View and retrieve Azure Activity log events

The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This article describes the different methods for viewing and retrieving Activity Log events.

Azure portal

View the Activity Log for all resources from the Monitor menu in the Azure portal. View the Activity Log for a particular resource from the Activity Log option in that resource's menu.

(Screenshot: View Activity Log)

You can filter Activity Log events by the following fields:

  • Timespan: The start and end time for events.
  • Category: The event category as described in Categories in the Activity Log.
  • Subscription: One or more Azure subscription names.
  • Resource group: One or more resource groups within the selected subscriptions.
  • Resource (name): The name of a specific resource.
  • Resource type: The type of resource, for example Microsoft.Compute/virtualmachines.
  • Operation name: The name of an Azure Resource Manager operation, for example Microsoft.SQL/servers/Write.
  • Severity: The severity level of the event. Available values are Informational, Warning, Error, and Critical.
  • Event initiated by: The user who performed the operation.
  • Open search: An open text search box that searches for the given string across all fields of all events.

Categories in the Activity log

Each event in the Activity Log has a particular category, described in the following table. For full details on the schema of these categories, see Azure Activity Log event schema.

Category and description:

  • Administrative: Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.
    Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, records of both the start and the success or failure of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.
  • Service Health: Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is SQL Azure in East US is experiencing downtime.
    Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.
  • Resource Health: Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is Virtual Machine health status changed to unavailable.
    Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as Platform Initiated or User Initiated.
  • Alert: Contains the record of activations for Azure alerts. An example of an Alert event is CPU % on myVM has been over 80 for the past 5 minutes.
  • Autoscale: Contains the record of any events related to the operation of the autoscale engine, based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is Autoscale scale up action failed.
  • Recommendation: Contains recommendation events from Azure Advisor.
  • Security: Contains the record of any alerts generated by Azure Security Center. An example of a Security event is Suspicious double extension file executed.
  • Policy: Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.

View change history

When reviewing the Activity Log, it can help to see what changes happened around the time of an event. You can view this information with Change history. Select an event from the Activity Log that you want to look into more deeply, then select the Change history (Preview) tab to view any changes associated with that event.

(Screenshot: Change history list for an event)

If there are any changes associated with the event, you'll see a list of changes that you can select. Selecting one opens the Change history (Preview) page, where you can see the changes made to the resource. As the following example shows, you can see not only that the VM changed size, but also what the VM size was before the change and what it was changed to.

(Screenshot: Change history page showing the differences)

PowerShell

Use the Get-AzLog cmdlet to retrieve the Activity Log from PowerShell. Following are some common examples.

Note

Get-AzLog only provides 15 days of history. Use the -MaxEvents parameter to query the last N events beyond 15 days. To access events older than 15 days, use the REST API or SDK. If you do not include StartTime, the default value is EndTime minus one hour. If you do not include EndTime, the default value is the current time. All times are in UTC.

Get log entries created after a particular date and time:

Get-AzLog -StartTime 2016-03-01T10:30

Get log entries within a date and time range:

Get-AzLog -StartTime 2015-01-01T10:30 -EndTime 2015-01-01T11:30

Get log entries from a specific resource group:

Get-AzLog -ResourceGroup 'myrg1'

Get log entries from a specific resource provider within a date and time range:

Get-AzLog -ResourceProvider 'Microsoft.Web' -StartTime 2015-01-01T10:30 -EndTime 2015-01-01T11:30

Get log entries with a specific caller:

Get-AzLog -Caller 'myname@company.com'

Get the last 1000 events:

Get-AzLog -MaxEvents 1000

CLI

Use az monitor activity-log to retrieve the Activity Log from the CLI. Following are some common examples.

View all available options:

az monitor activity-log list -h

Get log entries from a specific resource group:

az monitor activity-log list --resource-group <group name>

Get log entries with a specific caller:

az monitor activity-log list --caller myname@company.com

Get logs by caller for a resource provider, within a date range:

az monitor activity-log list --resource-provider Microsoft.Web \
    --caller myname@company.com \
    --start-time 2016-03-08T00:00:00Z \
    --end-time 2016-03-16T00:00:00Z

REST API

Use the Azure Monitor REST API to retrieve the Activity Log from a REST client. Following are some common examples.

Get Activity Logs with a filter:

GET https://management.chinacloudapi.cn/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2018-01-21T20:00:00Z' and eventTimestamp le '2018-01-23T20:00:00Z' and resourceGroupName eq 'MSSupportGroup'

Get Activity Logs with a filter and select:

GET https://management.chinacloudapi.cn/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2015-01-21T20:00:00Z' and eventTimestamp le '2015-01-23T20:00:00Z' and resourceGroupName eq 'MSSupportGroup'&$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level

Get Activity Logs with select:

GET https://management.chinacloudapi.cn/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$select=eventName,id,resourceGroupName,resourceProviderName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level

Get Activity Logs without a filter or select:

GET https://management.chinacloudapi.cn/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01
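The REST queries above and the Administrative category's paired start/outcome records, worked through in Python as an added example that is not part of the original page. The endpoint, api-version and $filter/$select syntax come from the page; the placeholder subscription id, the sample records and the use of correlationId to pair a Started record with its Succeeded/Failed record are assumptions.

```python
# Added example (not from the page): build the Activity Log REST URL with the page's
# $filter/$select syntax, then pair each Administrative operation's start and outcome.
from datetime import datetime, timezone
from urllib.parse import quote

ENDPOINT = "https://management.chinacloudapi.cn"  # endpoint used in the page's REST examples
API_VERSION = "2015-04-01"

def build_activity_log_url(subscription_id, start, end, resource_group=None, select=None):
    """Compose the GET URL; eventTimestamp bounds are UTC, as the page notes all times are."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    flt = f"eventTimestamp ge '{start.strftime(fmt)}' and eventTimestamp le '{end.strftime(fmt)}'"
    if resource_group:
        flt += f" and resourceGroupName eq '{resource_group}'"
    url = (f"{ENDPOINT}/subscriptions/{subscription_id}/providers/microsoft.insights"
           f"/eventtypes/management/values?api-version={API_VERSION}&$filter={quote(flt)}")
    if select:
        url += "&$select=" + ",".join(select)
    return url

def administrative_outcomes(events):
    """Map correlationId -> (caller, operationName, final status) for Administrative
    Write/Delete/Action records; the latest record per correlationId wins (assumption)."""
    out = {}
    for ev in sorted(events, key=lambda e: e["eventTimestamp"]):
        op = ev.get("operationName", {}).get("value", "")
        if ev.get("category", {}).get("value") != "Administrative":
            continue
        if not op.lower().endswith(("/write", "/delete", "/action")):
            continue
        out[ev["correlationId"]] = (ev.get("caller", "?"), op, ev["status"]["value"])
    return out

def failed_operations(events):
    """(caller, operationName) pairs whose final status is Failed, for triage."""
    return [(c, op) for c, op, st in administrative_outcomes(events).values() if st == "Failed"]

SAMPLE_EVENTS = [  # constructed sample records shaped like the response's "value" array
    {"category": {"value": "Administrative"}, "level": "Informational", "correlationId": "c1",
     "operationName": {"value": "Microsoft.SQL/servers/Write"}, "status": {"value": "Started"},
     "caller": "myname@company.com", "eventTimestamp": "2018-01-22T10:00:00Z"},
    {"category": {"value": "Administrative"}, "level": "Error", "correlationId": "c1",
     "operationName": {"value": "Microsoft.SQL/servers/Write"}, "status": {"value": "Failed"},
     "caller": "myname@company.com", "eventTimestamp": "2018-01-22T10:00:05Z"},
    {"category": {"value": "Administrative"}, "correlationId": "c2", "caller": "ops@company.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Succeeded"}, "eventTimestamp": "2018-01-22T10:02:00Z"},
]

EXAMPLE_URL = build_activity_log_url(  # the page's filter+select query, placeholder subscription id
    "<subscription-id>", datetime(2018, 1, 21, 20, tzinfo=timezone.utc),
    datetime(2018, 1, 23, 20, tzinfo=timezone.utc), "MSSupportGroup",
    ["eventName", "operationName", "status", "eventTimestamp"])
```

The filter string is percent-encoded by urllib before it is placed in the URL, which is what a REST client sends on the wire for the page's unencoded examples.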

Activity Logs Analytics monitoring solution

The Azure Log Analytics monitoring solution includes multiple log queries and views for analyzing the Activity Log records in your Log Analytics workspace.

Prerequisites

You must create a diagnostic setting to send the Activity log for your subscription to a Log Analytics workspace. See Collect Azure platform logs in a Log Analytics workspace in Azure Monitor.

Install the solution

Use the procedure in Install a monitoring solution to install the Activity Log Analytics solution. No additional configuration is required.

Use the solution

Click Logs at the top of the Activity Log page to open the Activity Log Analytics monitoring solution for the subscription. Alternatively, access all the monitoring solutions in your subscription from the Monitor menu in the Azure portal. Select More in the Insights section to open the Overview page with the solution tiles. The Azure Activity Logs tile displays a count of the AzureActivity records in your workspace.

(Screenshot: Azure Activity Logs tile)

Click the Azure Activity Logs tile to open the Azure Activity Logs view. The view includes the visualization parts in the following table. Each part lists up to 10 items matching that part's criteria for the specified time range. You can run a log query that returns all matching records by clicking See all at the bottom of the part.

(Screenshot: Azure Activity Logs dashboard)

Visualization part and description:

  • Azure Activity Log Entries: Shows a bar chart of the top Azure Activity Log entry record totals for the date range that you have selected and a list of the top 10 activity callers. Click the bar chart to run a log search for AzureActivity. Click a caller item to run a log search returning all Activity Log entries for that item.
  • Activity Logs by Status: Shows a doughnut chart of Azure Activity Log status for the selected date range and a list of the top ten status records. Click the chart to run the log query AzureActivity | summarize AggregatedValue = count() by ActivityStatus. Click a status item to run a log search returning all Activity Log entries for that status record.
  • Activity Logs by Resource: Shows the total number of resources with Activity Logs and lists the top ten resources with record counts for each. Click the total area to run the log search AzureActivity | summarize AggregatedValue = count() by Resource, which shows all Azure resources available to the solution. Click a resource to run a log query returning all activity records for that resource.
  • Activity Logs by Resource Provider: Shows the total number of resource providers that produce Activity Logs and lists the top ten. Click the total area to run the log query AzureActivity | summarize AggregatedValue = count() by ResourceProvider, which shows all Azure resource providers. Click a resource provider to run a log query returning all activity records for that provider.

Next steps