Azure Activity Log event schema

The Azure Activity log provides insight into any subscription-level events that have occurred in Azure. This article describes Activity log categories and the schema for each.

The schema varies depending on how you access the log:

Categories

Each event in the Activity log has a particular category, described in the following table. See the sections below for more detail on each category and its schema when you access the Activity log from the portal, PowerShell, CLI, and REST API. The schema is different when you stream the Activity log to storage or Event Hubs. A mapping of the properties to the resource logs schema is provided in the last section of the article.

Category: Description
Administrative: Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.

Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.
Service Health: Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in China North is experiencing downtime."

Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.
Resource Health: Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable."

Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as being Platform Initiated or User Initiated.
Alert: Contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes."
Autoscale: Contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed."
Recommendation: Contains recommendation events from Azure Advisor.
Security: Contains the record of any alerts generated by Azure Security Center. An example of a Security event is "Suspicious double extension file executed."
Policy: Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.

Administrative category

This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would see in this category include "create virtual machine" and "delete network security group". Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. The Administrative category also includes any changes to role-based access control in a subscription.

Sample event

{
    "authorization": {
        "action": "Microsoft.Network/networkSecurityGroups/write",
        "scope": "/subscriptions/<subscription ID>/resourcegroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG"
    },
    "caller": "rob@contoso.com",
    "channels": "Operation",
    "claims": {
        "aud": "https://management.core.chinacloudapi.cn/",
        "iss": "https://sts.chinacloudapi.cn/1114444b-7467-4144-a616-e3a5d63e147b/",
        "iat": "1234567890",
        "nbf": "1234567890",
        "exp": "1234567890",
        "_claim_names": "{\"groups\":\"src1\"}",
        "_claim_sources": "{\"src1\":{\"endpoint\":\"https://microsoftgraph.chinacloudapi.cn/1114444b-7467-4144-a616-e3a5d63e147b/users/f409edeb-4d29-44b5-9763-ee9348ad91bb/getMemberObjects\"}}",
        "http://schemas.microsoft.com/claims/authnclassreference": "1",
        "aio": "A3GgTJdwK4vy7Fa7l6DgJC2mI0GX44tML385OpU1Q+z+jaPnFMwB",
        "http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa",
        "appid": "355249ed-15d9-460d-8481-84026b065942",
        "appidacr": "2",
        "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "10845a4d-ffa4-4b61-a3b4-e57b9b31cdb5",
        "e_exp": "262800",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Robertson",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Rob",
        "ipaddr": "111.111.1.111",
        "name": "Rob Robertson",
        "http://schemas.microsoft.com/identity/claims/objectidentifier": "f409edeb-4d29-44b5-9763-ee9348ad91bb",
        "onprem_sid": "S-1-5-21-4837261184-168309720-1886587427-18514304",
        "puid": "18247BBD84827C6D",
        "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "b-24Jf94A3FH2sHWVIFqO3-RSJEiv24Jnif3gj7s",
        "http://schemas.microsoft.com/identity/claims/tenantid": "1114444b-7467-4144-a616-e3a5d63e147b",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "rob@contoso.com",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "rob@contoso.com",
        "uti": "IdP3SUJGtkGlt7dDQVRPAA",
        "ver": "1.0"
    },
    "correlationId": "b5768deb-836b-41cc-803e-3f4de2f9e40b",
    "eventDataId": "d0d36f97-b29c-4cd9-9d3d-ea2b92af3e9d",
    "eventName": {
        "value": "EndRequest",
        "localizedValue": "End request"
    },
    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },
    "eventTimestamp": "2018-01-29T20:42:31.3810679Z",
    "id": "/subscriptions/<subscription ID>/resourcegroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG/events/d0d36f97-b29c-4cd9-9d3d-ea2b92af3e9d/ticks/636528553513810679",
    "level": "Informational",
    "operationId": "04e575f8-48d0-4c43-a8b3-78c4eb01d287",
    "operationName": {
        "value": "Microsoft.Network/networkSecurityGroups/write",
        "localizedValue": "Microsoft.Network/networkSecurityGroups/write"
    },
    "resourceGroupName": "myResourceGroup",
    "resourceProviderName": {
        "value": "Microsoft.Network",
        "localizedValue": "Microsoft.Network"
    },
    "resourceType": {
        "value": "Microsoft.Network/networkSecurityGroups",
        "localizedValue": "Microsoft.Network/networkSecurityGroups"
    },
    "resourceId": "/subscriptions/<subscription ID>/resourcegroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2018-01-29T20:42:50.0724829Z",
    "subscriptionId": "<subscription ID>",
    "properties": {
        "statusCode": "Created",
        "serviceRequestId": "a4c11dbd-697e-47c5-9663-12362307157d",
        "responseBody": "",
        "requestbody": ""
    },
    "relatedEvents": []
}

Property descriptions

Element Name: Description
authorization: Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties.
caller: Email address of the user who has performed the operation, UPN claim, or SPN claim based on availability.
channels: One of the following values: "Admin", "Operation"
claims: The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager.
correlationId: Usually a GUID in the string format. Events that share a correlationId belong to the same uber action.
description: Static text description of an event.
eventDataId: Unique identifier of an event.
eventName: Friendly name of the Administrative event.
category: Always "Administrative"
httpRequest: Blob describing the HTTP request. Usually includes the "clientRequestId", "clientIpAddress" and "method" (HTTP method, for example PUT).
level: Level of the event. One of the following values: "Critical", "Error", "Warning", and "Informational"
resourceGroupName: Name of the resource group for the impacted resource.
resourceProviderName: Name of the resource provider for the impacted resource
resourceType: The type of resource that was affected by an Administrative event.
resourceId: Resource ID of the impacted resource.
operationId: A GUID shared among the events that correspond to a single operation.
operationName: Name of the operation.
properties: Set of <Key, Value> pairs (that is, a Dictionary) describing the details of the event.
status: String describing the status of the operation. Some common values are: Started, In Progress, Succeeded, Failed, Active, Resolved.
subStatus: Usually the HTTP status code of the corresponding REST call, but can also include other strings describing a substatus, such as these common values: OK (HTTP Status Code: 200), Created (HTTP Status Code: 201), Accepted (HTTP Status Code: 202), No Content (HTTP Status Code: 204), Bad Request (HTTP Status Code: 400), Not Found (HTTP Status Code: 404), Conflict (HTTP Status Code: 409), Internal Server Error (HTTP Status Code: 500), Service Unavailable (HTTP Status Code: 503), Gateway Timeout (HTTP Status Code: 504).
eventTimestamp: Timestamp when the event was generated by the Azure service processing the request corresponding to the event.
submissionTimestamp: Timestamp when the event became available for querying.
subscriptionId: Azure Subscription ID.
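The Administrative schema above records a start event and a success-or-failure event for each Write, Delete or Action operation, both sharing an operationId, and the claims blob carries the caller's authentication methods. The following added example (not code from the Azure documentation) folds those pairs into one summary per operation and flags the ones a reviewer would want to see; the events, the callers, the IP address and the watchlist of resource types are constructed assumptions, and the field names are those documented above.

```python
"""Correlate Administrative-category Activity log events and flag risky ones.

Added example, not code from the Azure documentation. Field names follow the
Administrative schema (operationId, operationName.value, resourceType.value,
status.value, caller, claims, eventTimestamp). All events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Claim key taken from the page's sample event; its value lists the token's
# authentication methods as a comma-separated string such as "rsa,mfa".
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"

# Assumed watchlist: NSGs appear on the page; roleAssignments covers the RBAC
# changes the page says are recorded in the Administrative category.
WATCHED_TYPES = {
    "Microsoft.Network/networkSecurityGroups",
    "Microsoft.Authorization/roleAssignments",
}


def _make(op_id, name, status, caller, amr, ts):
    """Build one constructed Administrative event using the page's field names."""
    return {
        "operationId": op_id,
        "operationName": {"value": name},
        "resourceType": {"value": name.rsplit("/", 1)[0]},
        "status": {"value": status},
        "caller": caller,
        "claims": {AMR_CLAIM: amr, "ipaddr": "203.0.113.10"},  # constructed, documentation range
        "eventTimestamp": ts,
        "category": {"value": "Administrative"},
    }


# Constructed sample: an MFA-backed NSG write that succeeded, a role-assignment
# write whose token lists no "mfa" method, and a VM delete that failed.
SAMPLE_EVENTS = [
    _make("op-1", "Microsoft.Network/networkSecurityGroups/write", "Started",
          "rob@contoso.com", "rsa,mfa", "2018-01-29T20:42:20.1000000Z"),
    _make("op-1", "Microsoft.Network/networkSecurityGroups/write", "Succeeded",
          "rob@contoso.com", "rsa,mfa", "2018-01-29T20:42:31.3810679Z"),
    _make("op-2", "Microsoft.Authorization/roleAssignments/write", "Started",
          "svc@contoso.com", "pwd", "2018-01-29T21:00:00.0000000Z"),
    _make("op-2", "Microsoft.Authorization/roleAssignments/write", "Succeeded",
          "svc@contoso.com", "pwd", "2018-01-29T21:00:02.5000000Z"),
    _make("op-3", "Microsoft.Compute/virtualMachines/delete", "Started",
          "rob@contoso.com", "rsa,mfa", "2018-01-29T22:00:00.0000000Z"),
    _make("op-3", "Microsoft.Compute/virtualMachines/delete", "Failed",
          "rob@contoso.com", "rsa,mfa", "2018-01-29T22:00:09.0000000Z"),
]


def parse_ts(ts):
    """Parse the log's Z-suffixed timestamp with up to 7 fractional digits as UTC.

    datetime.fromisoformat() on older Pythons accepts at most 6 digits, so trim.
    """
    head, _, frac = ts.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{head}.{frac[:6].ljust(6, '0')}").replace(tzinfo=timezone.utc)


def operation_type(op_name):
    """Last segment of operationName: 'write', 'delete', or otherwise 'action'."""
    verb = op_name.rsplit("/", 1)[-1].lower()
    return verb if verb in ("write", "delete") else "action"


def correlate(events):
    """Fold the start and end records sharing an operationId into one summary."""
    ops = defaultdict(lambda: {"statuses": [], "first": None, "last": None})
    for ev in sorted(events, key=lambda e: parse_ts(e["eventTimestamp"])):
        op = ops[ev["operationId"]]
        ts = parse_ts(ev["eventTimestamp"])
        op["first"] = op["first"] or ts
        op["last"] = ts
        op["statuses"].append(ev["status"]["value"])
        op["operationName"] = ev["operationName"]["value"]
        op["resourceType"] = ev["resourceType"]["value"]
        op["caller"] = ev["caller"]
        claims = ev.get("claims", {})
        op["mfa"] = "mfa" in claims.get(AMR_CLAIM, "").split(",")
        op["ipaddr"] = claims.get("ipaddr")
    return {
        op_id: {
            "operationName": op["operationName"],
            "type": operation_type(op["operationName"]),
            "resourceType": op["resourceType"],
            "caller": op["caller"],
            "final_status": op["statuses"][-1],  # last record wins: Succeeded/Failed
            "duration_s": (op["last"] - op["first"]).total_seconds(),
            "mfa": op["mfa"],
            "ipaddr": op["ipaddr"],
        }
        for op_id, op in ops.items()
    }


def find_findings(summary):
    """Return (operationId, reason) pairs worth a reviewer's attention."""
    findings = []
    for op_id, s in summary.items():
        if s["resourceType"] in WATCHED_TYPES and not s["mfa"]:
            findings.append((op_id, f"{s['type']} on {s['resourceType']} by {s['caller']} without MFA"))
        if s["final_status"] == "Failed":
            findings.append((op_id, f"{s['type']} on {s['resourceType']} failed"))
    return findings


if __name__ == "__main__":
    for op_id, reason in find_findings(correlate(SAMPLE_EVENTS)):
        print(op_id, reason)
```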

Service health category

This category contains the record of any service health incidents that have occurred in Azure. An example of the type of event you would see in this category is "SQL Azure in China North is experiencing downtime." Service health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security, and only appear if you have a resource in the subscription that would be impacted by the event.

Sample event

{
  "channels": "Admin",
  "correlationId": "c550176b-8f52-4380-bdc5-36c1b59d3a44",
  "description": "Active: Network Infrastructure - UK South",
  "eventDataId": "c5bc4514-6642-2be3-453e-c6a67841b073",
  "eventName": {
      "value": null
  },
  "category": {
      "value": "ServiceHealth",
      "localizedValue": "Service Health"
  },
  "eventTimestamp": "2017-07-20T23:30:14.8022297Z",
  "id": "/subscriptions/<subscription ID>/events/c5bc4514-6642-2be3-453e-c6a67841b073/ticks/636361902148022297",
  "level": "Warning",
  "operationName": {
      "value": "Microsoft.ServiceHealth/incident/action",
      "localizedValue": "Microsoft.ServiceHealth/incident/action"
  },
  "resourceProviderName": {
      "value": null
  },
  "resourceType": {
      "value": null,
      "localizedValue": ""
  },
  "resourceId": "/subscriptions/<subscription ID>",
  "status": {
      "value": "Active",
      "localizedValue": "Active"
  },
  "subStatus": {
      "value": null
  },
  "submissionTimestamp": "2017-07-20T23:30:34.7431946Z",
  "subscriptionId": "<subscription ID>",
  "properties": {
    "title": "Network Infrastructure - UK South",
    "service": "Service Fabric",
    "region": "UK South",
    "communication": "Starting at approximately 21:41 UTC on 20 Jul 2017, a subset of customers in UK South may experience degraded performance, connectivity drops or timeouts when accessing their Azure resources hosted in this region. Engineers are investigating underlying Network Infrastructure issues in this region. Impacted services may include, but are not limited to App Services, Automation, Service Bus, Log Analytics, Key Vault, SQL Database, Service Fabric, Event Hubs, Stream Analytics, Azure Data Movement, API Management, and Azure Cognitive Search. Multiple engineering teams are engaged in multiple workflows to mitigate the impact. The next update will be provided in 60 minutes, or as events warrant.",
    "incidentType": "Incident",
    "trackingId": "NA0F-BJG",
    "impactStartTime": "2017-07-20T21:41:00.0000000Z",
    "impactedServices": "[{\"ImpactedRegions\":[{\"RegionName\":\"UK South\"}],\"ServiceName\":\"Service Fabric\"}]",
    "defaultLanguageTitle": "Network Infrastructure - UK South",
    "defaultLanguageContent": "Starting at approximately 21:41 UTC on 20 Jul 2017, a subset of customers in UK South may experience degraded performance, connectivity drops or timeouts when accessing their Azure resources hosted in this region. Engineers are investigating underlying Network Infrastructure issues in this region. Impacted services may include, but are not limited to App Services, Automation, Service Bus, Log Analytics, Key Vault, SQL Database, Service Fabric, Event Hubs, Stream Analytics, Azure Data Movement, API Management, and Azure Cognitive Search. Multiple engineering teams are engaged in multiple workflows to mitigate the impact. The next update will be provided in 60 minutes, or as events warrant.",
    "stage": "Active",
    "communicationId": "636361902146035247",
    "version": "0.1.1"
  }
}

Refer to the service health notifications article for documentation about the values in the properties.

Resource health category

This category contains the record of any resource health events that have occurred to your Azure resources. An example of the type of event you would see in this category is "Virtual Machine health status changed to unavailable." Resource health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, resource health events can be categorized as being Platform Initiated or User Initiated.

Sample event

{
    "channels": "Admin, Operation",
    "correlationId": "28f1bfae-56d3-7urb-bff4-194d261248e9",
    "description": "",
    "eventDataId": "a80024e1-883d-37ur-8b01-7591a1befccb",
    "eventName": {
        "value": "",
        "localizedValue": ""
    },
    "category": {
        "value": "ResourceHealth",
        "localizedValue": "Resource Health"
    },
    "eventTimestamp": "2018-09-04T15:33:43.65Z",
    "id": "/subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Compute/virtualMachines/<resource name>/events/a80024e1-883d-42a5-8b01-7591a1befccb/ticks/636716720236500000",
    "level": "Critical",
    "operationId": "",
    "operationName": {
        "value": "Microsoft.Resourcehealth/healthevent/Activated/action",
        "localizedValue": "Health Event Activated"
    },
    "resourceGroupName": "<resource group>",
    "resourceProviderName": {
        "value": "Microsoft.Resourcehealth/healthevent/action",
        "localizedValue": "Microsoft.Resourcehealth/healthevent/action"
    },
    "resourceType": {
        "value": "Microsoft.Compute/virtualMachines",
        "localizedValue": "Microsoft.Compute/virtualMachines"
    },
    "resourceId": "/subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Compute/virtualMachines/<resource name>",
    "status": {
        "value": "Active",
        "localizedValue": "Active"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2018-09-04T15:36:24.2240867Z",
    "subscriptionId": "<subscription ID>",
    "properties": {
        "stage": "Active",
        "title": "Virtual Machine health status changed to unavailable",
        "details": "Virtual machine has experienced an unexpected event",
        "healthStatus": "Unavailable",
        "healthEventType": "Downtime",
        "healthEventCause": "PlatformInitiated",
        "healthEventCategory": "Unplanned"
    },
    "relatedEvents": []
}

Property descriptions

Element Name: Description
channels: Always "Admin, Operation"
correlationId: A GUID in the string format.
description: Static text description of the alert event.
eventDataId: Unique identifier of the alert event.
category: Always "ResourceHealth"
eventTimestamp: Timestamp when the event was generated by the Azure service processing the request corresponding to the event.
level: Level of the event. One of the following values: "Critical", "Error", "Warning", "Informational", and "Verbose"
operationId: A GUID shared among the events that correspond to a single operation.
operationName: Name of the operation.
resourceGroupName: Name of the resource group that contains the resource.
resourceProviderName: Always "Microsoft.Resourcehealth/healthevent/action".
resourceType: The type of resource that was affected by a Resource Health event.
resourceId: Name of the resource ID for the impacted resource.
status: String describing the status of the health event. Values can be: Active, Resolved, InProgress, Updated.
subStatus: Usually null for alerts.
submissionTimestamp: Timestamp when the event became available for querying.
subscriptionId: Azure Subscription ID.
properties: Set of <Key, Value> pairs (that is, a Dictionary) describing the details of the event.
properties.title: A user-friendly string that describes the health status of the resource.
properties.details: A user-friendly string that describes further details about the event.
properties.currentHealthStatus: The current health status of the resource. One of the following values: "Available", "Unavailable", "Degraded", and "Unknown".
properties.previousHealthStatus: The previous health status of the resource. One of the following values: "Available", "Unavailable", "Degraded", and "Unknown".
properties.type: A description of the type of resource health event.
properties.cause: A description of the cause of the resource health event. Either "UserInitiated" or "PlatformInitiated".

Alert category

This category contains the record of all activations of classic Azure alerts. An example of the type of event you would see in this category is "CPU % on myVM has been over 80 for the past 5 minutes." A variety of Azure systems have an alerting concept: you can define a rule of some sort and receive a notification when conditions match that rule. Each time a supported Azure alert type 'activates,' or the conditions are met to generate a notification, a record of the activation is also pushed to this category of the Activity Log.

Sample event

{
  "caller": "Microsoft.Insights/alertRules",
  "channels": "Admin, Operation",
  "claims": {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn": "Microsoft.Insights/alertRules"
  },
  "correlationId": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/microsoft.insights/alertrules/myalert/incidents/L3N1YnNjcmlwdGlvbnMvZGY2MDJjOWMtN2FhMC00MDdkLWE2ZmItZWIyMGM4YmQxMTkyL3Jlc291cmNlR3JvdXBzL0NzbUV2ZW50RE9HRk9PRC1XZXN0VVMvcHJvdmlkZXJzL21pY3Jvc29mdC5pbnNpZ2h0cy9hbGVydHJ1bGVzL215YWxlcnQwNjM2MzYyMjU4NTM1MjIxOTIw",
  "description": "'Disk read LessThan 100000 ([Count]) in the last 5 minutes' has been resolved for CloudService: myResourceGroup/Production/Event.BackgroundJobsWorker.razzle (myResourceGroup)",
  "eventDataId": "149d4baf-53dc-4cf4-9e29-17de37405cd9",
  "eventName": {
    "value": "Alert",
    "localizedValue": "Alert"
  },
  "category": {
    "value": "Alert",
    "localizedValue": "Alert"
  },
  "id": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.ClassicCompute/domainNames/myResourceGroup/slots/Production/roles/Event.BackgroundJobsWorker.razzle/events/149d4baf-53dc-4cf4-9e29-17de37405cd9/ticks/636362258535221920",
  "level": "Informational",
  "resourceGroupName": "myResourceGroup",
  "resourceProviderName": {
    "value": "Microsoft.ClassicCompute",
    "localizedValue": "Microsoft.ClassicCompute"
  },
  "resourceId": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.ClassicCompute/domainNames/myResourceGroup/slots/Production/roles/Event.BackgroundJobsWorker.razzle",
  "resourceType": {
    "value": "Microsoft.ClassicCompute/domainNames/slots/roles",
    "localizedValue": "Microsoft.ClassicCompute/domainNames/slots/roles"
  },
  "operationId": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/microsoft.insights/alertrules/myalert/incidents/L3N1YnNjcmlwdGlvbnMvZGY2MDJjOWMtN2FhMC00MDdkLWE2ZmItZWIyMGM4YmQxMTkyL3Jlc291cmNlR3JvdXBzL0NzbUV2ZW50RE9HRk9PRC1XZXN0VVMvcHJvdmlkZXJzL21pY3Jvc29mdC5pbnNpZ2h0cy9hbGVydHJ1bGVzL215YWxlcnQwNjM2MzYyMjU4NTM1MjIxOTIw",
  "operationName": {
    "value": "Microsoft.Insights/AlertRules/Resolved/Action",
    "localizedValue": "Microsoft.Insights/AlertRules/Resolved/Action"
  },
  "properties": {
    "RuleUri": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/microsoft.insights/alertrules/myalert",
    "RuleName": "myalert",
    "RuleDescription": "",
    "Threshold": "100000",
    "WindowSizeInMinutes": "5",
    "Aggregation": "Average",
    "Operator": "LessThan",
    "MetricName": "Disk read",
    "MetricUnit": "Count"
  },
  "status": {
    "value": "Resolved",
    "localizedValue": "Resolved"
  },
  "subStatus": {
    "value": null
  },
  "eventTimestamp": "2017-07-21T09:24:13.522192Z",
  "submissionTimestamp": "2017-07-21T09:24:15.6578651Z",
  "subscriptionId": "<subscription ID>"
}

Property descriptions

Element Name: Description
caller: Always Microsoft.Insights/alertRules
channels: Always "Admin, Operation"
claims: JSON blob with the SPN (service principal name), or resource type, of the alert engine.
correlationId: A GUID in the string format.
description: Static text description of the alert event.
eventDataId: Unique identifier of the alert event.
category: Always "Alert"
level: Level of the event. One of the following values: "Critical", "Error", "Warning", and "Informational"
resourceGroupName: Name of the resource group for the impacted resource if it is a metric alert. For other alert types, it is the name of the resource group that contains the alert itself.
resourceProviderName: Name of the resource provider for the impacted resource if it is a metric alert. For other alert types, it is the name of the resource provider for the alert itself.
resourceId: Name of the resource ID for the impacted resource if it is a metric alert. For other alert types, it is the resource ID of the alert resource itself.
operationId: A GUID shared among the events that correspond to a single operation.
operationName: Name of the operation.
properties: Set of <Key, Value> pairs (that is, a Dictionary) describing the details of the event.
status: String describing the status of the operation. Some common values are: Started, In Progress, Succeeded, Failed, Active, Resolved.
subStatus: Usually null for alerts.
eventTimestamp: Timestamp when the event was generated by the Azure service processing the request corresponding to the event.
submissionTimestamp: Timestamp when the event became available for querying.
subscriptionId: Azure Subscription ID.

Properties field per alert type

The properties field contains different values depending on the source of the alert event. Two common alert event providers are Activity Log alerts and metric alerts.

Properties for Activity Log alerts

Element Name: Description
properties.subscriptionId: The subscription ID from the activity log event which caused this activity log alert rule to be activated.
properties.eventDataId: The event data ID from the activity log event which caused this activity log alert rule to be activated.
properties.resourceGroup: The resource group from the activity log event which caused this activity log alert rule to be activated.
properties.resourceId: The resource ID from the activity log event which caused this activity log alert rule to be activated.
properties.eventTimestamp: The event timestamp of the activity log event which caused this activity log alert rule to be activated.
properties.operationName: The operation name from the activity log event which caused this activity log alert rule to be activated.
properties.status: The status from the activity log event which caused this activity log alert rule to be activated.

Properties for metric alerts

Element Name: Description
properties.RuleUri: Resource ID of the metric alert rule itself.
properties.RuleName: The name of the metric alert rule.
properties.RuleDescription: The description of the metric alert rule (as defined in the alert rule).
properties.Threshold: The threshold value used in the evaluation of the metric alert rule.
properties.WindowSizeInMinutes: The window size used in the evaluation of the metric alert rule.
properties.Aggregation: The aggregation type defined in the metric alert rule.
properties.Operator: The conditional operator used in the evaluation of the metric alert rule.
properties.MetricName: The metric name of the metric used in the evaluation of the metric alert rule.
properties.MetricUnit: The metric unit for the metric used in the evaluation of the metric alert rule.
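Because the properties field of an Alert-category event has a different shape for Activity Log alerts and for metric alerts, an ingestion pipeline has to classify each event before reading it. This added example (not code from the Azure documentation) does that from the property names documented in the two tables above and builds a one-line triage summary; the metric-alert properties are copied from the page's sample event, while the Activity Log alert event and its resource IDs are constructed.

```python
"""Classify Alert-category Activity log events by the shape of `properties`.

Added example, not code from the Azure documentation. The property names are
those documented for metric alerts (RuleUri, RuleName, Threshold, ...) and for
Activity Log alerts (eventDataId, operationName, status, ...). Events are
constructed; the metric one reuses the values from the page's sample event.
"""

# Metric alert: properties copied from the page's sample Alert event.
METRIC_ALERT = {
    "category": {"value": "Alert"},
    "status": {"value": "Resolved"},
    "properties": {
        "RuleUri": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/microsoft.insights/alertrules/myalert",
        "RuleName": "myalert",
        "RuleDescription": "",
        "Threshold": "100000",          # arrives as a string in the log
        "WindowSizeInMinutes": "5",     # likewise a string
        "Aggregation": "Average",
        "Operator": "LessThan",
        "MetricName": "Disk read",
        "MetricUnit": "Count",
    },
}

# Activity Log alert: constructed event whose properties point back at the
# Administrative event that fired the rule (placeholder IDs throughout).
ACTIVITY_LOG_ALERT = {
    "category": {"value": "Alert"},
    "status": {"value": "Active"},
    "properties": {
        "subscriptionId": "<subscription ID>",
        "eventDataId": "<event data id>",
        "resourceGroup": "myResourceGroup",
        "resourceId": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.Authorization/roleAssignments/<assignment id>",
        "eventTimestamp": "2018-01-29T21:00:02.5000000Z",
        "operationName": "Microsoft.Authorization/roleAssignments/write",
        "status": "Succeeded",
    },
}


def alert_source(properties):
    """Return 'metric', 'activity_log' or 'unknown' based on the property keys."""
    if "RuleUri" in properties and "MetricName" in properties:
        return "metric"
    if "eventDataId" in properties and "operationName" in properties:
        return "activity_log"
    return "unknown"


def summarize_alert(event):
    """Return (source, one-line summary) for an Alert-category event."""
    props = event["properties"]
    status = event["status"]["value"]
    source = alert_source(props)
    if source == "metric":
        # Numeric fields are strings in the log; convert before use.
        threshold = float(props["Threshold"])
        window = int(props["WindowSizeInMinutes"])
        text = (f"{status}: {props['MetricName']} {props['Operator']} {threshold:g} "
                f"{props['MetricUnit']} ({props['Aggregation']} over {window} min), "
                f"rule {props['RuleName']}")
    elif source == "activity_log":
        text = (f"{status}: triggered by {props['operationName']} ({props['status']}) "
                f"on {props['resourceId']} at {props['eventTimestamp']}")
    else:
        text = f"{status}: unrecognised alert properties {sorted(props)}"
    return source, text


if __name__ == "__main__":
    for ev in (METRIC_ALERT, ACTIVITY_LOG_ALERT):
        print(*summarize_alert(ev), sep="\t")
```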

Autoscale category

This category contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of the type of event you would see in this category is "Autoscale scale up action failed." Using autoscale, you can automatically scale out or scale in the number of instances in a supported resource type based on time of day and/or load (metric) data using an autoscale setting. When the conditions are met to scale up or down, the start and succeeded or failed events are recorded in this category.

Sample event

{
  "caller": "Microsoft.Insights/autoscaleSettings",
  "channels": "Admin, Operation",
  "claims": {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn": "Microsoft.Insights/autoscaleSettings"
  },
  "correlationId": "fc6a7ff5-ff68-4bb7-81b4-3629212d03d0",
  "description": "The autoscale engine attempting to scale resource '/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.ClassicCompute/domainNames/myResourceGroup/slots/Production/roles/myResource' from 3 instances count to 2 instances count.",
  "eventDataId": "a5b92075-1de9-42f1-b52e-6f3e4945a7c7",
  "eventName": {
    "value": "AutoscaleAction",
    "localizedValue": "AutoscaleAction"
  },
  "category": {
    "value": "Autoscale",
    "localizedValue": "Autoscale"
  },
  "id": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/microsoft.insights/autoscalesettings/myResourceGroup-Production-myResource-myResourceGroup/events/a5b92075-1de9-42f1-b52e-6f3e4945a7c7/ticks/636361956518681572",
  "level": "Informational",
  "resourceGroupName": "myResourceGroup",
  "resourceProviderName": {
    "value": "microsoft.insights",
    "localizedValue": "microsoft.insights"
  },
  "resourceId": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/microsoft.insights/autoscalesettings/myResourceGroup-Production-myResource-myResourceGroup",
  "resourceType": {
    "value": "microsoft.insights/autoscalesettings",
    "localizedValue": "microsoft.insights/autoscalesettings"
  },
  "operationId": "fc6a7ff5-ff68-4bb7-81b4-3629212d03d0",
  "operationName": {
    "value": "Microsoft.Insights/AutoscaleSettings/Scaledown/Action",
    "localizedValue": "Microsoft.Insights/AutoscaleSettings/Scaledown/Action"
  },
  "properties": {
    "Description": "The autoscale engine attempting to scale resource '/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.ClassicCompute/domainNames/myResourceGroup/slots/Production/roles/myResource' from 3 instances count to 2 instances count.",
    "ResourceName": "/subscriptions/<subscription ID>/resourceGroups/myResourceGroup/providers/Microsoft.ClassicCompute/domainNames/myResourceGroup/slots/Production/roles/myResource",
    "OldInstancesCount": "3",
    "NewInstancesCount": "2",
    "LastScaleActionTime": "Fri, 21 Jul 2017 01:00:51 GMT"
  },
  "status": {
    "value": "Succeeded",
    "localizedValue": "Succeeded"
  },
  "subStatus": {
    "value": null
  },
  "eventTimestamp": "2017-07-21T01:00:51.8681572Z",
  "submissionTimestamp": "2017-07-21T01:00:52.3008754Z",
  "subscriptionId": "<subscription ID>"
}

Property descriptions

Element Name    Description
caller    Always Microsoft.Insights/autoscaleSettings
channels    Always "Admin, Operation"
claims    JSON blob with the SPN (service principal name), or resource type, of the autoscale engine.
correlationId    A GUID in string format.
description    Static text description of the autoscale event.
eventDataId    Unique identifier of the autoscale event.
level    Level of the event. One of the following values: "Critical", "Error", "Warning", and "Informational"
resourceGroupName    Name of the resource group for the autoscale setting.
resourceProviderName    Name of the resource provider for the autoscale setting.
resourceId    Resource ID of the autoscale setting.
operationId    A GUID shared among the events that correspond to a single operation.
operationName    Name of the operation.
properties    Set of <Key, Value> pairs (that is, a dictionary) describing the details of the event.
properties.Description    Detailed description of what the autoscale engine was doing.
properties.ResourceName    Resource ID of the impacted resource (the resource on which the scale action was being performed).
properties.OldInstancesCount    The number of instances before the autoscale action took effect.
properties.NewInstancesCount    The number of instances after the autoscale action took effect.
properties.LastScaleActionTime    The timestamp of when the autoscale action occurred.
status    String describing the status of the operation. Some common values are: Started, In Progress, Succeeded, Failed, Active, Resolved.
subStatus    Usually null for autoscale.
eventTimestamp    Timestamp when the event was generated by the Azure service processing the request corresponding to the event.
submissionTimestamp    Timestamp when the event became available for querying.
subscriptionId    Azure subscription ID.

Security category

This category contains the record of any alerts generated by Azure Security Center. An example of the type of event you would see in this category is "Suspicious double extension file executed."

Sample event

{
    "channels": "Operation",
    "correlationId": "965d6c6a-a790-4a7e-8e9a-41771b3fbc38",
    "description": "Suspicious double extension file executed. Machine logs indicate an execution of a process with a suspicious double extension.\r\nThis extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.",
    "eventDataId": "965d6c6a-a790-4a7e-8e9a-41771b3fbc38",
    "eventName": {
        "value": "Suspicious double extension file executed",
        "localizedValue": "Suspicious double extension file executed"
    },
    "category": {
        "value": "Security",
        "localizedValue": "Security"
    },
    "eventTimestamp": "2017-10-18T06:02:18.6179339Z",
    "id": "/subscriptions/<subscription ID>/providers/Microsoft.Security/locations/chinaeast/alerts/965d6c6a-a790-4a7e-8e9a-41771b3fbc38/events/965d6c6a-a790-4a7e-8e9a-41771b3fbc38/ticks/636439033386179339",
    "level": "Informational",
    "operationId": "965d6c6a-a790-4a7e-8e9a-41771b3fbc38",
    "operationName": {
        "value": "Microsoft.Security/locations/alerts/activate/action",
        "localizedValue": "Microsoft.Security/locations/alerts/activate/action"
    },
    "resourceGroupName": "myResourceGroup",
    "resourceProviderName": {
        "value": "Microsoft.Security",
        "localizedValue": "Microsoft.Security"
    },
    "resourceType": {
        "value": "Microsoft.Security/locations/alerts",
        "localizedValue": "Microsoft.Security/locations/alerts"
    },
    "resourceId": "/subscriptions/<subscription ID>/providers/Microsoft.Security/locations/chinaeast/alerts/2518939942613820660_a48f8653-3fc6-4166-9f19-914f030a13d3",
    "status": {
        "value": "Active",
        "localizedValue": "Active"
    },
    "subStatus": {
        "value": null
    },
    "submissionTimestamp": "2017-10-18T06:02:52.2176969Z",
    "subscriptionId": "<subscription ID>",
    "properties": {
        "accountLogonId": "0x2r4",
        "commandLine": "c:\\mydirectory\\doubleetension.pdf.exe",
        "domainName": "hpc",
        "parentProcess": "unknown",
        "parentProcess id": "0",
        "processId": "6988",
        "processName": "c:\\mydirectory\\doubleetension.pdf.exe",
        "userName": "myUser",
        "UserSID": "S-3-2-12",
        "ActionTaken": "Detected",
        "Severity": "High"
    },
    "relatedEvents": []
}

Property descriptions

Element Name    Description
channels    Always "Operation"
correlationId    A GUID in string format.
description    Static text description of the security event.
eventDataId    Unique identifier of the security event.
eventName    Friendly name of the security event.
category    Always "Security"
id    Unique resource identifier of the security event.
level    Level of the event. One of the following values: "Critical", "Error", "Warning", or "Informational"
resourceGroupName    Name of the resource group for the resource.
resourceProviderName    Name of the resource provider for Azure Security Center. Always "Microsoft.Security".
resourceType    The type of resource that generated the security event, such as "Microsoft.Security/locations/alerts"
resourceId    Resource ID of the security alert.
operationId    A GUID shared among the events that correspond to a single operation.
operationName    Name of the operation.
properties    Set of <Key, Value> pairs (that is, a dictionary) describing the details of the event. These properties vary depending on the type of security alert. See the Security Center documentation for a description of the types of alerts it generates.
properties.Severity    The severity level. Possible values are "High", "Medium", or "Low".
status    String describing the status of the operation. Some common values are: Started, In Progress, Succeeded, Failed, Active, Resolved.
subStatus    Usually null for security events.
eventTimestamp    Timestamp when the event was generated by the Azure service processing the request corresponding to the event.
submissionTimestamp    Timestamp when the event became available for querying.
subscriptionId    Azure subscription ID.

Recommendation category

This category contains the record of any new recommendations that are generated for your services. An example of a recommendation would be "Use availability sets for improved fault tolerance." There are four types of Recommendation events that can be generated: High Availability, Performance, Security, and Cost Optimization.

Sample event

{
    "channels": "Operation",
    "correlationId": "92481dfd-c5bf-4752-b0d6-0ecddaa64776",
    "description": "The action was successful.",
    "eventDataId": "06cb0e44-111b-47c7-a4f2-aa3ee320c9c5",
    "eventName": {
        "value": "",
        "localizedValue": ""
    },
    "category": {
        "value": "Recommendation",
        "localizedValue": "Recommendation"
    },
    "eventTimestamp": "2018-06-07T21:30:42.976919Z",
    "id": "/SUBSCRIPTIONS/<Subscription ID>/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/MYVM/events/06cb0e44-111b-47c7-a4f2-aa3ee320c9c5/ticks/636640038429769190",
    "level": "Informational",
    "operationId": "",
    "operationName": {
        "value": "Microsoft.Advisor/generateRecommendations/action",
        "localizedValue": "Microsoft.Advisor/generateRecommendations/action"
    },
    "resourceGroupName": "MYRESOURCEGROUP",
    "resourceProviderName": {
        "value": "MICROSOFT.COMPUTE",
        "localizedValue": "MICROSOFT.COMPUTE"
    },
    "resourceType": {
        "value": "MICROSOFT.COMPUTE/virtualmachines",
        "localizedValue": "MICROSOFT.COMPUTE/virtualmachines"
    },
    "resourceId": "/SUBSCRIPTIONS/<Subscription ID>/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/MYVM",
    "status": {
        "value": "Active",
        "localizedValue": "Active"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2018-06-07T21:30:42.976919Z",
    "subscriptionId": "<Subscription ID>",
    "properties": {
        "recommendationSchemaVersion": "1.0",
        "recommendationCategory": "Security",
        "recommendationImpact": "High",
        "recommendationRisk": "None"
    },
    "relatedEvents": []
}

Property descriptions

Element Name    Description
channels    Always "Operation"
correlationId    A GUID in string format.
description    Static text description of the recommendation event.
eventDataId    Unique identifier of the recommendation event.
category    Always "Recommendation"
id    Unique resource identifier of the recommendation event.
level    Level of the event. One of the following values: "Critical", "Error", "Warning", or "Informational"
operationName    Name of the operation. Always "Microsoft.Advisor/generateRecommendations/action"
resourceGroupName    Name of the resource group for the resource.
resourceProviderName    Name of the resource provider for the resource that this recommendation applies to, such as "MICROSOFT.COMPUTE"
resourceType    Name of the resource type for the resource that this recommendation applies to, such as "MICROSOFT.COMPUTE/virtualmachines"
resourceId    Resource ID of the resource that the recommendation applies to.
status    Always "Active"
submissionTimestamp    Timestamp when the event became available for querying.
subscriptionId    Azure subscription ID.
properties    Set of <Key, Value> pairs (that is, a dictionary) describing the details of the recommendation.
properties.recommendationSchemaVersion    Schema version of the recommendation properties published in the Activity Log entry.
properties.recommendationCategory    Category of the recommendation. Possible values are "High Availability", "Performance", "Security", and "Cost".
properties.recommendationImpact    Impact of the recommendation. Possible values are "High", "Medium", "Low".
properties.recommendationRisk    Risk of the recommendation. Possible values are "Error", "Warning", "None".

Policy category

This category contains records of all effect action operations performed by Azure Policy. Examples of the types of events you would see in this category include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.

Sample Policy event

{
    "authorization": {
        "action": "Microsoft.Resources/checkPolicyCompliance/read",
        "scope": "/subscriptions/<subscriptionID>"
    },
    "caller": "33a68b9d-63ce-484c-a97e-94aef4c89648",
    "channels": "Operation",
    "claims": {
        "aud": "https://management.chinacloudapi.cn/",
        "iss": "https://sts.chinacloudapi.cn/1114444b-7467-4144-a616-e3a5d63e147b/",
        "iat": "1234567890",
        "nbf": "1234567890",
        "exp": "1234567890",
        "aio": "A3GgTJdwK4vy7Fa7l6DgJC2mI0GX44tML385OpU1Q+z+jaPnFMwB",
        "appid": "1d78a85d-813d-46f0-b496-dd72f50a3ec0",
        "appidacr": "2",
        "http://schemas.microsoft.com/identity/claims/identityprovider": "https://sts.chinacloudapi.cn/1114444b-7467-4144-a616-e3a5d63e147b/",
        "http://schemas.microsoft.com/identity/claims/objectidentifier": "f409edeb-4d29-44b5-9763-ee9348ad91bb",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "b-24Jf94A3FH2sHWVIFqO3-RSJEiv24Jnif3gj7s",
        "http://schemas.microsoft.com/identity/claims/tenantid": "1114444b-7467-4144-a616-e3a5d63e147b",
        "uti": "IdP3SUJGtkGlt7dDQVRPAA",
        "ver": "1.0"
    },
    "correlationId": "b5768deb-836b-41cc-803e-3f4de2f9e40b",
    "description": "",
    "eventDataId": "d0d36f97-b29c-4cd9-9d3d-ea2b92af3e9d",
    "eventName": {
        "value": "EndRequest",
        "localizedValue": "End request"
    },
    "category": {
        "value": "Policy",
        "localizedValue": "Policy"
    },
    "eventTimestamp": "2019-01-15T13:19:56.1227642Z",
    "id": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Sql/servers/contososqlpolicy/events/13bbf75f-36d5-4e66-b693-725267ff21ce/ticks/636831551961227642",
    "level": "Warning",
    "operationId": "04e575f8-48d0-4c43-a8b3-78c4eb01d287",
    "operationName": {
        "value": "Microsoft.Authorization/policies/audit/action",
        "localizedValue": "Microsoft.Authorization/policies/audit/action"
    },
    "resourceGroupName": "myResourceGroup",
    "resourceProviderName": {
        "value": "Microsoft.Sql",
        "localizedValue": "Microsoft SQL"
    },
    "resourceType": {
        "value": "Microsoft.Resources/checkPolicyCompliance",
        "localizedValue": "Microsoft.Resources/checkPolicyCompliance"
    },
    "resourceId": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup/providers/Microsoft.Sql/servers/contososqlpolicy",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2019-01-15T13:20:17.1077672Z",
    "subscriptionId": "<subscriptionID>",
    "properties": {
        "isComplianceCheck": "True",
        "resourceLocation": "chinaeast2",
        "ancestors": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "policies": "[{\"policyDefinitionId\":\"/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyDefinitions/5775cdd5-d3d3-47bf-bc55-bb8b61746506/\",\"policyDefinitionName\":\"5775cdd5-d3d3-47bf-bc55-bb8b61746506\",\"policyDefinitionEffect\":\"Deny\",\"policyAssignmentId\":\"/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/991a69402a6c484cb0f9b673/\",\"policyAssignmentName\":\"991a69402a6c484cb0f9b673\",\"policyAssignmentScope\":\"/subscriptions/<subscriptionID>\",\"policyAssignmentParameters\":{}}]"
    },
    "relatedEvents": []
}

Policy event property descriptions

Element Name    Description
authorization    Array of RBAC properties of the event. For new resources, this is the action and scope of the request that triggered evaluation. For existing resources, the action is "Microsoft.Resources/checkPolicyCompliance/read".
caller    For new resources, the identity that initiated the deployment. For existing resources, the GUID of the Azure Policy Insights resource provider.
channels    Policy events use only the "Operation" channel.
claims    The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager.
correlationId    Usually a GUID in string format. Events that share a correlationId belong to the same overall action.
description    This field is blank for Policy events.
eventDataId    Unique identifier of an event.
eventName    Either "BeginRequest" or "EndRequest". "BeginRequest" is used for delayed auditIfNotExists and deployIfNotExists evaluations and when a deployIfNotExists effect starts a template deployment. All other operations return "EndRequest".
category    Declares the activity log event as belonging to "Policy".
eventTimestamp    Timestamp when the event was generated by the Azure service processing the request corresponding to the event.
id    Unique identifier of the event on the specific resource.
level    Level of the event. Audit uses "Warning" and Deny uses "Error". An auditIfNotExists or deployIfNotExists error can generate "Warning" or "Error" depending on severity. All other Policy events use "Informational".
operationId    A GUID shared among the events that correspond to a single operation.
operationName    Name of the operation; it correlates directly to the Policy effect.
resourceGroupName    Name of the resource group for the evaluated resource.
resourceProviderName    Name of the resource provider for the evaluated resource.
resourceType    For new resources, the type being evaluated. For existing resources, "Microsoft.Resources/checkPolicyCompliance".
resourceId    Resource ID of the evaluated resource.
status    String describing the status of the Policy evaluation result. Most Policy evaluations return "Succeeded", but a Deny effect returns "Failed". Errors in auditIfNotExists or deployIfNotExists also return "Failed".
subStatus    This field is blank for Policy events.
submissionTimestamp    Timestamp when the event became available for querying.
subscriptionId    Azure subscription ID.
properties.isComplianceCheck    Returns "False" when a new resource is deployed or an existing resource's Resource Manager properties are updated. All other evaluation triggers result in "True".
properties.resourceLocation    The Azure region of the resource being evaluated.
properties.ancestors    A comma-separated list of parent management groups, ordered from direct parent to farthest grandparent.
properties.policies    Includes details about the policy definition, assignment, effect, and parameters that this Policy evaluation is a result of.
relatedEvents    This field is blank for Policy events.
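Two details of this schema trip up consumers: properties.policies is a JSON string nested inside the JSON event (so it needs a second decode), and level and status are expected to follow the effect named in operationName. The following Python, added here and not part of the original article, decodes a Policy event into a flat summary and checks the level against the table above; the Audit event is condensed from the page's sample, while the Deny event, its resource, and its assignment names are constructed.

```python
from __future__ import annotations

import json

# Constructed samples, condensed from the page's Policy sample event (the
# subscription ID is a placeholder). properties.policies is a JSON-encoded
# string nested inside the JSON event, exactly as the Activity Log returns it.
AUDIT_EVENT = {
    "category": {"value": "Policy"},
    "level": "Warning",
    "operationName": {"value": "Microsoft.Authorization/policies/audit/action"},
    "resourceId": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup"
                  "/providers/Microsoft.Sql/servers/contososqlpolicy",
    "status": {"value": "Succeeded"},
    "properties": {
        "isComplianceCheck": "True",
        "ancestors": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "policies": json.dumps([{
            "policyDefinitionName": "5775cdd5-d3d3-47bf-bc55-bb8b61746506",
            "policyDefinitionEffect": "Deny",
            "policyAssignmentName": "991a69402a6c484cb0f9b673",
        }]),
    },
}
# Hypothetical resource and assignment names: a Deny effect blocking a new
# deployment, so isComplianceCheck is "False" and the status is "Failed".
DENY_EVENT = {
    "category": {"value": "Policy"},
    "level": "Error",
    "operationName": {"value": "Microsoft.Authorization/policies/deny/action"},
    "resourceId": "/subscriptions/<subscriptionID>/resourceGroups/myResourceGroup"
                  "/providers/Microsoft.Storage/storageAccounts/examplestorage",
    "status": {"value": "Failed"},
    "properties": {
        "isComplianceCheck": "False",
        "policies": json.dumps([{
            "policyDefinitionName": "example-deny-definition",
            "policyDefinitionEffect": "Deny",
            "policyAssignmentName": "example-deny-assignment",
        }]),
    },
}


def effect_from_operation(operation_name: str) -> str:
    """Extract the effect from 'Microsoft.Authorization/policies/<effect>/action'."""
    parts = operation_name.split("/")
    if len(parts) == 4 and parts[:2] == ["Microsoft.Authorization", "policies"]:
        return parts[2].lower()
    raise ValueError(f"not a Policy effect operation: {operation_name}")


def allowed_levels(effect: str, status: str) -> set[str]:
    """Levels the table allows: audit Warning, deny Error, *IfNotExists errors
    Warning or Error, everything else Informational."""
    if effect == "audit":
        return {"Warning"}
    if effect == "deny":
        return {"Error"}
    if effect in ("auditifnotexists", "deployifnotexists") and status == "Failed":
        return {"Warning", "Error"}
    return {"Informational"}


def parse_policy_event(event: dict) -> dict:
    """Flatten a Policy-category event, decoding the nested policies string."""
    if event["category"]["value"] != "Policy":
        raise ValueError("not a Policy category event")
    props = event["properties"]
    effect = effect_from_operation(event["operationName"]["value"])
    status = event["status"]["value"]
    policies = json.loads(props["policies"])  # second decode of the nested JSON string
    return {
        "effect": effect,
        "is_compliance_check": props.get("isComplianceCheck") == "True",
        "resource_id": event["resourceId"],
        # ancestors: comma-separated management groups, direct parent first
        "ancestors": [a for a in props.get("ancestors", "").split(",") if a],
        "assignments": [(p["policyAssignmentName"], p["policyDefinitionEffect"])
                        for p in policies],
        "level": event["level"],
        "status": status,
        "level_consistent": event["level"] in allowed_levels(effect, status),
    }


def denied_resources(events: list) -> list:
    """Resource IDs that a Deny effect blocked (status "Failed"), for review."""
    return [e["resourceId"] for e in events
            if e["category"]["value"] == "Policy"
            and effect_from_operation(e["operationName"]["value"]) == "deny"
            and e["status"]["value"] == "Failed"]
```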

Schema from storage account and event hubs

When streaming the Azure Activity log to a storage account or event hub, the data follows the resource log schema. The table below maps the properties of the schemas above to the resource logs schema.

Resource logs schema property    Activity Log REST API schema property    Notes
time    eventTimestamp
resourceId    resourceId    subscriptionId, resourceType, and resourceGroupName are all inferred from the resourceId.
operationName    operationName.value
category    Part of operation name    Breakout of the operation type: "Write"/"Delete"/"Action"
resultType    status.value
resultSignature    substatus.value
resultDescription    description
durationMs    N/A    Always 0
callerIpAddress    httpRequest.clientIpAddress
correlationId    correlationId
identity    claims and authorization properties
level    level
location    N/A    Location of where the event was processed. This is not the location of the resource, but rather where the event was processed. This property will be removed in a future update.
properties    properties.eventProperties
properties.eventCategory    category    If properties.eventCategory is not present, category is "Administrative"
properties.eventName    eventName
properties.operationId    operationId
properties.eventProperties    properties

The following is an example of an event using this schema.

{
    "records": [
        {
            "time": "2019-01-21T22:14:26.9792776Z",
            "resourceId": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841",
            "operationName": "microsoft.support/supporttickets/write",
            "category": "Write",
            "resultType": "Success",
            "resultSignature": "Succeeded.Created",
            "durationMs": 2826,
            "callerIpAddress": "111.111.111.11",
            "correlationId": "c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8",
            "identity": {
                "authorization": {
                    "scope": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841",
                    "action": "microsoft.support/supporttickets/write",
                    "evidence": {
                        "role": "Subscription Admin"
                    }
                },
                "claims": {
                    "aud": "https://management.core.chinacloudapi.cn/",
                    "iss": "https://sts.chinacloudapi.cn/72f988bf-86f1-41af-91ab-2d7cd011db47/",
                    "iat": "1421876371",
                    "nbf": "1421876371",
                    "exp": "1421880271",
                    "ver": "1.0",
                    "http://schemas.microsoft.com/identity/claims/tenantid": "00000000-0000-0000-0000-000000000000",
                    "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
                    "http://schemas.microsoft.com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "admin@contoso.com",
                    "puid": "20030000801A118C",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Smith",
                    "name": "John Smith",
                    "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": " admin@contoso.com",
                    "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c",
                    "appidacr": "2",
                    "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
                    "http://schemas.microsoft.com/claims/authnclassreference": "1"
                }
            },
            "level": "Information",
            "location": "global",
            "properties": {
                "statusCode": "Created",
                "serviceRequestId": "50d5cddb-8ca0-47ad-9b80-6cde2207f97c"
            }
        }
    ]
}
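The mapping table and the streamed record above can be exercised in code. The following Python, added here and not part of the original article, converts a REST API schema event (a condensed, constructed copy of the Security sample event earlier on this page) into a storage/event hub schema record, recovers the Activity Log category from a streamed record using the rule that a missing properties.eventCategory means "Administrative", and picks out the high-severity Security records a SOC would route for triage.

```python
from __future__ import annotations

# Constructed sample, condensed from the page's Security sample event (the
# subscription ID is a placeholder).
SECURITY_EVENT = {
    "correlationId": "965d6c6a-a790-4a7e-8e9a-41771b3fbc38",
    "description": "Suspicious double extension file executed.",
    "eventName": {"value": "Suspicious double extension file executed"},
    "category": {"value": "Security"},
    "eventTimestamp": "2017-10-18T06:02:18.6179339Z",
    "level": "Informational",
    "operationId": "965d6c6a-a790-4a7e-8e9a-41771b3fbc38",
    "operationName": {"value": "Microsoft.Security/locations/alerts/activate/action"},
    "resourceId": "/subscriptions/<subscription ID>/providers/Microsoft.Security"
                  "/locations/chinaeast/alerts/2518939942613820660_a48f8653-3fc6-4166-9f19-914f030a13d3",
    "status": {"value": "Active"},
    "subStatus": {"value": None},
    "properties": {"processName": "c:\\mydirectory\\doubleetension.pdf.exe",
                   "ActionTaken": "Detected", "Severity": "High"},
}

OPERATION_TYPES = {"write": "Write", "delete": "Delete", "action": "Action"}


def operation_type(operation_name: str) -> str:
    """Break the operation type out of the last segment of the operation name."""
    last = operation_name.rsplit("/", 1)[-1].lower()
    if last not in OPERATION_TYPES:
        raise ValueError(f"operation name does not end in write/delete/action: {operation_name}")
    return OPERATION_TYPES[last]


def _value(event: dict, key: str):
    """REST API fields such as status are {"value": ..., "localizedValue": ...}; unwrap them."""
    v = event.get(key)
    return v.get("value") if isinstance(v, dict) else v


def to_resource_log_record(event: dict) -> dict:
    """Map a REST API schema event onto the storage/event hub (resource logs) schema."""
    return {
        "time": event["eventTimestamp"],
        "resourceId": event["resourceId"],
        "operationName": _value(event, "operationName"),
        "category": operation_type(_value(event, "operationName")),
        "resultType": _value(event, "status"),
        "resultSignature": _value(event, "subStatus"),
        "resultDescription": event.get("description"),
        "durationMs": 0,  # always 0 for Activity Log records
        "callerIpAddress": event.get("httpRequest", {}).get("clientIpAddress"),
        "correlationId": event.get("correlationId"),
        "identity": {k: event[k] for k in ("authorization", "claims") if k in event},
        "level": event.get("level"),
        "location": None,  # no REST API counterpart; set by the pipeline, not derivable here
        "properties": {
            "eventCategory": _value(event, "category"),
            "eventName": _value(event, "eventName"),
            "operationId": event.get("operationId"),
            "eventProperties": event.get("properties", {}),
        },
    }


def activity_category(record: dict) -> str:
    """Recover the Activity Log category from a streamed record; a missing
    properties.eventCategory means Administrative."""
    return record.get("properties", {}).get("eventCategory") or "Administrative"


def high_severity_alerts(records: list) -> list:
    """Streamed Security-category records whose Security Center severity is High."""
    return [r for r in records
            if activity_category(r) == "Security"
            and r["properties"].get("eventProperties", {}).get("Severity") == "High"]
```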

Next steps