Overview of Azure Diagnostic Logs

Diagnostic logs provide rich, frequent data about the operation of an Azure resource. Azure Monitor makes available two types of diagnostic logs:

  • Tenant logs - these logs come from tenant-level services that exist outside of an Azure subscription, such as Azure Active Directory logs.

  • Resource logs - these logs come from Azure services that deploy resources within an Azure subscription, such as Network Security Groups or Storage Accounts.

    Resource diagnostic logs vs other types of logs

The content of these logs varies by the Azure service and resource type. For example, Network Security Group rule counters and Key Vault audits are two types of diagnostic logs.

These logs differ from the Activity Log. The Activity Log provides insight into the operations that were performed on resources in your subscription using Resource Manager, for example, creating a virtual machine or deleting a logic app. The Activity Log is a subscription-level log. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault.

These logs also differ from guest OS-level diagnostic logs. Guest OS diagnostic logs are those collected by an agent running inside of a virtual machine or other supported resource type. Resource-level diagnostic logs require no agent and capture resource-specific data from the Azure platform itself, while guest OS-level diagnostic logs capture data from the operating system and applications running on a virtual machine.

Not all services support the diagnostic logs described here. This article contains a section listing which services support diagnostic logs.

What you can do with diagnostic logs

Here are some of the things you can do with diagnostic logs:

[Figure: Logical placement of diagnostic logs]

  • Save them to a Storage Account for auditing or manual inspection. You can specify the retention time (in days) using resource diagnostic settings.
  • Stream them to Event Hubs for ingestion by a third-party service or custom analytics solution such as PowerBI.
  • Analyze them with Azure Monitor, where the data is written immediately to Azure Monitor with no need to first write the data to storage.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

You can use a storage account or Event Hubs namespace that is not in the same subscription as the one emitting logs. The user who configures the setting must have the appropriate RBAC access to both subscriptions.

Note

You cannot currently archive network flow logs to a storage account that is behind a secured virtual network.

Diagnostic settings

Resource diagnostic logs are configured using resource diagnostic settings. Tenant diagnostic logs are configured using a tenant diagnostic setting. Diagnostic settings for a service control:

  • Where diagnostic logs and metrics are sent (Storage Account, Event Hubs, and/or Azure Monitor).
  • Which log categories are sent and whether metric data is also sent.
  • How long each log category should be retained in a storage account.
    • A retention of zero days means logs are kept forever. Otherwise, the value can be any number of days between 1 and 365.
    • If retention policies are set but storing logs in a Storage Account is disabled (for example, if only the Event Hubs or Log Analytics options are selected), the retention policies have no effect.
    • Retention policies are applied per day, so at the end of a day (UTC), logs from the day that is now beyond the retention policy are deleted. For example, if you had a retention policy of one day, at the beginning of the day today the logs from the day before yesterday would be deleted. The delete process begins at midnight UTC, but note that it can take up to 24 hours for the logs to be deleted from your storage account.

These settings are easily configured from the diagnostic settings in the portal, with Azure PowerShell and CLI commands, or using the Azure Monitor REST API.
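The following is an added example, not Microsoft's code, that models the rules in the bullets above: it assembles a diagnostic-setting body in a shape that approximates the Microsoft.Insights/diagnosticSettings REST API (the exact property names are an assumption), rejects retention values outside 0 or 1-365, flags retention as ineffective when no storage account destination is set, and computes which day's logs are purged at midnight UTC for a given retention. The helper names, the sample category, and the placeholder resource IDs are this example's own.

```python
"""Build and sanity-check an Azure Monitor resource diagnostic setting.

Added example (not Microsoft's code). The dictionary layout approximates the
body of the Microsoft.Insights/diagnosticSettings REST API; treat the exact
property names as an assumption and check them against the current API docs.
"""
from datetime import date, timedelta
from typing import Dict, Optional


def retention_policy(days: int) -> dict:
    """Map a retention value in days to a retentionPolicy object.

    0 means keep forever (the policy is disabled); otherwise 1..365 is allowed.
    """
    if not isinstance(days, int) or days < 0 or days > 365:
        raise ValueError(f"retention must be 0 (forever) or 1-365 days, got {days!r}")
    return {"enabled": days > 0, "days": days}


def build_diagnostic_setting(
    logs: Dict[str, int],
    *,
    storage_account_id: Optional[str] = None,
    event_hub_authorization_rule_id: Optional[str] = None,
    workspace_id: Optional[str] = None,
    metrics_retention_days: Optional[int] = None,
) -> dict:
    """Return a diagnostic-setting body.

    `logs` maps a log category name to its retention in days. At least one
    destination (storage account, Event Hubs authorization rule, or Log
    Analytics workspace) is required, as the portal also enforces.
    """
    if not any((storage_account_id, event_hub_authorization_rule_id, workspace_id)):
        raise ValueError("a diagnostic setting needs at least one destination")
    props: dict = {
        "logs": [
            {"category": cat, "enabled": True, "retentionPolicy": retention_policy(d)}
            for cat, d in logs.items()
        ],
        "metrics": [],
    }
    if metrics_retention_days is not None:
        # "AllMetrics" is the metrics category used by diagnostic settings.
        props["metrics"].append(
            {"category": "AllMetrics", "enabled": True,
             "retentionPolicy": retention_policy(metrics_retention_days)}
        )
    if storage_account_id:
        props["storageAccountId"] = storage_account_id
    if event_hub_authorization_rule_id:
        props["eventHubAuthorizationRuleId"] = event_hub_authorization_rule_id
    if workspace_id:
        props["workspaceId"] = workspace_id
    return {"properties": props}


def retention_is_effective(setting: dict) -> bool:
    """Retention days only matter when a storage account destination is set;
    with only Event Hubs or Log Analytics selected they have no effect."""
    return "storageAccountId" in setting["properties"]


def purge_day(today: date, retention_days: int) -> Optional[date]:
    """Which day's logs are deleted at the midnight UTC that starts `today`.

    With retention R, days today-R .. today remain; the day before that
    (today - R - 1) is purged. Retention 0 never purges.
    """
    if retention_days == 0:
        return None
    return today - timedelta(days=retention_days + 1)


if __name__ == "__main__":
    # Constructed sample: Key Vault audit events to storage plus a workspace.
    setting = build_diagnostic_setting(
        {"AuditEvent": 90},
        storage_account_id="/subscriptions/<sub-id>/.../storageAccounts/<name>",  # placeholder
        workspace_id="/subscriptions/<sub-id>/.../workspaces/<name>",  # placeholder
    )
    print(setting)
    print("retention effective:", retention_is_effective(setting))
    print("purged at start of 2024-03-10 with 1-day retention:", purge_day(date(2024, 3, 10), 1))
```

The `purge_day` helper encodes the worked example from the bullet list: with a one-day retention, the logs from the day before yesterday are the ones removed at the start of today. Actual deletion from the storage account can lag by up to 24 hours, so treat the returned date as the earliest day that may disappear, not a guarantee of when it is gone.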

Note

Sending multi-dimensional metrics via diagnostic settings is not currently supported. Metrics with dimensions are exported as flattened single-dimensional metrics, aggregated across dimension values.

For example: the 'Incoming Messages' metric on an Event Hub can be explored and charted on a per-queue level. However, when exported via diagnostic settings the metric will be represented as all incoming messages across all queues in the Event Hub.

Supported services, categories, and schemas for diagnostic logs

See this article for a complete list of supported services and the log categories and schemas used by those services.

Next steps