Export Azure Activity log to storage or Azure Event Hubs

Important

The method for sending the Azure Activity log to Azure Storage and Azure Event Hubs has changed to diagnostic settings. This article describes the legacy method, which is in the process of being deprecated. See Update to Azure Activity log collection and export for a comparison.

The Azure Activity Log provides insight into subscription-level events that have occurred in your Azure subscription. In addition to viewing the Activity log in the Azure portal or copying it to a Log Analytics workspace, where it can be analyzed with other data collected by Azure Monitor, you can create a log profile to archive the Activity log to an Azure storage account or stream it to an event hub.

Archive Activity Log

Archiving the Activity Log to a storage account is useful if you would like to retain your log data longer than 90 days (with full control over the retention policy) for audit, static analysis, or backup. If you only need to retain your events for 90 days or less, you do not need to set up archival to a storage account, since Activity Log events are retained in the Azure platform for 90 days.

Stream Activity Log to Event Hub

Azure Event Hubs is a data streaming platform and event ingestion service that can receive and process millions of events per second. Data sent to an event hub can be transformed and stored by using any real-time analytics provider or batching/storage adapters. Two ways you might use the streaming capability for the Activity Log are:

  • Stream to third-party logging and telemetry systems: Over time, Azure Event Hubs streaming will become the mechanism to pipe your Activity Log into third-party SIEMs and log analytics solutions.
  • Build a custom telemetry and logging platform: If you already have a custom-built telemetry platform or are thinking about building one, the highly scalable publish-subscribe nature of Event Hubs enables you to flexibly ingest the Activity Log.

Prerequisites

Storage account

If you're archiving your Activity Log, you need to create a storage account if you don't already have one. You should not use an existing storage account that has other, non-monitoring data stored in it, so that you can better control access to monitoring data. If you are also archiving Diagnostic Logs and metrics to a storage account, though, you may choose to use that same storage account to keep all monitoring data in a central location.

The storage account does not have to be in the same subscription as the subscription emitting logs, as long as the user who configures the setting has appropriate RBAC access to both subscriptions.

Note

You cannot currently archive data to a storage account that is behind a secured virtual network.

Event Hubs

If you're sending your Activity Log to an event hub, you need to create an event hub if you don't already have one. If you previously streamed Activity Log events to this Event Hubs namespace, that event hub will be reused.

The shared access policy defines the permissions that the streaming mechanism has. Streaming to Event Hubs requires Manage, Send, and Listen permissions. You can create or modify shared access policies for the Event Hubs namespace in the Azure portal under the Configure tab for your Event Hubs namespace.

To update the Activity Log log profile to include streaming, you must have the ListKey permission on that Event Hubs authorization rule. The Event Hubs namespace does not have to be in the same subscription as the subscription that's emitting logs, as long as the user who configures the setting has appropriate RBAC access to both subscriptions and both subscriptions are in the same AAD tenant.

Stream the Activity Log to an event hub by creating a log profile.

Create a log profile

You define how your Azure Activity log is exported using a log profile. Each Azure subscription can have only one log profile. These settings can be configured via the Export option in the Activity Log blade in the portal. They can also be configured programmatically using the Azure Monitor REST API, PowerShell cmdlets, or CLI.

The log profile defines the following.

Where the Activity Log should be sent. Currently, the available options are Storage Account or Event Hubs.

Which event categories should be sent. The meaning of category in log profiles and Activity Log events is different. In the log profile, Category represents the operation type (Write, Delete, Action). In an Activity Log event, the category property represents the source or type of event (for example, Administration, ServiceHealth, and Alert).

Which regions (locations) should be exported. You should include all locations, since many events in the Activity Log are global events.

How long the Activity Log should be retained in a storage account. A retention of zero days means logs are kept forever. Otherwise, the value can be any number of days between 1 and 2147483647.

If retention policies are set but storing logs in a storage account is disabled, the retention policies have no effect. Retention policies are applied per day, so at the end of a day (UTC), logs from the day that is now beyond the retention policy are deleted. For example, if you had a retention policy of one day, at the beginning of today the logs from the day before yesterday would be deleted. The delete process begins at midnight UTC, but note that it can take up to 24 hours for the logs to be deleted from your storage account.
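The rules above (one profile per subscription, categories limited to Write/Delete/Action, all regions plus global, retention that only matters with a storage account, and the Manage/Send/Listen rights and `{service bus resource ID}/authorizationrules/{key name}` format from the Event Hubs prerequisites) are easy to get subtly wrong, and a wrong profile silently loses audit events. The following added example is not Microsoft's code and not part of this article; it checks a log profile in the JSON shape returned by `az monitor log-profiles list -o json` (assumed field names: categories, locations, retentionPolicy, storageAccountId, serviceBusRuleId), checks an authorization rule's rights against the required set, and models the per-day deletion the article describes. All sample values are constructed.

```python
"""Consistency checks for an Azure Activity log profile (added example, not Microsoft's code).

Assumption: the profile dict uses the field names that `az monitor log-profiles list -o json`
returns (categories, locations, retentionPolicy, storageAccountId, serviceBusRuleId).
"""
from datetime import date, timedelta

VALID_CATEGORIES = {"Write", "Delete", "Action"}   # log profile categories named in the article
REQUIRED_RIGHTS = {"Manage", "Send", "Listen"}     # shared access policy rights needed for streaming
MAX_RETENTION_DAYS = 2147483647                    # 0 = keep forever, otherwise 1..2147483647


def parse_service_bus_rule_id(rule_id):
    """Split '{service bus resource ID}/authorizationrules/{key name}' into its two parts.

    Returns (namespace_resource_id, key_name); raises ValueError on a malformed ID.
    """
    marker = "/authorizationrules/"
    idx = rule_id.lower().rfind(marker)
    if idx < 0:
        raise ValueError("service bus rule ID lacks '/authorizationrules/{key name}'")
    namespace_id, key_name = rule_id[:idx], rule_id[idx + len(marker):]
    if not namespace_id.lower().startswith("/subscriptions/") or not key_name or "/" in key_name:
        raise ValueError("malformed service bus rule ID: %r" % rule_id)
    return namespace_id, key_name


def missing_rights(granted_rights):
    """Rights the authorization rule still lacks before streaming can work (empty set = OK)."""
    return REQUIRED_RIGHTS - set(granted_rights)


def validate_log_profile(profile, subscription_regions):
    """Return a list of findings; an empty list means the profile follows the article's rules."""
    findings = []

    unknown = set(profile.get("categories") or []) - VALID_CATEGORIES
    if unknown:
        findings.append("unknown categories: %s" % sorted(unknown))

    # Every region of the subscription plus "global" must be exported, or global events are lost.
    have = {loc.lower() for loc in profile.get("locations") or []}
    want = {r.lower() for r in subscription_regions} | {"global"}
    if want - have:
        findings.append("locations not exported (global events may be lost): %s"
                        % sorted(want - have))

    storage, rule = profile.get("storageAccountId"), profile.get("serviceBusRuleId")
    if not storage and not rule:
        findings.append("no destination: set storageAccountId and/or serviceBusRuleId")

    policy = profile.get("retentionPolicy") or {}
    days, enabled = int(policy.get("days", 0)), bool(policy.get("enabled", False))
    if days < 0 or days > MAX_RETENTION_DAYS:
        findings.append("retention days out of range: %d" % days)
    if enabled and days == 0:
        findings.append("retention enabled with 0 days: disable the policy to keep logs forever")
    if enabled and not storage:
        findings.append("retention policy has no effect without a storage account")

    if rule:
        try:
            parse_service_bus_rule_id(rule)
        except ValueError as exc:
            findings.append(str(exc))
    return findings


def day_deleted_at_midnight(today, retention_days):
    """Day whose logs the retention job deletes when it runs at 00:00 UTC on `today`.

    Per the article, with a one-day policy the day before yesterday is deleted at the start
    of today. Returns None when retention is 0 (logs are kept forever).
    """
    if retention_days == 0:
        return None
    return today - timedelta(days=retention_days + 1)


# Constructed sample: a profile that archives to storage and streams to an event hub.
SAMPLE_REGIONS = ["chinaeast", "chinanorth"]
SAMPLE_PROFILE = {
    "name": "default",
    "categories": ["Write", "Delete", "Action"],
    "locations": ["chinaeast", "chinanorth", "global"],
    "retentionPolicy": {"days": 90, "enabled": True},
    "storageAccountId": "/subscriptions/s1/resourceGroups/myrg1/providers/"
                        "Microsoft.Storage/storageAccounts/my_storage",
    "serviceBusRuleId": "/subscriptions/s1/resourceGroups/myrg1/providers/"
                        "Microsoft.EventHub/namespaces/mytestSB/authorizationrules/"
                        "RootManageSharedAccessKey",
}
EXAMPLE_DAY = date(2020, 3, 10)   # constructed date for the retention illustration

if __name__ == "__main__":
    for finding in validate_log_profile(SAMPLE_PROFILE, SAMPLE_REGIONS) or ["profile OK"]:
        print(finding)
    print("rights still missing:", missing_rights(["Listen", "Send"]))
    print("deleted at 00:00 UTC on", EXAMPLE_DAY, "with 1-day retention:",
          day_deleted_at_midnight(EXAMPLE_DAY, 1))
```

Feed it the output of `az monitor log-profiles list -o json` and the region list from `az account list-locations --query [].name`; the rights for `missing_rights` come from the authorization rule behind the serviceBusRuleId (for example via Get-AzEventHubAuthorizationRule), so the check catches a policy that was granted only Listen before any events are dropped.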

Important

You may receive an error when creating a log profile if the Microsoft.Insights resource provider isn't registered. See Azure resource providers and types to register this provider.

Create log profile using the Azure portal

Create or edit a log profile with the Export to Event Hub option in the Azure portal.

  1. From the Azure Monitor menu in the Azure portal, select Activity log.

  2. Click Diagnostic settings.

    [Screenshot: Diagnostic settings]

  3. Click the purple banner for the legacy experience.

    [Screenshot: Legacy experience]

  4. In the blade that appears, specify the following:

    • Regions with the events to export. You should select all regions to ensure that you don't miss key events, since the Activity Log is a global (non-regional) log and so most events do not have a region associated with them.

    • If you want to write to a storage account:

      • The storage account to which you would like to save events.
      • The number of days you want to retain these events in storage. A setting of 0 days retains the logs forever.
    • If you want to write to an event hub:

      • The Service Bus namespace in which you would like an event hub to be created for streaming these events.

      [Screenshot: Export Activity Log blade]

  5. Click Save to save these settings. The settings are applied to your subscription immediately.

Configure log profile using PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

If a log profile already exists, you first need to remove the existing log profile and then create a new one.

  1. Use Get-AzLogProfile to identify whether a log profile exists. If a log profile does exist, note the name property.

  2. Use Remove-AzLogProfile to remove the log profile using the value from the name property.

    # For example, if the log profile name is 'default'
    Remove-AzLogProfile -Name "default"
    
  3. Use Add-AzLogProfile to create a new log profile:

    Add-AzLogProfile -Name my_log_profile -StorageAccountId /subscriptions/s1/resourceGroups/myrg1/providers/Microsoft.Storage/storageAccounts/my_storage -serviceBusRuleId /subscriptions/s1/resourceGroups/Default-ServiceBus-Chinaeast/providers/Microsoft.ServiceBus/namespaces/mytestSB/authorizationrules/RootManageSharedAccessKey -Location 'China East' -RetentionInDays 90 -Category Write,Delete,Action
    
    Property           Required   Description
    Name               Yes        Name of your log profile.
    StorageAccountId   No         Resource ID of the storage account where the Activity Log should be saved.
    serviceBusRuleId   No         Service Bus rule ID for the Service Bus namespace you would like to have event hubs created in. This is a string with the format: {service bus resource ID}/authorizationrules/{key name}.
    Location           Yes        Comma-separated list of regions for which you would like to collect Activity Log events.
    RetentionInDays    Yes        Number of days for which events should be retained in the storage account, between 1 and 365. A value of zero stores the logs indefinitely.
    Category           No         Comma-separated list of event categories that should be collected. Possible values are Write, Delete, and Action.

Example script

Following is a sample PowerShell script to create a log profile that writes the Activity Log to both a storage account and an event hub.

# Settings needed for the new log profile
$logProfileName = "default"
# Export every region of the subscription plus "global", so global events are not lost
$locations = (Get-AzLocation).Location
$locations += "global"
$subscriptionId = "<your Azure subscription Id>"
$resourceGroupName = "<resource group name your event hub belongs to>"
$eventHubNamespace = "<event hub namespace>"
# The storage account is assumed to live in the same resource group as the event hub namespace
$storageAccountName = "<storage account name>"

# Build the service bus rule Id from the settings above
$serviceBusRuleId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.EventHub/namespaces/$eventHubNamespace/authorizationrules/RootManageSharedAccessKey"

# Build the storage account Id from the settings above
$storageAccountId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

# Create the profile with both destinations; RetentionInDays applies to the storage account copy (0 = keep forever)
Add-AzLogProfile -Name $logProfileName -Location $locations -ServiceBusRuleId $serviceBusRuleId -StorageAccountId $storageAccountId -RetentionInDays 90

Configure log profile using Azure CLI

If a log profile already exists, you first need to remove the existing log profile and then create a new log profile.

  1. Use az monitor log-profiles list to identify whether a log profile exists.

  2. Use az monitor log-profiles delete --name "<log profile name>" to remove the log profile using the value from the name property.

  3. Use az monitor log-profiles create to create a new log profile:

    az monitor log-profiles create --name "default" --location null --locations "China East" "China North" --categories "Delete" "Write" "Action"  --enabled false --days 0 --service-bus-rule-id "/subscriptions/<YOUR SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP NAME>/providers/Microsoft.EventHub/namespaces/<EVENT HUB NAME SPACE>/authorizationrules/RootManageSharedAccessKey"
    
    Property             Required   Description
    name                 Yes        Name of your log profile.
    storage-account-id   Yes        Resource ID of the storage account to which Activity Logs should be saved.
    locations            Yes        Space-separated list of regions for which you would like to collect Activity Log events. You can view a list of all regions for your subscription using az account list-locations --query [].name.
    days                 Yes        Number of days for which events should be retained, between 1 and 365. A value of zero will store the logs indefinitely (forever). If zero, then the enabled parameter should be set to false.
    enabled              Yes        True or False. Used to enable or disable the retention policy. If True, then the days parameter must be a value greater than 0.
    categories           Yes        Space-separated list of event categories that should be collected. Possible values are Write, Delete, and Action.

Next steps