View and retrieve Azure Activity log events

The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This article provides details on different methods for viewing and retrieving Activity Log events.

Azure portal

View the Activity Log for all resources from the Monitor menu in the Azure portal. View the Activity Log for a particular resource from the Activity Log option in that resource's menu.

View the Activity Log

You can filter Activity Log events by the following fields:

  • Timespan: The start and end time for events.
  • Category: The event category as described in Categories in the Activity Log.
  • Subscription: One or more Azure subscription names.
  • Resource group: One or more resource groups within the selected subscriptions.
  • Resource (name): The name of a specific resource.
  • Resource type: The type of resource, for example Microsoft.Compute/virtualmachines.
  • Operation name: The name of an Azure Resource Manager operation, for example Microsoft.SQL/servers/Write.
  • Severity: The severity level of the event. Available values are Informational, Warning, Error, Critical.
  • Event initiated by: The user who performed the operation.
  • Open search: Open text search box that searches for that string across all fields in all events.

Categories in the Activity log

Each event in the Activity Log has a particular category, described in the following table. For full details on the schemata of these categories, see Azure Activity Log event schema.

Category: Description

Administrative
Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.

Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and the success or failure of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.

Service Health
Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in China North is experiencing downtime."

Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.

Resource Health
Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable."

Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as being Platform Initiated or User Initiated.

Alert
Contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes."

Autoscale
Contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed."

Recommendation
Contains recommendation events from Azure Advisor.

Security
Contains the record of any alerts generated by Azure Security Center. An example of a Security event is "Suspicious double extension file executed."

Policy
Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.

PowerShell

Use the Get-AzLog cmdlet to retrieve the Activity Log from PowerShell. Following are some common examples.

Note

Get-AzLog only provides 15 days of history. Use the -MaxRecord parameter to query the last N events beyond 15 days. To access events older than 15 days, use the REST API or SDK. If you do not include StartTime, then the default value is EndTime minus one hour. If you do not include EndTime, then the default value is the current time. All times are in UTC.

Get log entries created after a particular date time:

Get-AzLog -StartTime 2016-03-01T10:30

Get log entries between a date time range:

Get-AzLog -StartTime 2015-01-01T10:30 -EndTime 2015-01-01T11:30

Get log entries from a specific resource group:

Get-AzLog -ResourceGroup 'myrg1'

Get log entries from a specific resource provider between a date time range:

Get-AzLog -ResourceProvider 'Microsoft.Web' -StartTime 2015-01-01T10:30 -EndTime 2015-01-01T11:30

Get log entries with a specific caller:

Get-AzLog -Caller 'myname@company.com'

Get the last 1000 events:

Get-AzLog -MaxRecord 1000

CLI

Use az monitor activity-log to retrieve the Activity Log from the CLI. Following are some common examples.

View all available options:

az monitor activity-log list -h

Get log entries from a specific resource group:

az monitor activity-log list --resource-group <group name>

Get log entries with a specific caller:

az monitor activity-log list --caller myname@company.com

Get logs by caller on a resource type, within a date range:

az monitor activity-log list --resource-provider Microsoft.Web \
    --caller myname@company.com \
    --start-time 2016-03-08T00:00:00Z \
    --end-time 2016-03-16T00:00:00Z

REST API

Use the Azure Monitor REST API to retrieve the Activity Log from a REST client. Following are some common examples.

Get Activity Logs with filter:

GET https://management.chinacloudapi.cn/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2018-01-21T20:00:00Z' and eventTimestamp le '2018-01-23T20:00:00Z' and resourceGroupName eq 'MSSupportGroup'

Get Activity Logs with filter and select:

GET https://management.chinacloudapi.cn/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2015-01-21T20:00:00Z' and eventTimestamp le '2015-01-23T20:00:00Z' and resourceGroupName eq 'MSSupportGroup'&$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level

Get Activity Logs with select:

GET https://management.chinacloudapi.cn/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level

Get Activity Logs without filter or select:

GET https://management.chinacloudapi.cn/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01
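Added example, not part of this article or of any Azure SDK: it builds the same $filter request shown above and then folds the Administrative records a client receives into one outcome per operation, using the Started / Succeeded / Failed pairing and the correlationId field described in the Categories table. The watch-list of operation names, the sample records and the contoso.example callers are constructed for illustration.

```python
from urllib.parse import quote

# Azure China Resource Manager endpoint, as used in the REST examples above.
ENDPOINT = "https://management.chinacloudapi.cn"
# Hypothetical watch-list (case-insensitive): RBAC changes and NSG deletions,
# the Administrative events the Categories table calls out.
SENSITIVE_OPS = {"microsoft.authorization/roleassignments/write",
                 "microsoft.authorization/roleassignments/delete",
                 "microsoft.network/networksecuritygroups/delete"}

def build_activity_log_url(subscription_id, start, end, resource_group=None):
    # Same OData $filter as the REST examples above; timestamps are UTC.
    flt = f"eventTimestamp ge '{start}' and eventTimestamp le '{end}'"
    if resource_group:
        flt += f" and resourceGroupName eq '{resource_group}'"
    return (f"{ENDPOINT}/subscriptions/{subscription_id}/providers/microsoft.insights"
            f"/eventtypes/management/values?api-version=2015-04-01&$filter={quote(flt)}")

def _val(field):  # some fields arrive as {"value": ..., "localizedValue": ...}
    return field["value"] if isinstance(field, dict) else field

def correlate_operations(events):
    # Started and Succeeded/Failed records of one Administrative operation share a correlationId.
    ops = {}
    for ev in events:
        rec = ops.setdefault(ev["correlationId"], {
            "operation": _val(ev["operationName"]),
            "caller": ev.get("caller"), "outcome": "InProgress"})
        if _val(ev["status"]) in ("Succeeded", "Failed"):
            rec["outcome"] = _val(ev["status"])
    return ops

def flag_sensitive(events):
    # Report every watch-listed operation, failed and in-progress attempts included.
    return [{"correlationId": cid, **rec}
            for cid, rec in correlate_operations(events).items()
            if rec["operation"].lower() in SENSITIVE_OPS]

def _ev(cid, op, status, caller):  # one constructed sample record
    return {"correlationId": cid, "caller": caller,
            "operationName": {"value": op}, "status": {"value": status}}

# Constructed sample records (not real data) in the shape $select returns.
SAMPLE_EVENTS = [
    _ev("c1", "Microsoft.Authorization/roleAssignments/write", "Started", "alice@contoso.example"),
    _ev("c1", "Microsoft.Authorization/roleAssignments/write", "Succeeded", "alice@contoso.example"),
    _ev("c2", "Microsoft.Network/networkSecurityGroups/delete", "Started", "bob@contoso.example"),
    _ev("c2", "Microsoft.Network/networkSecurityGroups/delete", "Failed", "bob@contoso.example"),
    _ev("c3", "Microsoft.Compute/virtualMachines/write", "Started", "bob@contoso.example"),
]
```

Run flag_sensitive(SAMPLE_EVENTS) to see the role-assignment write and the failed NSG deletion reported with their callers and outcomes, while the in-progress VM write is left alone.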

Next steps