Logs in Azure Monitor

Note

All data collected by Azure Monitor fits into one of two fundamental types, Metrics and Logs. This article describes Logs. Refer to Metrics in Azure Monitor for a detailed description of metrics and to Monitoring data collected by Azure Monitor for a comparison of the two.

Logs in Azure Monitor are especially useful for performing complex analysis across data from a variety of sources. This article describes how Logs are structured in Azure Monitor, what you can do with the data, and identifies different data sources that store data in Logs.

Note

It's important to distinguish between Azure Monitor Logs and sources of log data in Azure. For example, subscription level events in Azure are written to an activity log that you can view from the Azure Monitor menu. Most resources will write operational information to a resource log that you can forward to different locations. Azure Monitor Logs is a log data platform that collects activity logs and resource logs along with other monitoring data to provide deep analysis across your entire set of resources.

What are Azure Monitor Logs?

Logs in Azure Monitor contain different kinds of data organized into records with different sets of properties for each type. Logs can contain numeric values like Azure Monitor Metrics but typically contain text data with detailed descriptions. They further differ from metric data in that they vary in their structure and are often not collected at regular intervals. Telemetry such as events and traces is stored in Azure Monitor Logs in addition to performance data so that it can all be combined for analysis.

A common type of log entry is an event, which is collected sporadically. Events are created by an application or service and typically include enough information to provide complete context on their own. For example, an event can indicate that a particular resource was created or modified, a new host started in response to increased traffic, or an error was detected in an application.

Because the format of the data can vary, applications can create custom logs by using the structure that they need. Metric data can even be stored in Logs to combine them with other monitoring data for trending and other data analysis.

What can you do with Azure Monitor Logs?

The following table lists the different ways that you can use Logs in Azure Monitor.

| | Description |
|---|---|
| Analyze | Use Log Analytics in the Azure portal to write log queries and interactively analyze log data using the powerful Data Explorer analysis engine. |
| | Use the Application Insights analytics console in the Azure portal to write log queries and interactively analyze log data from Application Insights. |
| Visualize | Pin query results rendered as tables or charts to an Azure dashboard. |
| | Create a workbook to combine multiple sets of data in an interactive report. |
| | Export the results of a query to Power BI to use different visualizations and share with users outside of Azure. |
| Alert | Configure a log alert rule that sends a notification or takes automated action when the results of the query match a particular result. |
| | Configure a metric alert rule on certain log data extracted as metrics. |
| Retrieve | Access log query results from a command line using Azure CLI. |
| | Access log query results from a command line using PowerShell cmdlets. |
| | Access log query results from a custom application using REST API. |
| Export | Build a workflow to retrieve log data and copy it to an external location using Logic Apps. |

How is data in Azure Monitor Logs structured?

Data collected by Azure Monitor Logs is stored in a Log Analytics workspace. Each workspace contains multiple tables that each store data from a particular source. While all tables share some common properties, each has a unique set of properties depending on the kind of data it stores. A new workspace will have a standard set of tables, and more tables will be added by different monitoring solutions and other services that write to the workspace.

Log data from Application Insights uses the same Log Analytics engine as workspaces, but it's stored separately for each monitored application. Each application has a standard set of tables to hold data such as application requests, exceptions, and page views.

Log queries will either use data from a Log Analytics workspace or an Application Insights application. You can use a cross-resource query to analyze application data together with other log data or to create queries including multiple workspaces or applications.

Workspaces

Log queries

Data in Azure Monitor Logs is retrieved using a log query written with the Kusto query language, which allows you to quickly retrieve, consolidate, and analyze collected data. Use Log Analytics to write and test log queries in the Azure portal. It allows you to work with results interactively or pin them to a dashboard to view them with other visualizations.

Log Analytics

Open Log Analytics from Application Insights to analyze Application Insights data.

Application Insights Analytics

You can also retrieve log data by using the Log Analytics API and the Application Insights REST API.

Sources of Azure Monitor Logs

Azure Monitor can collect log data from a variety of sources both within Azure and from on-premises resources. The following tables list the different data sources available from different resources that write data to Azure Monitor Logs. Each has a link to details on any required configuration.

Azure tenant and subscription

| Data | Description |
|---|---|
| Activity logs | Stored separately by default and can be used for near real time alerts. Install the Activity Log Analytics solution to write to a Log Analytics workspace. See Collect and analyze Azure activity logs in Log Analytics. |

Azure resources

| Data | Description |
|---|---|
| Resource diagnostics | Configure diagnostic settings to write diagnostic data, including metrics, to a Log Analytics workspace. See Stream Azure resource logs to Log Analytics. |
| Monitoring solutions | Monitoring solutions write data they collect to their Log Analytics workspace. See Data collection details for management solutions in Azure for a list of solutions. See Monitoring solutions in Azure Monitor for details on installing and using solutions. |
| Metrics | Send platform metrics for Azure Monitor resources to a Log Analytics workspace to retain log data for longer periods and to perform complex analysis with other data types using the Kusto query language. See Stream Azure resource logs to Log Analytics. |
| Azure table storage | Collect data from Azure storage where some Azure resources write monitoring data. See Use Azure blob storage for IIS and Azure table storage for events with Log Analytics. |

Virtual Machines

| Data | Description |
|---|---|
| Agent data sources | Data sources collected from Windows and Linux agents include events, performance data, and custom logs. See Agent data sources in Azure Monitor for a list of data sources and details on configuration. |
| Monitoring solutions | Monitoring solutions write data they collect from agents to their Log Analytics workspace. See Data collection details for management solutions in Azure for a list of solutions. See Monitoring solutions in Azure Monitor for details on installing and using solutions. |

Applications

| Data | Description |
|---|---|
| Requests and exceptions | Detailed data about application requests and exceptions is in the requests, pageViews, and exceptions tables. Calls to external components are in the dependencies table. |
| Usage and performance | Performance for the application is available in the requests, browserTimings, and performanceCounters tables. Data for custom metrics is in the customMetrics table. |
| Trace data | Results from distributed tracing are stored in the traces table. |
| Availability tests | Summary data from availability tests is stored in the availabilityResults table. Detailed data from these tests is in separate storage and is accessed from Application Insights in the Azure portal. |

Insights

| Data | Description |
|---|---|
| Azure Monitor for containers | Inventory and performance data collected by Azure Monitor for containers. See Container data-collection details for a list of the tables. |

Custom

| Data | Description |
|---|---|
| REST API | Write data to a Log Analytics workspace from any REST client. See Send log data to Azure Monitor with the HTTP Data Collector API for details. |
| Logic App | Write any data to a Log Analytics workspace from a Logic App workflow with the Azure Log Analytics Data Collector action. |
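
The REST API row above refers to the HTTP Data Collector API, which authenticates each POST with an HMAC-SHA256 signature computed from the workspace's shared key. The following is an added example, not code from the original article: it builds the signed headers offline without sending anything. The helper name `build_request`, the workspace ID, the key and the record are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

RESOURCE = "/api/logs"  # request path covered by the signature
CONTENT_TYPE = "application/json"
LOG_TYPE_RE = re.compile(r"[A-Za-z0-9_]{1,100}")  # allowed Log-Type values

# Constructed sample values, not real credentials or data.
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode("ascii")
SAMPLE_RECORDS = [{"user": "alice@example.com", "action": "login", "result": "failure"}]


def build_request(workspace_id, shared_key_b64, log_type, records, now=None):
    """Hypothetical helper: return (headers, body) for the POST, without sending it."""
    # Rejecting other characters also keeps CR/LF out of the Log-Type header.
    if not LOG_TYPE_RE.fullmatch(log_type):
        raise ValueError("Log-Type allows only letters, digits and underscore")
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.now(timezone.utc)
    rfc1123 = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    # Signed fields: method, body length, content type, date header, path.
    # The body content itself is not signed, so its integrity relies on TLS.
    string_to_sign = "\n".join(
        ["POST", str(len(body)), CONTENT_TYPE, "x-ms-date:" + rfc1123, RESOURCE]
    )
    key = base64.b64decode(shared_key_b64, validate=True)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": "SharedKey {}:{}".format(workspace_id, signature),
        "Log-Type": log_type,
        "x-ms-date": rfc1123,
    }
    return headers, body


if __name__ == "__main__":
    hdrs, payload = build_request(
        SAMPLE_WORKSPACE_ID, SAMPLE_KEY_B64, "AppAudit", SAMPLE_RECORDS)
    for name, value in hdrs.items():
        print(name + ": " + value)
```

Because the shared key authorizes writes to the workspace, load it from a secret store at run time rather than embedding it in source as this constructed sample does.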

Security

| Data | Description |
|---|---|
| Azure Security Center | Azure Security Center stores data that it collects in a Log Analytics workspace where it can be analyzed with other log data. See Data collection in Azure Security Center for details on workspace configuration. |

Next steps