Collect and analyze Azure Activity log in Azure Monitor

The Azure Activity log is a platform log that provides insight into subscription-level events that have occurred in Azure. While you can view the Activity log in the Azure portal, you should configure it to be sent to a Log Analytics workspace to enable additional features of Azure Monitor. This article describes how to perform that configuration and how to send the Activity log to Azure storage and event hubs.

Collecting the Activity log in a Log Analytics workspace provides the following advantages:

  • No data ingestion or data retention charge for Activity log data stored in a Log Analytics workspace.
  • Correlate Activity log data with other monitoring data collected by Azure Monitor.
  • Use log queries to perform complex analysis and gain deep insights on Activity log entries.
  • Use log alerts with Activity log entries, allowing for more complex alerting logic.
  • Store Activity log entries for longer than 90 days.
  • Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.

Collecting the Activity log

The Activity log is collected automatically for viewing in the Azure portal. To collect it in a Log Analytics workspace, or to send it to Azure storage or event hubs, create a diagnostic setting. This is the same method used by resource logs, which makes collection consistent for all platform logs.

To create a diagnostic setting for the Activity log, select Diagnostic settings from the Activity log menu in Azure Monitor. See Create diagnostic setting to collect platform logs and metrics in Azure for details on creating the setting. See Categories in the Activity log for a description of the categories you can filter on. If you have any legacy settings, make sure you disable them before creating a diagnostic setting. Having both enabled may result in duplicate data.

(Screenshot: Diagnostic settings)

Note

Currently, you can only create a subscription-level diagnostic setting using the Azure portal or a Resource Manager template.
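The following PowerShell script is an added example, not code from the original article or from Microsoft. It creates the subscription-level diagnostic setting described above through a Resource Manager template deployed at subscription scope, and first runs the check a practitioner wants before doing so: whether a legacy log profile or a legacy workspace connection is still active, since leaving either enabled alongside the new setting produces duplicate rows. The placeholders `<SubscriptionId>`, `<ResourceGroup>` and `<WorkspaceName>`, the deployment location `chinaeast2`, and the setting name `ActivityLogToWorkspace` are assumptions; the category list is the full set of Activity log categories.

```powershell
# Added example, not part of the original article: create a subscription-level
# diagnostic setting for the Activity log with a Resource Manager template and
# check for legacy settings that would cause duplicate data.
# Placeholders (assumptions, not real identifiers): <SubscriptionId>,
# <ResourceGroup>, <WorkspaceName>; the deployment location 'chinaeast2'.

Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription -SubscriptionId '<SubscriptionId>'

$rg        = '<ResourceGroup>'
$workspace = '<WorkspaceName>'
$workspaceResourceId = "/subscriptions/<SubscriptionId>/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/$workspace"

# 1. Check for legacy configuration before creating the diagnostic setting.
#    A log profile (legacy export to storage/event hubs) or a legacy workspace
#    connection left enabled alongside the new setting produces duplicate rows.
$legacyProfiles = Get-AzLogProfile
if ($legacyProfiles) {
    Write-Warning "Legacy log profile(s) found: $($legacyProfiles.Name -join ', '). Remove with Remove-AzLogProfile before continuing."
}
$legacyLink = Get-AzOperationalInsightsDataSource -ResourceGroupName $rg -WorkspaceName $workspace -Kind AzureActivityLog
if ($legacyLink) {
    Write-Warning "Legacy Activity log connection(s) found on workspace $workspace; disconnect them first."
}

# 2. Subscription-scope template. Microsoft.Insights/diagnosticSettings deployed
#    at subscription scope takes the Activity log categories under "logs".
#    Other destinations use the same resource with storageAccountId or
#    eventHubAuthorizationRuleId/eventHubName instead of (or alongside) workspaceId.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "settingName": { "type": "string" },
    "workspaceId": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[parameters('settingName')]",
      "location": "Global",
      "properties": {
        "workspaceId": "[parameters('workspaceId')]",
        "logs": [
          { "category": "Administrative",  "enabled": true },
          { "category": "Security",        "enabled": true },
          { "category": "ServiceHealth",   "enabled": true },
          { "category": "Alert",           "enabled": true },
          { "category": "Recommendation",  "enabled": true },
          { "category": "Policy",          "enabled": true },
          { "category": "Autoscale",       "enabled": true },
          { "category": "ResourceHealth",  "enabled": true }
        ]
      }
    }
  ]
}
'@
$templatePath = Join-Path ([System.IO.Path]::GetTempPath()) 'activitylog-diagsetting.json'
Set-Content -Path $templatePath -Value $template -Encoding UTF8

# 3. Deploy at subscription scope (New-AzDeployment; newer Az versions also
#    expose the same cmdlet as New-AzSubscriptionDeployment).
New-AzDeployment -Name 'activitylog-diagsetting' -Location 'chinaeast2' `
    -TemplateFile $templatePath `
    -TemplateParameterObject @{ settingName = 'ActivityLogToWorkspace'; workspaceId = $workspaceResourceId }

# 4. Verify through the REST API that the setting exists and covers every category.
$subId = (Get-AzContext).Subscription.Id
$resp = Invoke-AzRestMethod -Method GET `
    -Path "/subscriptions/$subId/providers/Microsoft.Insights/diagnosticSettings?api-version=2017-05-01-preview"
($resp.Content | ConvertFrom-Json).value | ForEach-Object {
    "{0}: workspace={1}; categories={2}" -f $_.name, $_.properties.workspaceId,
        (($_.properties.logs | Where-Object enabled | Select-Object -ExpandProperty category) -join ',')
}
```

The verification step matters because a setting created in the portal with only some categories ticked silently drops the rest; listing the enabled categories from the API is the quickest way to confirm that Security, Policy and Administrative events are actually being forwarded.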

Legacy settings

While diagnostic settings are the preferred method to send the Activity log to different destinations, legacy methods continue to work if you don't choose to replace them with a diagnostic setting. Diagnostic settings have the following advantages over legacy methods, and it's recommended that you update your configuration:

  • Consistent method for collecting all platform logs.
  • Collect the Activity log across multiple subscriptions and tenants.
  • Filter collection to only collect logs for particular categories.
  • Collect all Activity log categories. Some categories are not collected using the legacy method.
  • Lower latency for log ingestion. The previous method has about 15 minutes of latency, while diagnostic settings add only about 1 minute.

Log profiles

Log profiles are the legacy method for sending the Activity log to Azure storage or event hubs. Use the following procedure to continue working with a log profile, or to disable it in preparation for migrating to a diagnostic setting.

  1. From the Azure Monitor menu in the Azure portal, select Activity log.

  2. Click Diagnostic settings.

    (Screenshot: Diagnostic settings)

  3. Click the purple banner for the legacy experience.

    (Screenshot: Legacy experience)

Log Analytics workspace

The legacy method for collecting the Activity log into a Log Analytics workspace is connecting the log in the workspace configuration.

  1. From the Log Analytics workspaces menu in the Azure portal, select the workspace that should collect the Activity log.

  2. In the Workspace Data Sources section of the workspace's menu, select Azure Activity log.

  3. Click the subscription you want to connect.

    (Screenshot: Workspace)

  4. Click Connect to connect the Activity log in the subscription to the selected workspace. If the subscription is already connected to another workspace, click Disconnect first to disconnect it.

    (Screenshot: Connect workspace)

To disable the setting, perform the same procedure and click Disconnect to remove the subscription from the workspace.

Analyze the Activity log in a Log Analytics workspace

When you connect the Activity log to a Log Analytics workspace, entries are written to a table in the workspace called AzureActivity, which you can retrieve with a log query. The structure of this table varies depending on the category of the log entry. See Azure Activity log event schema for a description of each category.

Data structure changes

Diagnostic settings collect the same data as the legacy method used to collect the Activity log, with some changes to the structure of the AzureActivity table.

The columns in the following table have been deprecated in the updated schema. They still exist in AzureActivity, but they will contain no data. The replacement columns are not new; they contain the same data as the deprecated columns, but in a different format, so you may need to modify log queries that use them.

    Deprecated column    Replacement column
    ActivityStatus       ActivityStatusValue
    ActivitySubstatus    ActivitySubstatusValue
    OperationName        OperationNameValue
    ResourceProvider     ResourceProviderValue

Important

In some cases, the values in these columns may be in all uppercase. If you have a query that includes these columns, use the =~ operator to perform a case-insensitive comparison.

The following columns have been added to AzureActivity in the updated schema:

  • Authorization_d
  • Claims_d
  • Properties_d
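The following PowerShell script is an added example, not code from the original article or from Microsoft. It runs a log query against AzureActivity that uses the replacement columns and the case-insensitive operators the section above calls for, pulling the authorization scope out of the new Authorization_d dynamic column, and then runs a second query that counts rows whose deprecated OperationName column is empty, which shows concretely why queries written against the old columns stop returning results once a diagnostic setting is in place. The placeholder `<WorkspaceCustomerId>` (the workspace's customer ID GUID) is an assumption, as is the pair of status spellings: legacy rows carried `Succeeded`, rows from a diagnostic setting carry `Success`, so the filter accepts both.

```powershell
# Added example, not part of the original article: query AzureActivity with the
# updated schema and return the rows as PowerShell objects.
# Assumptions: <WorkspaceCustomerId> is the workspace's customer ID (GUID);
# the status spellings and the Authorization_d fields used below are the ones
# seen in the updated schema, so every string comparison is case-insensitive.

Connect-AzAccount -Environment AzureChinaCloud
$workspaceCustomerId = '<WorkspaceCustomerId>'

# Successful role-assignment writes in the last 7 days, with the scope and
# action taken from Authorization_d. Uses the *Value replacement columns and
# =~ / in~ because values may arrive in upper case.
$kql = @'
AzureActivity
| where TimeGenerated > ago(7d)
| where CategoryValue =~ "Administrative"
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| where ActivityStatusValue in~ ("Succeeded", "Success")
| extend Scope  = tostring(Authorization_d.scope),
         Action = tostring(Authorization_d.action)
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue, Scope, SubscriptionId, CorrelationId
| order by TimeGenerated desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceCustomerId -Query $kql -Timespan (New-TimeSpan -Days 7)
$rows = $result.Results

# Show why existing queries must move to the *Value columns: rows written
# through a diagnostic setting have an empty OperationName, so a query that
# still filters on OperationName matches nothing for them.
$kqlLegacy = @'
AzureActivity
| where TimeGenerated > ago(7d)
| summarize Rows = count(), EmptyDeprecatedColumn = countif(isempty(OperationName)) by CategoryValue
'@
$legacyCheck = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceCustomerId -Query $kqlLegacy).Results

$rows        | Format-Table TimeGenerated, Caller, CallerIpAddress, Scope -AutoSize
$legacyCheck | Format-Table -AutoSize
```

Role-assignment writes are a good first query because they are the Activity log event most worth alerting on: a new Owner or Contributor assignment at subscription scope is visible here with the caller and source IP, and the same query body can be pasted into a log alert rule once it returns the rows you expect.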

Activity Logs Analytics monitoring solution

The Activity Logs Analytics monitoring solution will be deprecated soon and replaced by a workbook that uses the updated schema in the Log Analytics workspace. You can still use the solution if you already have it enabled, but it only works if you're collecting the Activity log using legacy settings.

Use the solution

Monitoring solutions are accessed from the Monitor menu in the Azure portal. Select More in the Insights section to open the Overview page with the solution tiles. The Azure Activity Logs tile displays a count of the AzureActivity records in your workspace.

(Screenshot: Azure Activity Logs tile)

Click the Azure Activity Logs tile to open the Azure Activity Logs view. The view includes the visualization parts in the following table. Each part lists up to 10 items matching that part's criteria for the specified time range. You can run a log query that returns all matching records by clicking See all at the bottom of the part.

(Screenshot: Azure Activity Logs dashboard)

Enable the solution for new subscriptions

You will soon no longer be able to add the Activity Logs Analytics solution to your subscription using the Azure portal. You can add it with a Resource Manager template using the following procedure.

  1. Copy the following JSON into a file called ActivityLogTemplate.json.

    {
        "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "workspaceName": {
                "type": "String",
                "defaultValue": "my-workspace",
                "metadata": {
                    "description": "Specifies the name of the workspace."
                }
            },
            "location": {
                "type": "String",
                "allowedValues": [
                    "east us",
                    "west us",
                    "australia central",
                    "west europe"
                ],
                "defaultValue": "australia central",
                "metadata": {
                    "description": "Specifies the location in which to create the workspace."
                }
            }
        },
        "resources": [
            {
                "type": "Microsoft.OperationalInsights/workspaces",
                "name": "[parameters('workspaceName')]",
                "apiVersion": "2015-11-01-preview",
                "location": "[parameters('location')]",
                "properties": {
                    "features": {
                        "searchVersion": 2
                    }
                }
            },
            {
                "type": "Microsoft.OperationsManagement/solutions",
                "apiVersion": "2015-11-01-preview",
                "name": "[concat('AzureActivity(', parameters('workspaceName'), ')')]",
                "location": "[parameters('location')]",
                "dependsOn": [
                    "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
                ],
                "plan": {
                    "name": "[concat('AzureActivity(', parameters('workspaceName'), ')')]",
                    "promotionCode": "",
                    "product": "OMSGallery/AzureActivity",
                    "publisher": "Microsoft"
                },
                "properties": {
                    "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
                    "containedResources": [
                        "[concat(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName')), '/views/AzureActivity(', parameters('workspaceName'), ')')]"
                    ]
                }
            },
            {
                "type": "Microsoft.OperationalInsights/workspaces/datasources",
                "kind": "AzureActivityLog",
                "name": "[concat(parameters('workspaceName'), '/', subscription().subscriptionId)]",
                "apiVersion": "2015-11-01-preview",
                "location": "[parameters('location')]",
                "dependsOn": [
                    "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
                ],
                "properties": {
                    "linkedResourceId": "[concat(subscription().id, '/providers/microsoft.insights/eventTypes/management')]"
                }
            }
        ]
    }
    
  2. Deploy the template using the following PowerShell commands:

    # Sign in to the Azure China cloud and select the target subscription
    Connect-AzAccount -Environment AzureChinaCloud
    Select-AzSubscription -Subscription <SubscriptionName>
    # Resource-group deployment of the template saved in step 1
    New-AzResourceGroupDeployment -Name activitysolution -ResourceGroupName <ResourceGroup> -TemplateFile <Path to template file>


Next steps