Archive Azure resource logs to storage account

Platform logs in Azure, including the Azure Activity log and resource logs, provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. This article describes how to collect platform logs into an Azure storage account in order to retain the data for archiving.

Prerequisites

You need to create an Azure storage account if you don't already have one. The storage account does not have to be in the same subscription as the resource sending logs, as long as the user who configures the setting has appropriate RBAC access to both subscriptions.

Important

To send the data to immutable storage, set the immutable policy for the storage account as described in Set and manage immutability policies for Blob storage. You must follow all steps in that article, including enabling protected append blob writes.

Important

Azure Data Lake Storage Gen2 accounts are not currently supported as a destination for diagnostic settings, even though they may be listed as a valid option in the Azure portal.

You should not use an existing storage account that has other, non-monitoring data stored in it, so that you can better control access to the log data. If you are archiving the Activity log and resource logs together, though, you may choose to use the same storage account to keep all monitoring data in a central location.

Create a diagnostic setting

Send platform logs to storage and other destinations by creating a diagnostic setting for an Azure resource. See Create diagnostic setting to collect logs and metrics in Azure for details.

Collect data from compute resources

Diagnostic settings collect resource logs for Azure compute resources just as for any other resource, but not logs from their guest operating system or workloads. To collect that data, install the Azure Diagnostics agent.

Schema of platform logs in storage account

Once you have created the diagnostic setting, a storage container is created in the storage account as soon as an event occurs in one of the enabled log categories. The blobs within the container use the following naming convention:

insights-logs-{log category name}/resourceId=/SUBSCRIPTIONS/{subscription ID}/RESOURCEGROUPS/{resource group name}/PROVIDERS/{resource provider name}/{resource type}/{resource name}/y={four-digit numeric year}/m={two-digit numeric month}/d={two-digit numeric day}/h={two-digit 24-hour clock hour}/m=00/PT1H.json

For example, the blob for a network security group might have a name similar to the following:

insights-logs-networksecuritygrouprulecounter/resourceId=/SUBSCRIPTIONS/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/RESOURCEGROUPS/TESTRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUP/TESTNSG/y=2016/m=08/d=22/h=18/m=00/PT1H.json

Each PT1H.json blob contains a JSON blob of events that occurred within the hour specified in the blob URL (for example, h=12). During the present hour, events are appended to the PT1H.json file as they occur. The minute value (m=00) is always 00, since resource log events are broken into individual blobs per hour.

Within the PT1H.json file, each event is stored with the following format. This uses a common top-level schema but is unique for each Azure service, as described in Resource logs schema and Activity log schema.

{
  "time": "2016-07-01T00:00:37.2040000Z",
  "systemId": "46cdbb41-cb9c-4f3d-a5b4-1d458d827ff1",
  "category": "NetworkSecurityGroupRuleCounter",
  "resourceId": "/SUBSCRIPTIONS/s1id1234-5679-0123-4567-890123456789/RESOURCEGROUPS/TESTRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TESTNSG",
  "operationName": "NetworkSecurityGroupCounters",
  "properties": {
    "vnetResourceGuid": "{12345678-9012-3456-7890-123456789012}",
    "subnetPrefix": "10.3.0.0/24",
    "macAddress": "000123456789",
    "ruleName": "/subscriptions/ s1id1234-5679-0123-4567-890123456789/resourceGroups/testresourcegroup/providers/Microsoft.Network/networkSecurityGroups/testnsg/securityRules/default-allow-rdp",
    "direction": "In",
    "type": "allow",
    "matchedConnections": 1988
  }
}
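The blob naming convention and the per-event schema above are what an archive consumer (an ingestion job, a forensic review script) has to parse. The following Python is an added example, not code from the page or from Microsoft: it parses a blob path into its components, parses the events in a PT1H.json blob, and cross-checks each event against the path it was found under (category, subscription, resource name, and the hour bucket). The sample path and event lines are constructed for the example, reusing the placeholder IDs shown on the page; the assumption that a PT1H.json blob holds one JSON event per line is the example's own, so adapt `load_blob_events` if your blobs are laid out differently.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Regex for the blob naming convention documented above:
# insights-logs-{category}/resourceId=/SUBSCRIPTIONS/{sub}/RESOURCEGROUPS/{rg}
#   /PROVIDERS/{provider}/{type}/{name}/y=YYYY/m=MM/d=DD/h=HH/m=00/PT1H.json
BLOB_PATH_RE = re.compile(
    r"^insights-logs-(?P<category>[^/]+)/resourceId=/SUBSCRIPTIONS/(?P<subscription>[^/]+)"
    r"/RESOURCEGROUPS/(?P<resource_group>[^/]+)/PROVIDERS/(?P<provider>[^/]+)"
    r"/(?P<resource_type>[^/]+)/(?P<resource_name>[^/]+)"
    r"/y=(?P<year>\d{4})/m=(?P<month>\d{2})/d=(?P<day>\d{2})/h=(?P<hour>\d{2})"
    r"/m=00/PT1H\.json$"
)

# Top-level fields every resource log event carries in the common schema.
REQUIRED_FIELDS = ("time", "category", "resourceId", "operationName", "properties")


def parse_blob_path(path):
    """Split a diagnostic-settings blob path into its components plus the UTC hour it covers."""
    match = BLOB_PATH_RE.match(path)
    if match is None:
        raise ValueError(f"blob path does not follow the naming convention: {path}")
    info = match.groupdict()
    info["hour_start"] = datetime(
        int(info.pop("year")), int(info.pop("month")), int(info.pop("day")),
        int(info.pop("hour")), tzinfo=timezone.utc,
    )
    return info


def parse_event_time(value):
    """Parse the 'time' field. Azure writes seven fractional digits (e.g. .2040000Z), which
    datetime.fromisoformat rejects on older Pythons, so only the second-resolution prefix is used."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z: {value}")
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_event(raw_line):
    """Decode one event and reject records missing the common top-level fields."""
    event = json.loads(raw_line)
    missing = [field for field in REQUIRED_FIELDS if field not in event]
    if missing:
        raise ValueError(f"event is missing required fields: {missing}")
    event["time"] = parse_event_time(event["time"])
    return event


def load_blob_events(blob_text):
    """Assumption of this example: the blob holds one JSON event per line (events are appended as they occur)."""
    return [parse_event(line) for line in blob_text.splitlines() if line.strip()]


def check_event_against_path(event, path_info):
    """Return a list of inconsistencies between an event and the blob path it was read from.
    An empty list means the event sits where the naming convention says it should."""
    problems = []
    if event["category"].lower() != path_info["category"].lower():
        problems.append(f"category {event['category']} does not match path {path_info['category']}")
    resource_id = event["resourceId"].upper()
    if f"/SUBSCRIPTIONS/{path_info['subscription'].upper()}/" not in resource_id:
        problems.append("subscription in resourceId does not match path")
    if not resource_id.endswith("/" + path_info["resource_name"].upper()):
        problems.append("resource name in resourceId does not match path")
    start = path_info["hour_start"]
    if not (start <= event["time"] < start + timedelta(hours=1)):
        problems.append(f"event time {event['time'].isoformat()} lies outside the blob's hour {start.isoformat()}")
    return problems


# Constructed sample data: the page's placeholder IDs, with the path chosen to match the first event.
SAMPLE_BLOB_PATH = (
    "insights-logs-networksecuritygrouprulecounter/resourceId=/SUBSCRIPTIONS/"
    "s1id1234-5679-0123-4567-890123456789/RESOURCEGROUPS/TESTRESOURCEGROUP/PROVIDERS/"
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TESTNSG/y=2016/m=07/d=01/h=00/m=00/PT1H.json"
)
_EVENT_TEMPLATE = (
    '{{"time": "{time}", "systemId": "46cdbb41-cb9c-4f3d-a5b4-1d458d827ff1", '
    '"category": "NetworkSecurityGroupRuleCounter", '
    '"resourceId": "/SUBSCRIPTIONS/s1id1234-5679-0123-4567-890123456789/RESOURCEGROUPS/'
    'TESTRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TESTNSG", '
    '"operationName": "NetworkSecurityGroupCounters", '
    '"properties": {{"subnetPrefix": "10.3.0.0/24", "ruleName": "default-allow-rdp", '
    '"direction": "In", "type": "allow", "matchedConnections": {count}}}}}'
)
# Second event is deliberately stamped in the following hour, so it should be flagged.
SAMPLE_BLOB_CONTENT = "\n".join([
    _EVENT_TEMPLATE.format(time="2016-07-01T00:00:37.2040000Z", count=1988),
    _EVENT_TEMPLATE.format(time="2016-07-01T01:15:00.0000000Z", count=7),
])

if __name__ == "__main__":
    info = parse_blob_path(SAMPLE_BLOB_PATH)
    for event in load_blob_events(SAMPLE_BLOB_CONTENT):
        problems = check_event_against_path(event, info)
        print(event["time"].isoformat(), "OK" if not problems else problems)
```

Running the script lists the first event as consistent with its path and flags the second for lying outside the blob's hour. The check is useful when validating an archive for gaps or tampering: an event whose category, resource or hour disagrees with the path it sits under is worth a closer look, and blobs that fail `parse_blob_path` were not written by a diagnostic setting at all.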

Next steps