Azure Monitor 中的 Windows 事件日志数据源Windows event log data sources in Azure Monitor

由于许多应用程序都会写入 Windows 事件日志,因此 Windows 事件日志是使用 Windows 代理收集数据的最常见数据源之一。Windows Event logs are one of the most common data sources for collecting data using Windows agents since many applications write to the Windows event log. 除了指定由需要监视的应用程序创建的任何自定义日志,还可以从标准日志(如系统和应用程序)中收集事件。You can collect events from standard logs such as System and Application in addition to specifying any custom logs created by applications you need to monitor.

Windows 事件

配置 Windows 事件日志Configuring Windows Event logs

可以从“高级设置”中的“数据”菜单配置 Windows 事件日志。Configure Windows Event logs from the Data menu in Advanced Settings.

Azure Monitor 仅从在设置中指定的 Windows 事件日志收集事件。Azure Monitor only collects events from the Windows event logs that are specified in the settings. 可以通过键入日志名称并单击“+”添加事件日志。You can add an event log by typing in the name of the log and clicking +. 对于每个日志,仅收集具有所选严重级别的事件。For each log, only the events with the selected severities are collected. 检查要收集的特定日志的严重级别。Check the severities for the particular log that you want to collect. 不能向筛选事件提供任何其他条件。You cannot provide any additional criteria to filter events.

键入事件日志名称时,Azure Monitor 会提供常见事件日志名称的建议。As you type the name of an event log, Azure Monitor provides suggestions of common event log names. 如果要添加的日志未显示在列表中,仍可以通过键入日志全名添加。If the log you want to add does not appear in the list, you can still add it by typing in the full name of the log. 可以使用事件查看器查找日志全名。You can find the full name of the log by using event viewer. 在事件查看器中,打开日志的“属性”页面,并从“全名”字段复制字符串。In event viewer, open the Properties page for the log and copy the string from the Full Name field.

配置 Windows 事件


Windows 事件日志中的严重事件在 Azure Monitor 日志中的严重性为“错误”。Critical events from the Windows event log will have a severity of "Error" in Azure Monitor Logs.

数据收集Data collection

Azure Monitor 在事件创建时从受监视的事件日志中收集与所选严重级别相匹配的每个事件。Azure Monitor collects each event that matches a selected severity from a monitored event log as the event is created. 代理会在将其收集到的每个事件日志的位置记录下来。The agent records its place in each event log that it collects from. 如果代理在一段时间内处于脱机状态,则它从其上次脱机的位置收集事件,即使这些事件是在代理脱机期间创建的。If the agent goes offline for a period of time, then it collects events from where it last left off, even if those events were created while the agent was offline. 如果事件日志在代理脱机时,还有未收集的事件正在被覆盖,则可能无法收集这些事件。There is a potential for these events to not be collected if the event log wraps with uncollected events being overwritten while the agent is offline.


对于其中包含带关键字“经典”或“审核成功”以及关键字 0xa0000000000000 的事件 ID 为 18453 的源 MSSQLSERVER,Azure Monitor 不会从中收集 SQL Server 创建的审核事件。Azure Monitor does not collect audit events created by SQL Server from source MSSQLSERVER with event ID 18453 that contains keywords - Classic or Audit Success and keyword 0xa0000000000000.

Windows 事件的记录属性Windows event records properties

Windows 事件记录都有一个事件类型,并且具有下表中的属性:Windows event records have a type of Event and have the properties in the following table:

属性Property 说明Description
ComputerComputer 从中收集事件的计算机的名称。Name of the computer that the event was collected from.
EventCategoryEventCategory 事件的类别。Category of the event.
EventDataEventData 所有原始格式的事件数据。All event data in raw format.
EventIDEventID 事件数。Number of the event.
EventLevelEventLevel 以数字形式指示的事件严重性。Severity of the event in numeric form.
EventLevelNameEventLevelName 以文本形式指示的事件严重性。Severity of the event in text form.
EventLogEventLog 从中收集事件的事件日志名称。Name of the event log that the event was collected from.
ParameterXmlParameterXml XML 格式的事件参数值。Event parameter values in XML format.
ManagementGroupNameManagementGroupName System Center Operations Manager 代理的管理组名称。Name of the management group for System Center Operations Manager agents. 对于其他代理,该值为 AOI-<workspace ID>For other agents, this value is AOI-<workspace ID>
RenderedDescriptionRenderedDescription 具有参数值的事件描述Event description with parameter values
SourceSource 事件源。Source of the event.
SourceSystemSourceSystem 从中收集事件的代理类型。Type of agent the event was collected from.
OpsManager – Windows 代理,直接连接或 Operations Manager 管理OpsManager – Windows agent, either direct connect or Operations Manager managed
Linux - 所有 Linux 代理Linux – All Linux agents
AzureStorage – Azure 诊断AzureStorage – Azure Diagnostics
TimeGeneratedTimeGenerated 在 Windows 中创建事件的日期和时间。Date and time the event was created in Windows.
UserNameUserName 记录事件的帐户的用户名。User name of the account that logged the event.

使用 Windows 事件的日志查询Log queries with Windows Events

下表提供了检索 Windows 事件记录的不同日志查询的示例。The following table provides different examples of log queries that retrieve Windows Event records.

查询Query 说明Description
事件Event 所有 Windows 事件。All Windows events.
Event | where EventLevelName == "error"Event | where EventLevelName == "error" 所有 Windows 事件与错误的严重性。All Windows events with severity of error.
Event | summarize count() by SourceEvent | summarize count() by Source 按源计数 Windows 事件。Count of Windows events by source.
Event | where EventLevelName == "error" | summarize count() by SourceEvent | where EventLevelName == "error" | summarize count() by Source 按源计数 Windows 错误事件。Count of Windows error events by source.

后续步骤Next steps

  • 配置 Log Analytics 以收集其他数据源进行分析。Configure Log Analytics to collect other data sources for analysis.
  • 了解日志查询以便分析从数据源和解决方案中收集的数据。Learn about log queries to analyze the data collected from data sources and solutions.
  • 配置来自 Windows 代理的性能计数器集合。Configure collection of performance counters from your Windows agents.