View activity logs to audit actions on resources

Through activity logs, you can determine:

  • what operations were taken on the resources in your subscription
  • who started the operation
  • when the operation occurred
  • the status of the operation
  • the values of other properties that might help you research the operation

The activity log contains all write operations (PUT, POST, DELETE) performed on your resources. It doesn't include read operations (GET). For a list of resource actions, see Azure Resource Manager Resource Provider operations. You can use the audit logs to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn't more than 90 days in the past.

You can retrieve information from the activity logs through the portal, PowerShell, Azure CLI, the Insights REST API, or the Insights .NET library.

The Azure portal

  1. To view the activity logs through the portal, select Monitor.

    Screenshot: Select Monitor

  2. Select Activity Log.

    Screenshot: Select Activity Log

  3. You see a summary of recent operations. A default set of filters is applied to the operations.

    Screenshot: View a summary of recent operations

  4. To quickly run a pre-defined set of filters, select Quick Insights and pick one of the options.

    Screenshot: Select a query

  5. To focus on specific operations, change the filters or apply new ones. For example, the following image shows a new value for Timespan, and Resource type set to storage accounts.

    Screenshot: Set filter options

  6. If you need to run the query again later, select Pin current filters.

    Screenshot: Pin filters

  7. Give the filter a name.

    Screenshot: Name the filter

  8. The filter is available in the dashboard.

    Screenshot: Filter shown on the dashboard

PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

  • To retrieve log entries, run the Get-AzLog command. You can provide additional parameters to filter the list of entries. If you don't specify a start and end time, entries for the last seven days are returned.

    Get-AzLog -ResourceGroup ExampleGroup

    The following example shows how to use the activity log to research operations taken during a specified time. The start and end dates are specified in a date format.

    Get-AzLog -ResourceGroup ExampleGroup -StartTime 2019-01-09T06:00 -EndTime 2019-01-15T06:00

    Or, you can use date functions to specify the date range, such as the last 14 days.

    Get-AzLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14)

  • You can look up the actions taken by a particular user, even for a resource group that no longer exists.

    Get-AzLog -ResourceGroup deletedgroup -StartTime (Get-Date).AddDays(-14) -Caller someone@contoso.com

  • You can filter for failed operations.

    Get-AzLog -ResourceGroup ExampleGroup -Status Failed

  • You can focus on one error by looking at the status message for that entry. The status message is itself a JSON string, so it is parsed with ConvertFrom-Json before the error object is selected.

    ((Get-AzLog -ResourceGroup ExampleGroup -Status Failed).Properties[0].Content.statusMessage | ConvertFrom-Json).error

  • You can select specific values to limit the data that is returned.

    Get-AzLog -ResourceGroupName ExampleGroup | Format-Table EventTimeStamp, Caller, @{n='Operation'; e={$_.OperationName.value}}, @{n='Status'; e={$_.Status.value}}, @{n='SubStatus'; e={$_.SubStatus.LocalizedValue}}

  • Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. You can filter the results for what you are looking for by providing search criteria. For example, you can filter by the type of operation.

    Get-AzLog -ResourceGroup ExampleGroup | Where-Object {$_.OperationName.value -eq "Microsoft.Resources/deployments/write"}
    

Azure CLI

  • To retrieve log entries, run the az monitor activity-log list command with an offset to indicate the time span.

    az monitor activity-log list --resource-group ExampleGroup --offset 7d

    The following example shows how to use the activity log to research operations taken during a specified time. The start and end dates are specified in a date format.

    az monitor activity-log list -g ExampleGroup --start-time 2019-01-01 --end-time 2019-01-15

  • You can look up the actions taken by a particular user, even for a resource group that no longer exists.

    az monitor activity-log list -g ExampleGroup --caller someone@contoso.com --offset 5d

  • You can filter for failed operations.

    az monitor activity-log list -g demoRG --status Failed --offset 1d

  • You can focus on one error by looking at the status message for that entry. The JMESPath expression is quoted so the shell does not treat the brackets as a glob pattern.

    az monitor activity-log list -g ExampleGroup --status Failed --offset 1d --query '[].properties.statusMessage'

  • You can select specific values to limit the data that is returned.

    az monitor activity-log list -g ExampleGroup --offset 1d --query '[].{Operation: operationName.value, Status: status.value, SubStatus: subStatus.localizedValue}'

  • Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. You can filter the results for what you are looking for by providing search criteria. For example, you can filter by the type of operation.

    az monitor activity-log list -g ExampleGroup --offset 1d --query "[?operationName.value=='Microsoft.Storage/storageAccounts/write']"
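
As an added example (not part of the Azure documentation, the Az module or the Azure CLI), the following Python reproduces the filters from the PowerShell and Azure CLI sections above over the JSON array that `az monitor activity-log list` prints, so the same triage can be run offline against a saved export: failed operations, one caller, one operation type, the error object nested inside properties.statusMessage, the column projection, and a check that a query start date lies inside the 90-day retention window. The three log records are constructed for the example, and the error code and message in the failed record are sample values, not output from a real tenant.

```python
"""Offline triage of Azure activity-log records (added example, not Azure's code).

Re-creates in Python the filters the page runs with Get-AzLog and
`az monitor activity-log list`. Input is the JSON array that the CLI prints
(same field names the page's --query expressions use). All records below
are constructed for the example.
"""
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # activity-log retention stated on the page


def _event(ts, caller, op, status, sub, status_message=None):
    """Build one record in the shape the az CLI emits (constructed data)."""
    props = {}
    if status_message is not None:
        # statusMessage is a JSON *string* nested inside the record, which is
        # why the page pipes it through ConvertFrom-Json before reading .error.
        props["statusMessage"] = json.dumps(status_message)
    return {
        "eventTimestamp": ts,
        "caller": caller,
        "operationName": {"value": op},
        "status": {"value": status},
        "subStatus": {"localizedValue": sub},
        "resourceGroupName": "ExampleGroup",
        "properties": props,
    }


# Constructed sample log: three write operations, one of them failed.
# The error code/message are sample values, not real tenant output.
SAMPLE_LOG = json.dumps([
    _event("2019-01-10T08:15:02+00:00", "someone@contoso.com",
           "Microsoft.Resources/deployments/write", "Succeeded", "OK"),
    _event("2019-01-11T09:20:44+00:00", "someone@contoso.com",
           "Microsoft.Storage/storageAccounts/write", "Failed", "Conflict",
           {"error": {"code": "StorageAccountAlreadyTaken",
                      "message": "The storage account named examplestor is already taken."}}),
    _event("2019-01-12T10:05:00+00:00", "svc-deploy@contoso.com",
           "Microsoft.Resources/deployments/write", "Succeeded", "OK"),
])


def load_events(text):
    """Parse the JSON array printed by `az monitor activity-log list`."""
    return json.loads(text)


def failed(events):
    """Equivalent of --status Failed / -Status Failed."""
    return [e for e in events if e.get("status", {}).get("value") == "Failed"]


def by_caller(events, caller):
    """Equivalent of --caller / -Caller (case-insensitive UPN match)."""
    return [e for e in events if (e.get("caller") or "").lower() == caller.lower()]


def by_operation(events, operation):
    """Equivalent of the page's operationName.value filter."""
    return [e for e in events if e.get("operationName", {}).get("value") == operation]


def error_details(event):
    """Return the .error object from properties.statusMessage, or None.

    Mirrors `(... .statusMessage | ConvertFrom-Json).error`, but tolerates
    records with no statusMessage and messages that are not JSON objects.
    """
    raw = event.get("properties", {}).get("statusMessage")
    if not raw:
        return None
    try:
        return json.loads(raw).get("error")
    except (ValueError, AttributeError):
        return None


def summarize(events):
    """Project the columns the page selects with Format-Table / --query."""
    return [{
        "Timestamp": e.get("eventTimestamp"),
        "Caller": e.get("caller"),
        "Operation": e.get("operationName", {}).get("value"),
        "Status": e.get("status", {}).get("value"),
        "SubStatus": e.get("subStatus", {}).get("localizedValue"),
    } for e in events]


def within_retention(start, now=None):
    """True if a query starting at `start` is inside the 90-day retention window."""
    now = now or datetime.now(timezone.utc)
    return now - start <= timedelta(days=RETENTION_DAYS)


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for row in summarize(failed(events)):
        print(row)
    print(error_details(failed(events)[0]))
```

To use it on real data, redirect the CLI's output to a file (for example `az monitor activity-log list -g ExampleGroup --offset 7d > log.json`) and pass the file's text to load_events; the field names match the CLI's JSON, which is the same structure the page's --query expressions address. Because the log holds write operations only, an empty result for a caller means no PUT/POST/DELETE was recorded for them in the window, not that they performed no reads.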
    

REST API

The REST operations for working with the activity log are part of the Insights REST API. To retrieve activity log events, see List the management events in a subscription.

Next steps