Collect Windows event log data sources with the Log Analytics agent

Windows event logs are one of the most common data sources for the Log Analytics agent on Windows virtual machines, because many applications write to the Windows event log. You can collect events from the standard logs such as System and Application, and you can also specify any custom logs created by the applications you need to monitor.

Important

This article covers collecting Windows events with the Log Analytics agent, which is one of the agents used by Azure Monitor. Other agents collect different data and are configured differently. See Overview of Azure Monitor agents for a list of the available agents and the data they can collect.

Configuring Windows event logs

Configure Windows event logs from the Data menu under Advanced Settings for the Log Analytics workspace.

Azure Monitor collects events only from the Windows event logs that are specified in the settings. You add an event log by typing the name of the log and clicking +. For each log, only the events with the selected severities are collected, so check the severities you want for each log. You cannot provide any additional criteria, such as event ID or source, to filter events with this agent.

As you type the name of an event log, Azure Monitor suggests common event log names. If the log you want to add does not appear in the list, you can still add it by typing the full name of the log. You can find the full name with Event Viewer: open the Properties page for the log and copy the string from the Full Name field. The full name, not the display name shown in the Event Viewer tree, is what the agent needs.

Note

Events with the Windows level Critical are recorded in Azure Monitor Logs with a severity (EventLevelName) of "Error". A query for errors therefore returns both Windows Error and Windows Critical events.

Data collection

Azure Monitor collects each event that matches a selected severity from a monitored event log as the event is created. The agent records its position in each event log that it collects from. If the agent goes offline for a period of time, it resumes from where it left off, so events created while the agent was offline are still collected. These events can be lost only if the event log wraps while the agent is offline, that is, if the log reaches its maximum size and overwrites records the agent has not yet read.
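The two points above, finding the exact full name of a log and judging whether a log can wrap while the agent is offline, can both be checked from PowerShell on the monitored VM. The script below is an added example and is not part of the original article or of the Log Analytics agent; the channel names in $logsToCollect are assumptions standing in for the logs you intend to collect. For each log it prints the string to type into Advanced Settings, the log mode and size, how wide a time window the log currently holds (roughly how long the agent could be offline before a circular log starts overwriting unread events), and how many Critical or Error events from the last day would arrive in Azure Monitor Logs as EventLevelName "Error".

```powershell
# Added example (not from the Azure Monitor documentation). Run on the monitored Windows VM,
# in an elevated session, or wrap it in Invoke-Command to run remotely. Requires read access
# to the event logs you list. Channel names below are assumptions; replace them with yours.

$logsToCollect = @(
    'System',
    'Application',
    'Microsoft-Windows-TaskScheduler/Operational',   # a channel whose full name is not obvious from the tree
    'Microsoft-Windows-PowerShell/Operational'
)

$report = foreach ($name in $logsToCollect) {
    $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $cfg) {
        Write-Warning "Log '$name' does not exist on this host; copy the Full Name field from Event Viewer instead."
        continue
    }

    # The oldest and newest records currently in the log bound the time window the log holds.
    # Once the agent has been offline for longer than this window, a Circular log has already
    # overwritten events that the agent never read.
    $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $newest = Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction SilentlyContinue
    $window = if ($oldest -and $newest) { $newest.TimeCreated - $oldest.TimeCreated } else { $null }

    # Windows level 1 (Critical) and level 2 (Error) both land in Azure Monitor Logs as
    # EventLevelName "Error". Count the last 24 hours to see what the "Error" checkbox would collect.
    $errorCount = 0
    if ($cfg.RecordCount -gt 0) {
        $filter = @{ LogName = $name; Level = 1, 2; StartTime = (Get-Date).AddDays(-1) }
        $errorCount = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
    }

    [pscustomobject]@{
        FullName        = $cfg.LogName            # the exact string to type into Advanced Settings > Data > Windows Event Logs
        Enabled         = $cfg.IsEnabled
        Mode            = $cfg.LogMode            # Circular overwrites old records; AutoBackup and Retain do not
        MaxSizeMB       = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        FileSizeMB      = if ($cfg.FileSize) { [math]::Round($cfg.FileSize / 1MB, 1) } else { $null }
        Records         = $cfg.RecordCount
        HeldWindow      = $window                 # how far back the log currently reaches
        WrapRisk        = ($cfg.LogMode -eq 'Circular' -and $cfg.FileSize -ge 0.9 * $cfg.MaximumSizeInBytes)
        CriticalOrError = $errorCount             # events that will show as EventLevelName "Error" in the workspace
    }
}

$report | Format-Table -AutoSize
```

A log flagged WrapRisk that holds only a few hours of records is the case the paragraph above warns about: if the agent is disconnected for longer than HeldWindow, the events in between are gone before it reconnects. Raising the log's maximum size, or changing its mode away from Circular, widens that window; neither is changed by this script.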

Note

Azure Monitor does not collect the audit events that SQL Server writes from the source MSSQLSERVER with event ID 18453 and the keywords Classic or Audit Success (keyword value 0xa0000000000000).

Windows event record properties

Windows event records have a Type of Event and have the properties in the following table:

Property  Description
Computer  Name of the computer that the event was collected from.
EventCategory  Category of the event.
EventData  All event data in raw format.
EventID  ID number of the event.
EventLevel  Severity of the event in numeric form.
EventLevelName  Severity of the event in text form.
EventLog  Name of the event log that the event was collected from.
ParameterXml  Event parameter values in XML format.
ManagementGroupName  Name of the management group for System Center Operations Manager agents. For other agents, this value is AOI-<workspace ID>.
RenderedDescription  Event description with parameter values filled in.
Source  Source of the event.
SourceSystem  Type of agent the event was collected from:
    OpsManager - Windows agent, either directly connected or managed by Operations Manager
    Linux - all Linux agents
    AzureStorage - Azure Diagnostics
TimeGenerated  Date and time the event was created in Windows.
UserName  User name of the account that logged the event.

Log queries with Windows events

The following table gives examples of log queries that retrieve Windows event records. Note that the KQL == operator is case-sensitive and the stored severity values are capitalized ("Error", "Warning", "Information"), so the queries below use the case-insensitive =~ operator for the severity comparison.

Query  Description
Event  All Windows events.
Event | where EventLevelName =~ "error"  All Windows events with a severity of Error (which, per the note above, includes Windows Critical events).
Event | summarize count() by Source  Count of Windows events by source.
Event | where EventLevelName =~ "error" | summarize count() by Source  Count of Windows error events by source.

Next steps