Archive Azure resource logs to a storage account

Resource logs in Azure provide rich, frequent data about the internal operation of an Azure resource. This article describes how to collect resource logs into an Azure storage account so that the data is retained for archiving.

Prerequisites

You need an Azure storage account; create one if you don't already have one. The storage account does not have to be in the same subscription as the resource sending the logs, as long as the user who configures the diagnostic setting has the appropriate RBAC access to both subscriptions.

Do not reuse an existing storage account that holds other, non-monitoring data; a dedicated account lets you control access to the monitoring data independently of anything else stored there. If you also archive the Activity log to a storage account, you may use that same account so that all monitoring data stays in one central location.

Create a diagnostic setting

Resource logs are not collected by default. To collect them in an Azure storage account (and in any other destinations), create a diagnostic setting for the Azure resource. See Create diagnostic setting to collect logs and metrics in Azure for details.

Data retention

The retention policy defines the number of days to retain the data for each log category, and for metric data, stored in the storage account. A retention policy can be any number of days from 0 to 365. A retention policy of zero means that the events for that log category are stored indefinitely, not that they are deleted immediately.

Retention policies are applied per day: at the end of a day (UTC), the logs from the day that has now fallen outside the retention period are deleted. For example, with a retention policy of one day, at the beginning of today the logs from the day before yesterday are deleted. The delete process begins at midnight UTC, but it can take up to 24 hours for the logs to actually be removed from your storage account, so do not treat the retention period as a precise deletion deadline.

Schema of resource logs in a storage account

Once you have created the diagnostic setting, a storage container is created in the storage account as soon as an event occurs in one of the enabled log categories. The blobs within the container use the following naming convention:

insights-logs-{log category name}/resourceId=/SUBSCRIPTIONS/{subscription ID}/RESOURCEGROUPS/{resource group name}/PROVIDERS/{resource provider name}/{resource type}/{resource name}/y={four-digit numeric year}/m={two-digit numeric month}/d={two-digit numeric day}/h={two-digit 24-hour clock hour}/m=00/PT1H.json

For example, the blob for a network security group might have a name similar to the following:

insights-logs-networksecuritygrouprulecounter/resourceId=/SUBSCRIPTIONS/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/RESOURCEGROUPS/TESTRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUP/TESTNSG/y=2016/m=08/d=22/h=18/m=00/PT1H.json

Each PT1H.json blob contains the events that occurred within the hour specified in the blob URL (for example, h=12). During the current hour, events are appended to the PT1H.json file as they occur, so the blob for the hour in progress is incomplete until that hour ends. The minute value is always 00 (m=00), because resource log events are split into one blob per hour.

Within the PT1H.json file, each event is stored in the following format. Events share a common top-level schema, but the contents of properties are specific to each Azure service, as described in Resource logs schema.

{
  "time": "2016-07-01T00:00:37.2040000Z",
  "systemId": "46cdbb41-cb9c-4f3d-a5b4-1d458d827ff1",
  "category": "NetworkSecurityGroupRuleCounter",
  "resourceId": "/SUBSCRIPTIONS/s1id1234-5679-0123-4567-890123456789/RESOURCEGROUPS/TESTRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TESTNSG",
  "operationName": "NetworkSecurityGroupCounters",
  "properties": {
    "vnetResourceGuid": "{12345678-9012-3456-7890-123456789012}",
    "subnetPrefix": "10.3.0.0/24",
    "macAddress": "000123456789",
    "ruleName": "/subscriptions/s1id1234-5679-0123-4567-890123456789/resourceGroups/testresourcegroup/providers/Microsoft.Network/networkSecurityGroups/testnsg/securityRules/default-allow-rdp",
    "direction": "In",
    "type": "allow",
    "matchedConnections": 1988
  }
}

Note

Platform logs are written to blob storage as JSON lines: each event is one line, and a newline character marks the start of the next event. This format was implemented in November 2018. Before that date, logs were written to blob storage as a JSON array of records, as described in Prepare for format change to Azure Monitor platform logs archived to a storage account. Tooling that reads archived blobs must handle both layouts if the archive predates the change.
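The following Python is an added example, not code from the Azure documentation. It pulls together the three mechanics described above: it splits a blob name laid out by the naming convention into its log category, resource parts and UTC hour; it decodes a PT1H.json body in either the current JSON-lines layout or the pre-November-2018 JSON-array layout from the note, tolerating only a partial last line (the hour still being written); it applies the per-day retention rule, including the zero-means-indefinite case; and it sums matchedConnections per NSG rule as a small consumer of the sample record. The blob path, the events and the zero-filled subscription ID are constructed sample data shaped like the page's examples; the rule names are hypothetical.

```python
# Added example (not Azure documentation code): parse archived resource-log blobs.
# Sample paths/events below are constructed; the subscription ID is zero-filled.
import json
import re
from datetime import date, datetime, timezone

# insights-logs-{category}/resourceId=/SUBSCRIPTIONS/.../y=YYYY/m=MM/d=DD/h=HH/m=00/PT1H.json
BLOB_PATH_RE = re.compile(
    r"^insights-logs-(?P<category>[^/]+)/resourceId=(?P<resource_id>/SUBSCRIPTIONS/.+?)"
    r"/y=(?P<year>\d{4})/m=(?P<month>\d{2})/d=(?P<day>\d{2})/h=(?P<hour>\d{2})/m=00/PT1H\.json$"
)
RESOURCE_ID_RE = re.compile(
    r"^/SUBSCRIPTIONS/(?P<subscription>[^/]+)/RESOURCEGROUPS/(?P<resource_group>[^/]+)"
    r"/PROVIDERS/(?P<provider>[^/]+)/(?P<resource_type>.+)/(?P<resource_name>[^/]+)$"
)

def parse_blob_path(path: str) -> dict:
    """Split an archived blob name into log category, resource parts and UTC hour."""
    m = BLOB_PATH_RE.match(path)
    if m is None:
        raise ValueError(f"not an insights-logs blob path: {path}")
    rid = RESOURCE_ID_RE.match(m["resource_id"])
    if rid is None:
        raise ValueError(f"unexpected resourceId layout: {m['resource_id']}")
    # m=00 is fixed because events are split into one blob per hour
    hour_start = datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                          int(m["hour"]), tzinfo=timezone.utc)
    return {"category": m["category"], "resource_id": m["resource_id"],
            "hour_start": hour_start, **rid.groupdict()}

def parse_events(blob_text: str) -> list:
    """Decode a PT1H.json body: JSON lines (current) or a JSON array (pre-Nov 2018).

    The blob for the hour in progress is still being appended to, so only a
    partial *last* line is tolerated; a bad line anywhere else raises.
    """
    if blob_text.lstrip().startswith("["):
        return json.loads(blob_text)
    lines = [ln for ln in blob_text.splitlines() if ln.strip()]
    events = []
    for i, line in enumerate(lines):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            if i == len(lines) - 1:
                break
            raise
    return events

def is_past_retention(hour_start: datetime, retention_days: int, today: date) -> bool:
    """Per-day retention: a blob for day D is deletable once today - D exceeds
    retention_days (1-day policy: the day before yesterday goes at the start
    of today). Zero means keep indefinitely, not delete immediately."""
    if retention_days == 0:
        return False
    return (today - hour_start.date()).days > retention_days

def matched_connections_by_rule(events: list) -> dict:
    """Sum matchedConnections per (rule, direction, type) for NSG rule-counter events."""
    totals = {}
    for ev in events:
        if ev.get("category") != "NetworkSecurityGroupRuleCounter":
            continue
        p = ev["properties"]
        key = (p["ruleName"].rsplit("/", 1)[-1], p["direction"], p["type"])
        totals[key] = totals.get(key, 0) + int(p["matchedConnections"])
    return totals

_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_BLOB_PATH = (
    f"insights-logs-networksecuritygrouprulecounter/resourceId=/SUBSCRIPTIONS/{_SUB}"
    "/RESOURCEGROUPS/TESTRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUP"
    "/TESTNSG/y=2016/m=08/d=22/h=18/m=00/PT1H.json"
)

def _sample_event(rule: str, direction: str, kind: str, matched: int) -> dict:
    """Constructed rule-counter event shaped like the page's sample record."""
    return {
        "time": "2016-08-22T18:00:37.2040000Z",
        "category": "NetworkSecurityGroupRuleCounter",
        "resourceId": f"/SUBSCRIPTIONS/{_SUB}/RESOURCEGROUPS/TESTRESOURCEGROUP/PROVIDERS"
                      "/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TESTNSG",
        "operationName": "NetworkSecurityGroupCounters",
        "properties": {"subnetPrefix": "10.3.0.0/24",
                       "ruleName": f"/subscriptions/{_SUB}/resourceGroups/testresourcegroup"
                                   f"/providers/Microsoft.Network/networkSecurityGroups"
                                   f"/testnsg/securityRules/{rule}",
                       "direction": direction, "type": kind, "matchedConnections": matched},
    }

# JSON lines as written today, ending in a partial line of the hour in progress
SAMPLE_JSON_LINES = "\n".join([
    json.dumps(_sample_event("default-allow-rdp", "In", "allow", 1988)),
    json.dumps(_sample_event("default-allow-rdp", "In", "allow", 12)),
    json.dumps(_sample_event("DenyAllInBound", "In", "deny", 5)),
    '{"time": "2016-08-22T18:59:',
])
# Legacy layout: one JSON array of records
SAMPLE_LEGACY_ARRAY = json.dumps([_sample_event("default-allow-rdp", "In", "allow", 7)])
```

Two design choices matter for an archive consumer. parse_events refuses to skip a malformed line in the middle of a blob, because silently dropping records from a security log is worse than failing loudly; only the trailing partial line of an in-progress hour is tolerated. is_past_retention mirrors the per-day rule exactly as stated, so a reader can reconcile what it predicts against which blobs remain after the (up to 24 hour) deletion lag.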

Next steps