Alerts on activity log

Overview

Activity log alerts are alerts that activate when a new activity log event occurs that matches the conditions specified in the alert. Based on the order and volume of the events recorded in the Azure activity log, the alert rule fires. Activity log alert rules are Azure resources, so they can be created by using an Azure Resource Manager template. They can also be created, updated, or deleted in the Azure portal. This article introduces the concepts behind activity log alerts. For more information on creating or using activity log alert rules, see Create and manage activity log alerts.

Note

Alerts cannot be created for events in the Alert category of the activity log.

Typically, you create activity log alerts to receive notifications when:

  • Specific operations occur on resources in your Azure subscription, often scoped to particular resource groups or resources. For example, you might want to be notified when any virtual machine in myProductionResourceGroup is deleted. Or, you might want to be notified if any new roles are assigned to a user in your subscription.
  • A service health event occurs. Service health events include notification of incidents and maintenance events that apply to resources in your subscription.

A simple way to understand the conditions on which activity log alert rules can be created is to explore or filter events in the Activity log in the Azure portal. In Azure Monitor - Activity log, you can filter or find the required event and then create an alert by using the Add activity log alert button.

In either case, an activity log alert monitors only events in the subscription in which the alert is created.

You can configure an activity log alert based on any top-level property in the JSON object for an activity log event. For more information, see Categories in the Activity Log. To learn more about service health events, see Receive activity log alerts on service notifications.

Activity log alerts have a few common options:

  • Category: Administrative, Service Health, Autoscale, Security, Policy, and Recommendation.
  • Scope: The individual resource or set of resources for which the activity log alert is defined. The scope of an activity log alert can be defined at various levels:
    • Resource level: for example, a specific virtual machine
    • Resource group level: for example, all virtual machines in a specific resource group
    • Subscription level: for example, all virtual machines in a subscription, or all resources in a subscription
  • Resource group: By default, the alert rule is saved in the same resource group as the target defined in Scope. You can also choose the resource group in which the alert rule should be stored.
  • Resource type: The Resource Manager namespace of the target of the alert.
  • Operation name: The Azure Resource Manager operation name used for role-based access control. Operations not registered with Azure Resource Manager cannot be used in an activity log alert rule.
  • Level: The severity level of the event (Informational, Warning, Error, or Critical).
  • Status: The status of the event, typically Started, Failed, or Succeeded.
  • Event initiated by: Also known as the "caller." The email address or Azure Active Directory identifier of the user who performed the operation.

Note

In a subscription, up to 100 alert rules can be created for an activity at any one scope: a single resource, all resources in a resource group, or the entire subscription.

When an activity log alert is activated, it uses an action group to generate actions or notifications. An action group is a reusable set of notification receivers, such as email addresses, webhook URLs, or SMS phone numbers. The receivers can be referenced from multiple alerts to centralize and group your notification channels. When you define your activity log alert, you have two options. You can:

  • Use an existing action group in your activity log alert.
  • Create a new action group.

To learn more about action groups, see Create and manage action groups in the Azure portal.
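The options listed above (category, scope, operation name, status) and the action group reference come together in the alert rule resource itself. The following Python script is an added example, not code from this documentation page or from Azure: it builds two Microsoft.Insights/activityLogAlerts resource bodies in the shape an ARM template expects (one scoped to a resource group for the "VM deleted in myProductionResourceGroup" case, one scoped to the whole subscription for role assignments) and then runs a simplified local simulation of the rule's allOf matching over a few constructed activity log events. The subscription id, the monitoring-rg resource group, the secops-oncall action group, the caller address and the events are all placeholders or constructed values; the matcher is a stand-in for Azure's evaluation, not Azure's implementation.

```python
"""Build Azure activity log alert rules and simulate their conditions on
sample events. Added example, not code from the Azure docs page: the
resource body follows the Microsoft.Insights/activityLogAlerts schema, but
the matcher is a simplified local stand-in for Azure's evaluation. The
subscription id, resource group and action group names are placeholders."""
import json

SUB_ID = "00000000-0000-0000-0000-000000000000"  # placeholder subscription
SUB_SCOPE = f"/subscriptions/{SUB_ID}"
PROD_RG_SCOPE = f"{SUB_SCOPE}/resourceGroups/myProductionResourceGroup"
ACTION_GROUP_ID = (f"{SUB_SCOPE}/resourceGroups/monitoring-rg/providers"
                   "/microsoft.insights/actionGroups/secops-oncall")  # placeholder


def build_activity_log_alert(name, scope, conditions, action_group_id):
    """One Microsoft.Insights/activityLogAlerts resource for an ARM template.
    `conditions` maps condition fields (category, operationName, status, level,
    caller, resourceGroup, ...) to required values; Azure ANDs the allOf entries."""
    return {
        "type": "Microsoft.Insights/activityLogAlerts",
        "apiVersion": "2020-10-01",
        "name": name,
        "location": "Global",  # activity log alert rules are global resources
        "properties": {
            "enabled": True,
            "scopes": [scope],  # which resources' events the rule examines
            "condition": {"allOf": [{"field": f, "equals": v}
                                    for f, v in conditions.items()]},
            "actions": {"actionGroups": [{"actionGroupId": action_group_id}]},
        },
    }


VM_DELETE = "Microsoft.Compute/virtualMachines/delete"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
# Resource-group scope; status=Succeeded skips the Started record of the same operation.
VM_DELETE_RULE = build_activity_log_alert(
    "prod-vm-deleted", PROD_RG_SCOPE,
    {"category": "Administrative", "operationName": VM_DELETE, "status": "Succeeded"},
    ACTION_GROUP_ID)
# Subscription scope: any successful role assignment anywhere in the subscription.
ROLE_ASSIGNMENT_RULE = build_activity_log_alert(
    "role-assignment-written", SUB_SCOPE,
    {"category": "Administrative", "operationName": ROLE_WRITE, "status": "Succeeded"},
    ACTION_GROUP_ID)

# How each condition field is read from an event (events use the nested
# {"value": ...} form of the REST schema). This mapping is part of the simulation.
_READERS = {"category": lambda e: e["category"]["value"],
            "operationName": lambda e: e["operationName"]["value"],
            "status": lambda e: e["status"]["value"],
            "resourceGroup": lambda e: e["resourceGroupName"],
            "level": lambda e: e["level"], "caller": lambda e: e["caller"],
            "resourceId": lambda e: e["resourceId"]}


def rule_matches(rule, event):
    """True if the event is in scope and satisfies every allOf condition."""
    props = rule["properties"]
    rid = event["resourceId"].lower()
    if not props["enabled"] or not any(rid.startswith(s.lower()) for s in props["scopes"]):
        return False
    for cond in props["condition"]["allOf"]:
        try:
            actual = _READERS[cond["field"]](event)
        except KeyError:  # unknown field, or field absent from this event
            return False
        if actual.lower() != cond["equals"].lower():
            return False
    return True


def fired_rules(rules, events):
    """(rule name, event index) for every rule that would fire."""
    return [(r["name"], i) for i, e in enumerate(events)
            for r in rules if rule_matches(r, e)]


def _event(operation, status, resource_id, rg=None):
    """Constructed activity log event, not a real log record."""
    return {"category": {"value": "Administrative"}, "operationName": {"value": operation},
            "status": {"value": status}, "level": "Informational",
            "caller": "admin@contoso.example", "resourceId": resource_id,
            **({"resourceGroupName": rg} if rg else {})}


PROD_VM = f"{PROD_RG_SCOPE}/providers/Microsoft.Compute/virtualMachines/web01"
DEV_VM = f"{SUB_SCOPE}/resourceGroups/dev-rg/providers/Microsoft.Compute/virtualMachines/test01"
SAMPLE_EVENTS = [  # constructed
    _event(VM_DELETE, "Started", PROD_VM, "myProductionResourceGroup"),
    _event(VM_DELETE, "Succeeded", PROD_VM, "myProductionResourceGroup"),
    _event(VM_DELETE, "Succeeded", DEV_VM, "dev-rg"),
    _event(ROLE_WRITE, "Succeeded",
           f"{SUB_SCOPE}/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"),
]

if __name__ == "__main__":
    print(json.dumps(VM_DELETE_RULE, indent=2))
    print(fired_rules([VM_DELETE_RULE, ROLE_ASSIGNMENT_RULE], SAMPLE_EVENTS))
```

Running the script prints the resource body you would drop into the `resources` array of an ARM template, then `[('prod-vm-deleted', 1), ('role-assignment-written', 3)]`: the Started record of the delete does not fire the rule because the condition pins `status` to Succeeded, the delete in dev-rg is outside the rule's resource group scope, and the role assignment fires only the subscription-scoped rule. The simulation treats a scope as a resource id prefix and compares values case-insensitively; those are choices of this example, so check the service's documentation before relying on either detail.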

Next steps