Create diagnostic settings to send platform logs and metrics to different destinations

Platform logs in Azure, including the Azure Activity log and resource logs, provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. Platform metrics are collected by default and are typically stored in the Azure Monitor metrics database. This article provides details on creating and configuring diagnostic settings to send platform metrics and platform logs to different destinations.

Important

Before you create a diagnostic setting for the Activity log, you should first disable any legacy configuration. See Legacy collection methods for details.

Each Azure resource requires its own diagnostic setting, which defines the following criteria:

  • Categories of logs and metric data sent to the destinations defined in the setting. The available categories vary for different resource types.
  • One or more destinations to send the logs to. Current destinations include Log Analytics workspace, Event Hubs, and Azure Storage.

A single diagnostic setting can define no more than one of each of the destination types. If you want to send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), create multiple settings. Each resource can have up to 5 diagnostic settings.

Note

Platform metrics are sent automatically to Azure Monitor Metrics. Diagnostic settings can be used to send metrics for certain Azure services into Azure Monitor Logs for analysis with other monitoring data using log queries, with certain limitations.

Sending multi-dimensional metrics via diagnostic settings is not currently supported. Metrics with dimensions are exported as flattened single-dimensional metrics, aggregated across dimension values. For example, the 'IOReadBytes' metric on a blockchain resource can be explored and charted on a per-node level. However, when exported via diagnostic settings, the exported metric represents all read bytes for all nodes. In addition, due to internal limitations, not all metrics can be exported to Azure Monitor Logs / Log Analytics. For more information, see the list of exportable metrics.

To get around these limitations for specific metrics, we suggest you manually extract them using the Metrics REST API and import them into Azure Monitor Logs using the Azure Monitor Data Collector API.

Destinations

Platform logs and metrics can be sent to the destinations in the following table.

Destination | Description
Log Analytics workspace | Sending logs and metrics to a Log Analytics workspace allows you to analyze them with other monitoring data collected by Azure Monitor using powerful log queries, and also to use other Azure Monitor features such as alerts and visualizations.
Event Hubs | Sending logs and metrics to Event Hubs allows you to stream data to external systems such as third-party SIEMs and other log analytics solutions.
Azure storage account | Archiving logs and metrics to an Azure storage account is useful for audit, static analysis, or backup. Compared to Azure Monitor Logs and a Log Analytics workspace, Azure storage is less expensive and logs can be kept there indefinitely.

Destination requirements

Any destinations for the diagnostic setting must be created before you create the diagnostic setting. The destination does not have to be in the same subscription as the resource sending logs, as long as the user who configures the setting has appropriate RBAC access to both subscriptions. The following table lists the requirements specific to each destination, including any regional restrictions.

Destination | Requirements
Log Analytics workspace | The workspace does not need to be in the same region as the resource being monitored.
Event Hubs | The shared access policy for the namespace defines the permissions that the streaming mechanism has. Streaming to Event Hubs requires Manage, Send, and Listen permissions. To update the diagnostic setting to include streaming, you must have the ListKey permission on that Event Hubs authorization rule. The event hub namespace needs to be in the same region as the resource being monitored if the resource is regional.
Azure storage account | You should not use an existing storage account that has other, non-monitoring data stored in it, so that you can better control access to the data. If you are archiving the Activity log and resource logs together, though, you may choose to use the same storage account to keep all monitoring data in a central location. To send the data to immutable storage, set the immutable policy for the storage account as described in Set and manage immutability policies for Blob storage. You must follow all steps in that article, including enabling protected append blob writes. The storage account needs to be in the same region as the resource being monitored if the resource is regional.

Note

Azure Data Lake Storage Gen2 accounts are not currently supported as a destination for diagnostic settings, even though they may be listed as a valid option in the Azure portal.
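The destination rules above (at most one destination of each type per setting, at most 5 settings per resource, Manage/Send/Listen on the Event Hubs authorization rule, regional co-location for event hubs and storage accounts, no Data Lake Storage Gen2 accounts) are easy to get wrong when settings are rolled out in bulk. The following Python is an added example, not code from this article or from Microsoft: it models a setting and its destinations with constructed dataclasses (the attribute names such as `hierarchical_namespace` and `holds_non_monitoring_data` are this example's own, not Azure SDK types) and returns every violation it finds, so a pre-deployment check can fail before a PUT is ever sent.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed models of what a diagnostic setting refers to (example's own, not SDK types).

@dataclass
class Resource:
    resource_id: str
    region: Optional[str]  # None for a global (non-regional) resource


@dataclass
class Workspace:
    resource_id: str
    region: str            # may differ from the resource's region


@dataclass
class EventHubRule:
    resource_id: str
    namespace_region: str
    rights: Set[str]       # rights granted by the authorization rule, e.g. {"Manage", "Send", "Listen"}


@dataclass
class StorageAccount:
    resource_id: str
    region: str
    hierarchical_namespace: bool = False    # True marks a Data Lake Storage Gen2 account (constructed flag)
    holds_non_monitoring_data: bool = False  # constructed flag for the "dedicated account" advice


@dataclass
class DiagnosticSetting:
    name: str
    workspaces: List[Workspace] = field(default_factory=list)
    event_hub_rules: List[EventHubRule] = field(default_factory=list)
    storage_accounts: List[StorageAccount] = field(default_factory=list)


MAX_SETTINGS_PER_RESOURCE = 5
REQUIRED_EVENT_HUB_RIGHTS = {"Manage", "Send", "Listen"}


def validate_setting(resource: Resource, setting: DiagnosticSetting, existing_count: int = 0) -> List[str]:
    """Return the list of rule violations for a proposed setting (empty list means it is acceptable)."""
    problems = []
    if existing_count >= MAX_SETTINGS_PER_RESOURCE:
        problems.append(f"resource already has {existing_count} settings (max {MAX_SETTINGS_PER_RESOURCE})")
    # One destination of each type per setting; extra ones need a second setting.
    for kind, dests in (("Log Analytics workspace", setting.workspaces),
                        ("event hub", setting.event_hub_rules),
                        ("storage account", setting.storage_accounts)):
        if len(dests) > 1:
            problems.append(f"more than one {kind} in a single setting; create a second setting instead")
    if not (setting.workspaces or setting.event_hub_rules or setting.storage_accounts):
        problems.append("no destination selected")
    for rule in setting.event_hub_rules:
        missing = REQUIRED_EVENT_HUB_RIGHTS - rule.rights
        if missing:
            problems.append(f"event hub rule lacks rights: {sorted(missing)}")
        if resource.region and rule.namespace_region != resource.region:
            problems.append("event hub namespace must be in the same region as a regional resource")
    for acct in setting.storage_accounts:
        if acct.hierarchical_namespace:
            problems.append("Data Lake Storage Gen2 accounts are not supported as a destination")
        if resource.region and acct.region != resource.region:
            problems.append("storage account must be in the same region as a regional resource")
        if acct.holds_non_monitoring_data:
            problems.append("warning: storage account also holds non-monitoring data; prefer a dedicated account")
    return problems


if __name__ == "__main__":
    # Constructed sample: a regional key vault with one good and one bad candidate setting.
    vault = Resource("/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv", "eastus")
    good = DiagnosticSetting("archive", workspaces=[Workspace("/ws", "westeurope")],
                             storage_accounts=[StorageAccount("/sa", "eastus")])
    bad = DiagnosticSetting("stream", event_hub_rules=[EventHubRule("/rule", "westus", {"Listen"})],
                            storage_accounts=[StorageAccount("/a", "eastus"),
                                              StorageAccount("/b", "eastus", hierarchical_namespace=True)])
    for s in (good, bad):
        print(s.name, validate_setting(vault, s, existing_count=4) or "OK")
```

The workspace check deliberately ignores region, matching the table: only event hub namespaces and storage accounts must be co-located with a regional resource.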

Create in Azure portal

You can configure diagnostic settings in the Azure portal either from the Azure Monitor menu or from the menu for the resource.

  1. Where you configure diagnostic settings in the Azure portal depends on the resource.

    • For a single resource, click Diagnostic settings under Monitor in the resource's menu.

      (Screenshot: Diagnostic settings)

    • For one or more resources, click Diagnostic settings under Settings in the Azure Monitor menu and then click the resource.

      (Screenshot: Diagnostic settings)

    • For the Activity log, click Activity log in the Azure Monitor menu and then Diagnostic settings. Make sure you disable any legacy configuration for the Activity log. See Disable existing settings for details.

      (Screenshot: Diagnostic settings)

  2. If no settings exist on the resource you have selected, you are prompted to create a setting. Click Add diagnostic setting.

    (Screenshot: Add diagnostic setting with no existing settings)

    If there are existing settings on the resource, you see a list of the settings already configured. Either click Add diagnostic setting to add a new setting, or Edit setting to edit an existing one. Each setting can have no more than one of each of the destination types.

    (Screenshot: Add diagnostic setting with existing settings)

  3. Give your setting a name if it doesn't already have one.

    (Screenshot: Add diagnostic setting)

  4. Category details (what to route) - Check the box for each category of data you want to send to the destinations specified later. The list of categories varies for each Azure service.

    • AllMetrics routes a resource's platform metrics into the Azure Logs store, but in log form. These metrics are usually sent only to the Azure Monitor metrics time-series database. Sending them to the Azure Monitor Logs store (which is searchable via Log Analytics) allows you to integrate them into queries that search across other logs. This option may not be available for all resource types. Where it is supported, Azure Monitor supported metrics lists which metrics are collected for which resource types.

      Note

      See the limitations for routing metrics to Azure Monitor Logs earlier in this article.

    • Logs lists the different categories available depending on the resource type. Check any categories that you would like to route to a destination.

  5. Destination details - Check the box for each destination. When you check each box, options appear that allow you to add additional information.

    (Screenshot: Send to Log Analytics or Event Hubs)

    1. Log Analytics - Enter the subscription and workspace. If you don't have a workspace, you need to create one before proceeding.

    2. Event hubs - Specify the following criteria:

      • The subscription that the event hub is part of.
      • The event hub namespace - If you do not yet have one, you'll need to create one.
      • An event hub name (optional) to send all data to. If you don't specify a name, an event hub is created for each log category. If you are sending multiple categories, you may want to specify a name to limit the number of event hubs created. See Azure Event Hubs quotas and limits for details.
      • An event hub policy (optional). A policy defines the permissions that the streaming mechanism has. For more information, see Event Hubs features.
    3. Storage - Choose the subscription, storage account, and retention policy.

      (Screenshot: Send to storage)

      Tip

      Consider setting the retention policy to 0 and manually deleting your data from storage using a scheduled job, to avoid possible confusion in the future.

      First, if you are using storage for archiving, you generally want your data around for more than 365 days. Second, if you choose a retention policy that is greater than 0, the expiration date is attached to the logs at the time of storage. You can't change that date for those logs once they are stored.

      For example, if you set the retention policy for WorkflowRuntime to 180 days and then 24 hours later set it to 365 days, the logs stored during those first 24 hours will be automatically deleted after 180 days, while all subsequent logs of that type will be automatically deleted after 365 days. Changing the retention policy later doesn't make the first 24 hours of logs stay around for 365 days.
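The point of the WorkflowRuntime example is that the retention period is bound to each log at the moment it is written, not looked up when deletion is due. The Python below is an added example, not code from this article or from Azure: it models the policy as a chronological list of (effective-from, days) changes and resolves the expiry of a log from the policy that was in force when that log was stored, with 0 meaning "kept indefinitely". The timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

PolicyHistory = List[Tuple[datetime, int]]  # (effective_from, retention_days), chronological; 0 = keep forever


def policy_in_effect(stored_at: datetime, history: PolicyHistory) -> int:
    """Retention in days that applied at the moment a log was stored.

    Walks the chronological history and keeps the last change whose
    effective_from is not after stored_at. Later changes are ignored,
    which is exactly why they cannot extend already-stored logs.
    """
    days = 0
    for effective_from, new_days in history:
        if effective_from <= stored_at:
            days = new_days
        else:
            break
    return days


def expiry_for(stored_at: datetime, history: PolicyHistory) -> Optional[datetime]:
    """Expiry timestamp of a log stored at stored_at, or None if it is retained indefinitely."""
    days = policy_in_effect(stored_at, history)
    return None if days == 0 else stored_at + timedelta(days=days)


# Constructed timeline reproducing the article's WorkflowRuntime scenario.
T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
WORKFLOW_RUNTIME_HISTORY: PolicyHistory = [
    (T0, 180),                        # retention set to 180 days
    (T0 + timedelta(hours=24), 365),  # raised to 365 days one day later
]

if __name__ == "__main__":
    for hours in (12, 36):
        stored = T0 + timedelta(hours=hours)
        print(f"stored {stored.isoformat()} -> expires {expiry_for(stored, WORKFLOW_RUNTIME_HISTORY)}")
```

A log written 12 hours in still expires 180 days after it was stored; only logs written after the change get the 365-day period. With a single (T0, 0) entry nothing ever expires, which is the state the tip above recommends when deletion is handled by your own scheduled job.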

  6. Click Save.

After a few moments, the new setting appears in your list of settings for this resource, and logs are streamed to the specified destinations as new event data is generated. It may take up to 15 minutes between when an event is emitted and when it appears in a Log Analytics workspace.

Create using PowerShell

Use the Set-AzDiagnosticSetting cmdlet to create a diagnostic setting with Azure PowerShell. See the documentation for this cmdlet for descriptions of its parameters.

Important

You cannot use this method for the Azure Activity log. Instead, use Create diagnostic setting in Azure Monitor using a Resource Manager template to create a Resource Manager template and deploy it with PowerShell.

The following example PowerShell cmdlet creates a diagnostic setting using all three destinations.

Set-AzDiagnosticSetting -Name KeyVault-Diagnostics `
  -ResourceId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault `
  -Category AuditEvent `
  -MetricCategory AllMetrics `
  -Enabled $true `
  -StorageAccountId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount `
  -WorkspaceId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/oi-default-east-us/providers/microsoft.operationalinsights/workspaces/myworkspace `
  -EventHubAuthorizationRuleId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.EventHub/namespaces/myeventhub/authorizationrules/RootManageSharedAccessKey

Create using Azure CLI

Use the az monitor diagnostic-settings create command to create a diagnostic setting with Azure CLI. See the documentation for this command for descriptions of its parameters.

Important

You cannot use this method for the Azure Activity log. Instead, use Create diagnostic setting in Azure Monitor using a Resource Manager template to create a Resource Manager template and deploy it with the CLI.

The following example CLI command creates a diagnostic setting using all three destinations.

az monitor diagnostic-settings create  \
--name KeyVault-Diagnostics \
--resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault \
--logs    '[{"category": "AuditEvent","enabled": true}]' \
--metrics '[{"category": "AllMetrics","enabled": true}]' \
--storage-account /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount \
--workspace /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/oi-default-east-china/providers/microsoft.operationalinsights/workspaces/myworkspace \
--event-hub-rule /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.EventHub/namespaces/myeventhub/authorizationrules/RootManageSharedAccessKey

Create using Resource Manager template

See Resource Manager template samples for diagnostic settings in Azure Monitor to create or update diagnostic settings with a Resource Manager template.

Create using REST API

See Diagnostic Settings to create or update diagnostic settings using the Azure Monitor REST API.
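The PowerShell, CLI and REST methods above all express the same object: a name, the target resource, the enabled log and metric categories, and up to one of each destination. The Python below is an added example, not code from this article or from Microsoft, that builds both the REST PUT request and the equivalent `az monitor diagnostic-settings create` argument list from one set of inputs, so a single definition can be reviewed and then submitted either way. The API version `2017-05-01-preview` and the `properties.logs` / `properties.metrics` / `workspaceId` / `storageAccountId` / `eventHubAuthorizationRuleId` / `eventHubName` body layout are taken from my knowledge of the Diagnostic Settings REST reference and should be confirmed against it; the `--event-hub` flag is from the az CLI reference rather than this article. The subscription ID is a placeholder.

```python
import json
import shlex
from typing import Dict, List, Optional, Tuple

API_VERSION = "2017-05-01-preview"  # assumed; confirm against the Diagnostic Settings REST reference
ARM_ENDPOINT = "https://management.azure.com"


def _entries(categories: List[str], retention_days: int) -> List[Dict]:
    # One {category, enabled, retentionPolicy} entry per category. The retention
    # policy is only honoured for the storage account destination; 0 = keep forever.
    return [{"category": c, "enabled": True,
             "retentionPolicy": {"enabled": retention_days > 0, "days": retention_days}}
            for c in categories]


def rest_request(resource_id: str, name: str, log_categories: List[str], metric_categories: List[str],
                 workspace_id: Optional[str] = None, storage_account_id: Optional[str] = None,
                 event_hub_rule_id: Optional[str] = None, event_hub_name: Optional[str] = None,
                 retention_days: int = 0) -> Tuple[str, str, Dict]:
    """Return (method, url, body) for the create-or-update call; body is JSON-serialisable."""
    props: Dict = {"logs": _entries(log_categories, retention_days),
                   "metrics": _entries(metric_categories, retention_days)}
    if workspace_id:
        props["workspaceId"] = workspace_id
    if storage_account_id:
        props["storageAccountId"] = storage_account_id
    if event_hub_rule_id:
        props["eventHubAuthorizationRuleId"] = event_hub_rule_id
    if event_hub_name:
        props["eventHubName"] = event_hub_name  # omitted: one hub per category is created
    url = (f"{ARM_ENDPOINT}{resource_id}/providers/Microsoft.Insights/diagnosticSettings/"
           f"{name}?api-version={API_VERSION}")
    return "PUT", url, {"properties": props}


def az_command(resource_id: str, name: str, log_categories: List[str], metric_categories: List[str],
               workspace_id: Optional[str] = None, storage_account_id: Optional[str] = None,
               event_hub_rule_id: Optional[str] = None, event_hub_name: Optional[str] = None) -> List[str]:
    """Return the argv list for the equivalent az CLI command (shlex.join renders it for a shell)."""
    argv = ["az", "monitor", "diagnostic-settings", "create", "--name", name, "--resource", resource_id,
            "--logs", json.dumps([{"category": c, "enabled": True} for c in log_categories]),
            "--metrics", json.dumps([{"category": c, "enabled": True} for c in metric_categories])]
    if workspace_id:
        argv += ["--workspace", workspace_id]
    if storage_account_id:
        argv += ["--storage-account", storage_account_id]
    if event_hub_rule_id:
        argv += ["--event-hub-rule", event_hub_rule_id]
    if event_hub_name:
        argv += ["--event-hub", event_hub_name]
    return argv


# Constructed inputs mirroring the article's key vault example (placeholder subscription ID).
SUB = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
VAULT = f"{SUB}/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvault"
STORAGE = f"{SUB}/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount"
WORKSPACE = f"{SUB}/resourcegroups/oi-default-east-us/providers/microsoft.operationalinsights/workspaces/myworkspace"
EH_RULE = f"{SUB}/resourceGroups/myresourcegroup/providers/Microsoft.EventHub/namespaces/myeventhub/authorizationrules/RootManageSharedAccessKey"

if __name__ == "__main__":
    method, url, body = rest_request(VAULT, "KeyVault-Diagnostics", ["AuditEvent"], ["AllMetrics"],
                                     workspace_id=WORKSPACE, storage_account_id=STORAGE,
                                     event_hub_rule_id=EH_RULE, event_hub_name="kv-audit")
    print(method, url)
    print(json.dumps(body, indent=2))
    print(shlex.join(az_command(VAULT, "KeyVault-Diagnostics", ["AuditEvent"], ["AllMetrics"],
                                workspace_id=WORKSPACE, storage_account_id=STORAGE, event_hub_rule_id=EH_RULE)))
```

Because both builders take the same inputs, a review can diff the generated REST body against the CLI arguments before anything is applied; the Activity log is still the exception noted in the PowerShell and CLI sections and needs the Resource Manager template route.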

Create using Azure Policy

Since a diagnostic setting needs to be created for each Azure resource, Azure Policy can be used to create a diagnostic setting automatically as each resource is created. See Deploy Azure Monitor at scale using Azure Policy for details.

Next steps