Webhook actions for log alert rules

When a log alert is created in Azure, you have the option of configuring it by using action groups to perform one or more actions. This article describes the different webhook actions that are available and shows how to configure a custom JSON-based webhook.

Note

You also can use the common alert schema for your webhook integrations. The common alert schema provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor. Please note that the common alert schema does not honour the custom JSON option for log alerts: if the common alert schema is selected, the payload follows the common alert schema irrespective of any customization you might have done at the alert rule level. Learn about the common alert schema definitions.

Webhook actions

With webhook actions, you can invoke an external process through a single HTTP POST request. The service that's called should support webhooks and determine how to use any payload it receives.

Webhook actions require the properties in the following table.

Property              Description
Webhook URL           The URL of the webhook.
Custom JSON payload   The custom payload to send with the webhook when this option is chosen during alert creation. For more information, see Manage log alerts.

Note

The View Webhook button alongside the Include custom JSON payload for webhook option for the log alert displays the sample webhook payload for the customization that was provided. It doesn't contain actual data but is representative of the JSON schema that's used for log alerts.

Webhooks include a URL and a payload formatted in JSON, which is the data sent to the external service. By default, the payload includes the values in the following table. You can choose to replace this payload with a custom one of your own. In that case, use the variables in the table for each of the parameters to include their values in your custom payload.

Parameter                        Variable                          Description
AlertRuleName                    #alertrulename                    Name of the alert rule.
Severity                         #severity                         Severity set for the fired log alert.
AlertThresholdOperator           #thresholdoperator                Threshold operator for the alert rule, which uses greater than or less than.
AlertThresholdValue              #thresholdvalue                   Threshold value for the alert rule.
LinkToSearchResults              #linktosearchresults              Link to the Analytics portal that returns the records from the query that created the alert.
LinkToSearchResultsAPI           #linktosearchresultsapi           Link to the Analytics API that returns the records from the query that created the alert.
LinkToFilteredSearchResultsUI    #linktofilteredsearchresultsui    Link to the Analytics portal that returns the records from the query, filtered by the dimension value combinations that created the alert.
LinkToFilteredSearchResultsAPI   #linktofilteredsearchresultsapi   Link to the Analytics API that returns the records from the query, filtered by the dimension value combinations that created the alert.
ResultCount                      #searchresultcount                Number of records in the search results.
Search Interval End time         #searchintervalendtimeutc         End time for the query in UTC, with the format mm/dd/yyyy HH:mm:ss AM/PM.
Search Interval                  #searchinterval                   Time window for the alert rule, with the format HH:mm:ss.
Search Interval StartTime        #searchintervalstarttimeutc       Start time for the query in UTC, with the format mm/dd/yyyy HH:mm:ss AM/PM.
SearchQuery                      #searchquery                      Log search query used by the alert rule.
SearchResults                    "IncludeSearchResults": true      Records returned by the query as a JSON table, limited to the first 1,000 records. "IncludeSearchResults": true is added in a custom JSON webhook definition as a top-level property.
Dimensions                       "IncludeDimensions": true         Dimension value combinations that triggered the alert, as a JSON section. "IncludeDimensions": true is added in a custom JSON webhook definition as a top-level property.
Alert Type                       #alerttype                        The type of log alert rule, configured as Metric measurement or Number of results.
WorkspaceID                      #workspaceid                      ID of your Log Analytics workspace.
Application ID                   #applicationid                    ID of your Application Insights app.
Subscription ID                  #subscriptionid                   ID of the Azure subscription used.

Note

The provided links pass parameters like SearchQuery, Search Interval StartTime, and Search Interval End time in the URL to the Azure portal or API.

For example, you might specify the following custom payload, which includes a single parameter called text. The service that this webhook calls expects this parameter.

    {
        "text":"#alertrulename fired with #searchresultcount over threshold of #thresholdvalue."
    }

This example payload resolves to something like the following when it's sent to the webhook:

    {
        "text":"My Alert Rule fired with 18 records over threshold of 10 ."
    }

Because all variables in a custom webhook must be specified inside a JSON string enclosure (quotation marks), like "#searchinterval", the resulting webhook payload also carries the variable's value inside an enclosure, like "00:05:00".

To include search results in a custom payload, ensure that IncludeSearchResults is set as a top-level property in the JSON payload.
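The substitution described above can be simulated offline to test a receiving service before wiring it to a real action group. The following Python is an added example, not code from the Azure documentation or from Azure Monitor itself: the alert context values and the search-results table are constructed, and the way values are JSON-escaped before insertion is an assumption about the behaviour a receiver should be prepared for, since every token sits inside a JSON string enclosure. It also handles the prefix collision between #searchinterval and #searchintervalendtimeutc by matching the longest variable name first, and attaches the table when IncludeSearchResults is a top-level true.

```python
import json
import re

# Constructed alert context: the values that would be resolved for one fired
# alert. These are not real alert data; the names mirror the variable table.
ALERT_CONTEXT = {
    "alertrulename": "My Alert Rule",
    "severity": "Warning",
    "thresholdoperator": "Greater Than",
    "thresholdvalue": 10,
    "searchresultcount": 18,
    "searchinterval": "00:05:00",
    "searchintervalstarttimeutc": "03/26/2018 08:10:40 AM",
    "searchintervalendtimeutc": "03/26/2018 09:10:40 AM",
    "searchquery": 'Perf | where ObjectName == "Processor"',
}

# Constructed stand-in for the query result that IncludeSearchResults attaches.
SEARCH_RESULTS = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "Computer", "type": "string"}],
        "rows": [["Fabrikam"], ["Contoso"]],
    }]
}

# Constructed custom payload template using the documented #variables.
CUSTOM_TEMPLATE = """{
    "text": "#alertrulename fired with #searchresultcount records over threshold of #thresholdvalue.",
    "query": "#searchquery",
    "window": "#searchintervalstarttimeutc to #searchintervalendtimeutc (#searchinterval)",
    "IncludeSearchResults": true
}"""


def render_custom_payload(template_text, context, search_results=None):
    """Substitute #variables inside the JSON template text and parse the result.

    Offline simulation (assumption, not Azure's code): values are JSON-escaped
    before insertion because each token sits inside a JSON string enclosure;
    a raw quote in SearchQuery would otherwise break the document.
    Unknown tokens are left untouched.
    """
    # Longest name first so "#searchinterval" cannot swallow the start of
    # "#searchintervalendtimeutc"; \b keeps "#searchintervalfoo" literal.
    names = sorted(context, key=len, reverse=True)
    token_re = re.compile("#(" + "|".join(map(re.escape, names)) + r")\b")

    def repl(match):
        # json.dumps yields a quoted, escaped string; drop the outer quotes
        return json.dumps(str(context[match.group(1)]))[1:-1]

    payload = json.loads(token_re.sub(repl, template_text))
    if payload.get("IncludeSearchResults") is True and search_results is not None:
        payload["SearchResults"] = search_results
    return payload


def demo():
    """Render the constructed template with the constructed context."""
    return render_custom_payload(CUSTOM_TEMPLATE, ALERT_CONTEXT, SEARCH_RESULTS)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the resolved payload; a receiver can then be exercised with that output rather than waiting for a live alert to fire.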

Sample payloads

This section shows sample payloads for webhooks for log alerts. The sample payloads include examples of both the standard payload and a custom payload.

Standard webhook for log alerts

Both of these examples have a dummy payload with only two columns and two rows.

Log alert for Log Analytics

The following sample payload is for a standard webhook action without a custom JSON option that's used for alerts based on Log Analytics:

{
    "SubscriptionId": "12345a-1234b-123c-123d-12345678e",
    "AlertRuleName": "AcmeRule",
    "SearchQuery": "Perf | where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 5m), Computer",
    "SearchIntervalStartTimeUtc": "2018-03-26T08:10:40Z",
    "SearchIntervalEndtimeUtc": "2018-03-26T09:10:40Z",
    "AlertThresholdOperator": "Greater Than",
    "AlertThresholdValue": 0,
    "ResultCount": 2,
    "SearchIntervalInSeconds": 3600,
    "LinkToSearchResults": "https://portal.azure.cn/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
    "LinkToFilteredSearchResultsUI": "https://portal.azure.cn/#Analyticsblade/search/index?_timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
    "LinkToSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat&timespan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",
    "LinkToFilteredSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat&timespan=2020-05-07T18%3a11%3a51.0000000Z%2f2020-05-07T18%3a16%3a51.0000000Z",
    "Description": "log alert rule",
    "Severity": "Warning",
    "AffectedConfigurationItems": [
        "INC-Gen2Alert"
    ],
    "Dimensions": [
        {
            "name": "Computer",
            "value": "INC-Gen2Alert"
        }
    ],
    "SearchResult": {
        "tables": [
            {
                "name": "PrimaryResult",
                "columns": [
                    {
                        "name": "$table",
                        "type": "string"
                    },
                    {
                        "name": "Computer",
                        "type": "string"
                    },
                    {
                        "name": "TimeGenerated",
                        "type": "datetime"
                    }
                ],
                "rows": [
                    [
                        "Fabrikam",
                        "33446677a",
                        "2018-02-02T15:03:12.18Z"
                    ],
                    [
                        "Contoso",
                        "33445566b",
                        "2018-02-02T15:16:53.932Z"
                    ]
                ]
            }
        ]
    },
    "WorkspaceId": "12345a-1234b-123c-123d-12345678e",
    "AlertType": "Metric measurement"
}

Log alert for Application Insights

The following sample payload is for a standard webhook without a custom JSON option when it's used for log alerts based on Application Insights:

{
    "schemaId": "Microsoft.Insights/LogAlert",
    "data": {
        "SubscriptionId": "12345a-1234b-123c-123d-12345678e",
        "AlertRuleName": "AcmeRule",
        "SearchQuery": "requests | where resultCode == \"500\" | summarize AggregatedValue = Count by bin(Timestamp, 5m), IP",
        "SearchIntervalStartTimeUtc": "2018-03-26T08:10:40Z",
        "SearchIntervalEndtimeUtc": "2018-03-26T09:10:40Z",
        "AlertThresholdOperator": "Greater Than",
        "AlertThresholdValue": 0,
        "ResultCount": 2,
        "SearchIntervalInSeconds": 3600,
        "LinkToSearchResults": "https://portal.azure.cn/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
        "LinkToFilteredSearchResultsUI": "https://portal.azure.cn/AnalyticsBlade/subscriptions/12345a-1234b-123c-123d-12345678e/?query=search+*+&timeInterval.intervalEnd=2018-03-26T09%3a10%3a40.0000000Z&_timeInterval.intervalDuration=3600&q=Usage",
        "LinkToSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",
        "LinkToFilteredSearchResultsAPI": "https://api.applicationinsights.io/v1/apps/0MyAppId0/metrics/requests/count",
        "Description": null,
        "Severity": "3",
        "Dimensions": [
            {
                "name": "IP",
                "value": "1.1.1.1"
            }
        ],
        "SearchResult": {
            "tables": [
                {
                    "name": "PrimaryResult",
                    "columns": [
                        {
                            "name": "$table",
                            "type": "string"
                        },
                        {
                            "name": "Id",
                            "type": "string"
                        },
                        {
                            "name": "Timestamp",
                            "type": "datetime"
                        }
                    ],
                    "rows": [
                        [
                            "Fabrikam",
                            "33446677a",
                            "2018-02-02T15:03:12.18Z"
                        ],
                        [
                            "Contoso",
                            "33445566b",
                            "2018-02-02T15:16:53.932Z"
                        ]
                    ]
                }
            ]
        },
        "ApplicationId": "123123f0-01d3-12ab-123f-abc1ab01c0a1",
        "AlertType": "Metric measurement"
    }
}
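The two standard payloads above differ in shape (the Log Analytics one is flat, the Application Insights one is wrapped in schemaId/data) and both carry portal and API links that a receiver should not follow blindly. The following Python is an added example of a receiving side, not code from the Azure documentation: it normalizes both shapes, flattens the columns/rows table encoding into one record per row, and flags any link whose host is not one of the hosts seen in the samples (portal.azure.cn, api.loganalytics.io, api.applicationinsights.io). The two sample payloads embedded here are constructed, trimmed-down versions of the ones above; the off-allowlist link in the second is constructed to show what the check flags.

```python
import json
from urllib.parse import urlparse

# Hosts the portal/API links in a genuine payload are expected to point at,
# taken from the sample payloads. A receiver refuses to follow links elsewhere
# rather than trusting whatever URL arrived in the POST body.
ALLOWED_LINK_HOSTS = {"portal.azure.cn", "api.loganalytics.io",
                      "api.applicationinsights.io"}

LINK_FIELDS = ("LinkToSearchResults", "LinkToFilteredSearchResultsUI",
               "LinkToSearchResultsAPI", "LinkToFilteredSearchResultsAPI")

# Constructed, trimmed payload modelled on the Log Analytics sample.
LOG_ANALYTICS_SAMPLE = json.dumps({
    "SubscriptionId": "12345a-1234b-123c-123d-12345678e",
    "AlertRuleName": "AcmeRule",
    "SearchQuery": "Perf | where ObjectName == \"Processor\"",
    "AlertThresholdOperator": "Greater Than",
    "AlertThresholdValue": 0,
    "ResultCount": 2,
    "LinkToSearchResults": "https://portal.azure.cn/#Analyticsblade/search/index?q=Usage",
    "LinkToSearchResultsAPI": "https://api.loganalytics.io/v1/workspaces/workspaceID/query?query=Heartbeat",
    "Severity": "Warning",
    "Dimensions": [{"name": "Computer", "value": "INC-Gen2Alert"}],
    "SearchResult": {"tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "Computer", "type": "string"},
                    {"name": "TimeGenerated", "type": "datetime"}],
        "rows": [["Fabrikam", "2018-02-02T15:03:12.18Z"],
                 ["Contoso", "2018-02-02T15:16:53.932Z"]],
    }]},
    "WorkspaceId": "12345a-1234b-123c-123d-12345678e",
    "AlertType": "Metric measurement",
})

# Constructed, trimmed payload modelled on the Application Insights sample,
# with a deliberately off-allowlist link (example.invalid) to exercise check_links.
APP_INSIGHTS_SAMPLE = json.dumps({
    "schemaId": "Microsoft.Insights/LogAlert",
    "data": {
        "AlertRuleName": "AcmeRule",
        "AlertThresholdOperator": "Greater Than",
        "AlertThresholdValue": 0,
        "ResultCount": 1,
        "LinkToSearchResultsAPI": "https://example.invalid/v1/apps/0MyAppId0/metrics/requests/count",
        "Severity": "3",
        "Dimensions": [{"name": "IP", "value": "1.1.1.1"}],
        "SearchResult": {"tables": [{
            "name": "PrimaryResult",
            "columns": [{"name": "Id", "type": "string"}],
            "rows": [["33446677a"]],
        }]},
        "ApplicationId": "123123f0-01d3-12ab-123f-abc1ab01c0a1",
    },
})


def unwrap(payload):
    """Return the alert fields whether the payload is flat (Log Analytics)
    or wrapped in {"schemaId": ..., "data": {...}} (Application Insights)."""
    if payload.get("schemaId") == "Microsoft.Insights/LogAlert":
        return payload["data"]
    return payload


def rows_as_dicts(search_result):
    """Flatten the columns/rows table encoding into one dict per row."""
    records = []
    for table in search_result.get("tables", []):
        names = [column["name"] for column in table["columns"]]
        for row in table["rows"]:
            records.append(dict(zip(names, row)))
    return records


def check_links(data):
    """Return the names of link fields whose host is not on the allowlist."""
    return [field for field in LINK_FIELDS
            if data.get(field)
            and urlparse(data[field]).hostname not in ALLOWED_LINK_HOSTS]


def parse_log_alert(raw):
    """Parse a standard log-alert webhook body into a normalized summary."""
    data = unwrap(json.loads(raw))
    return {
        "rule": data["AlertRuleName"],
        "severity": str(data.get("Severity")),
        "result_count": data["ResultCount"],
        "threshold": f'{data["AlertThresholdOperator"]} {data["AlertThresholdValue"]}',
        "dimensions": {d["name"]: d["value"] for d in data.get("Dimensions", [])},
        "records": rows_as_dicts(data.get("SearchResult", {})),
        "untrusted_links": check_links(data),
        "scope": data.get("WorkspaceId") or data.get("ApplicationId"),
    }


if __name__ == "__main__":
    for sample in (LOG_ANALYTICS_SAMPLE, APP_INSIGHTS_SAMPLE):
        print(json.dumps(parse_log_alert(sample), indent=2))
```

The untrusted_links list is what an on-call runbook or ticketing integration should consult before rendering the portal or API links as clickable: a payload is only as trustworthy as the endpoint that accepted it, and the links are plain strings in the POST body.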

Log alert with custom JSON payload

For example, to create a custom payload that includes just the alert name and the search results, you can use the following:

    {
       "alertname":"#alertrulename",
       "IncludeSearchResults":true
    }

The following sample payload is for a custom webhook action for any log alert:

    {
        "alertname": "AcmeRule",
        "IncludeSearchResults": true,
        "SearchResults": {
            "tables": [
                {
                    "name": "PrimaryResult",
                    "columns": [
                        {"name": "$table", "type": "string"},
                        {"name": "Id", "type": "string"},
                        {"name": "TimeGenerated", "type": "datetime"}
                    ],
                    "rows": [
                        ["Fabrikam", "33446677a", "2018-02-02T15:03:12.18Z"],
                        ["Contoso", "33445566b", "2018-02-02T15:16:53.932Z"]
                    ]
                }
            ]
        }
    }

Next steps