal, select the workspace to collect the Activity log.

  2. In the Workspace Data Sources section of the workspace's menu, select Azure Activity log.

  3. Click the subscription you want to connect.

    [Screenshot: Log Analytics workspace with an Azure Activity log selected]

  4. Click Connect to connect the Activity log in the subscription to the selected workspace. If the subscription is already connected to another workspace, click Disconnect first to disconnect it.

To disable the setting, perform the same procedure and click Disconnect to remove the subscription from the workspace.

Data structure changes

Diagnostic settings send the same data as the legacy method used to send the Activity log, with some changes to the structure of the AzureActivity table.

The columns in the following table have been deprecated in the updated schema. They still exist in AzureActivity, but they will have no data. The replacements for these columns are not new; they contain the same data as the deprecated column but in a different format, so you may need to modify log queries that use them.

    Deprecated column   Replacement column
    ActivityStatus      ActivityStatusValue
    ActivitySubstatus   ActivitySubstatusValue
    OperationName       OperationNameValue
    ResourceProvider    ResourceProviderValue

In some cases, the values in these columns may be in all uppercase. If you have a query that includes these columns, you should use the =~ operator to do a case-insensitive comparison.

The following columns have been added to AzureActivity in the updated schema:

  • Authorization_d
  • Claims_d
  • Properties_d

Activity Log Analytics monitoring solution

The Activity Log Analytics monitoring solution will be deprecated soon and replaced by a workbook using the updated schema in the Log Analytics workspace. You can still use the solution if you already have it enabled, but it can only be used if you're collecting the Activity log using legacy settings.

Use the solution

Monitoring solutions are accessed from the Monitor menu in the Azure portal. Select More in the Insights section to open the Overview page with the solution tiles. The Azure Activity Logs tile displays a count of the number of AzureActivity records in your workspace.

[Screenshot: Azure Activity Logs tile]

Click the Azure Activity Logs tile to open the Azure Activity Logs view. The view includes the visualization parts in the following table. Each part lists up to 10 items matching that part's criteria for the specified time range. You can run a log query that returns all matching records by clicking See all at the bottom of the part.

[Screenshot: Azure Activity Logs dashboard]

Enable the solution for new subscriptions

You will soon no longer be able to add the Activity Logs Analytics solution to your subscription using the Azure portal. You can add it using the following procedure with a Resource Manager template.

  1. Copy the following JSON into a file called ActivityLogTemplate.json. The list of allowed values for the location parameter did not survive on this page, so the parameter below accepts any region; the third resource depends on the workspace in the same way the solution resource does.

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "workspaceName": {
                "type": "String",
                "defaultValue": "my-workspace",
                "metadata": {
                  "description": "Specifies the name of the workspace."
                }
            },
            "location": {
                "type": "String",
                "defaultValue": "chinaeast2",
                "metadata": {
                  "description": "Specifies the location in which to create the workspace."
                }
            }
        },
        "resources": [
            {
                "type": "Microsoft.OperationalInsights/workspaces",
                "name": "[parameters('workspaceName')]",
                "apiVersion": "2015-11-01-preview",
                "location": "[parameters('location')]",
                "properties": {
                    "features": {
                        "searchVersion": 2
                    }
                }
            },
            {
                "type": "Microsoft.OperationsManagement/solutions",
                "apiVersion": "2015-11-01-preview",
                "name": "[concat('AzureActivity(', parameters('workspaceName'),')')]",
                "location": "[parameters('location')]",
                "dependsOn": [
                    "[resourceId('microsoft.operationalinsights/workspaces', parameters('workspaceName'))]"
                ],
                "plan": {
                    "name": "[concat('AzureActivity(', parameters('workspaceName'),')')]",
                    "promotionCode": "",
                    "product": "OMSGallery/AzureActivity",
                    "publisher": "Microsoft"
                },
                "properties": {
                    "workspaceResourceId": "[resourceId('microsoft.operationalinsights/workspaces', parameters('workspaceName'))]",
                    "containedResources": [
                        "[concat(resourceId('microsoft.operationalinsights/workspaces', parameters('workspaceName')), '/views/AzureActivity(',parameters('workspaceName'))]"
                    ]
                }
            },
            {
                "type": "Microsoft.OperationalInsights/workspaces/datasources",
                "kind": "AzureActivityLog",
                "name": "[concat(parameters('workspaceName'), '/', subscription().subscriptionId)]",
                "apiVersion": "2015-11-01-preview",
                "location": "[parameters('location')]",
                "dependsOn": [
                    "[resourceId('microsoft.operationalinsights/workspaces', parameters('workspaceName'))]"
                ],
                "properties": {
                    "linkedResourceId": "[concat(subscription().Id, '/providers/microsoft.insights/eventTypes/management')]"
                }
            }
        ]
    }

  2. Deploy the template using the following PowerShell commands:

    Connect-AzAccount -Environment AzureChinaCloud
    Select-AzSubscription <SubscriptionName>
    New-AzResourceGroupDeployment -Name activitysolution -ResourceGroupName <ResourceGroup> -TemplateFile <Path to template file>

Next steps