Azure Container Registry logs for diagnostic evaluation and auditing

This article explains how to collect log data for an Azure container registry using features of Azure Monitor. Azure Monitor collects resource logs (formerly called diagnostic logs) for user-driven events in your registry. Collect and consume this data to meet needs such as:

  • Audit registry authentication events to ensure security and compliance

  • Provide a complete activity trail on registry artifacts, such as pull and push events, so you can diagnose operational issues with your registry

Collecting resource log data using Azure Monitor may incur additional costs. See Azure Monitor pricing.

Repository events

The following repository-level events for images and other artifacts are currently logged:

  • Push
  • Pull
  • Untag
  • Delete (including repository delete events)
  • Purge tag and Purge manifest


Purge events are logged only if a registry retention policy is configured.

Registry resource logs

Resource logs contain information emitted by Azure resources that describe their internal operation. For an Azure container registry, the logs contain authentication and repository-level events stored in the following tables.

  • ContainerRegistryLoginEvents - Registry authentication events and status, including the incoming identity and IP address
  • ContainerRegistryRepositoryEvents - Operations such as push and pull for images and other artifacts in registry repositories
  • AzureMetrics - Container registry metrics such as aggregated push and pull counts

For operations, log data includes:

  • Success or failure status
  • Start and end time stamps

In addition to resource logs, Azure provides an activity log, a single subscription-level record of Azure management events such as the creation or deletion of a container registry.

Enable collection of resource logs

Collection of resource logs for a container registry isn't enabled by default. Explicitly enable diagnostic settings for each registry you want to monitor. For options to enable diagnostic settings, see Create diagnostic setting to collect platform logs and metrics in Azure.

For example, to view logs and metrics for a container registry in near real-time in Azure Monitor, collect the resource logs in a Log Analytics workspace. To enable this diagnostic setting using the Azure portal:

  1. If you don't already have a workspace, create a workspace using the Azure portal. To minimize latency in data collection, ensure that the workspace is in the same region as your container registry.
  2. In the portal, select the registry, and select Monitoring > Diagnostic settings > Add diagnostic setting.
  3. Enter a name for the setting, and select Send to Log Analytics.
  4. Select the workspace for the registry diagnostic logs.
  5. Select the log data you want to collect, and click Save.

The following image shows creation of a diagnostic setting for a registry using the portal.



Collect only the data that you need, balancing cost and your monitoring needs. For example, if you only need to audit authentication events, select only the ContainerRegistryLoginEvents log.

View data in Azure Monitor

After you enable collection of diagnostic logs in Log Analytics, it can take a few minutes for data to appear in Azure Monitor. To view the data in the portal, select the registry, and select Monitoring > Logs. Select one of the tables that contains data for the registry.

Run queries to view the data. Several sample queries are provided, or run your own. For example, the following query retrieves the most recent 24 hours of data from the ContainerRegistryRepositoryEvents table:

ContainerRegistryRepositoryEvents
| where TimeGenerated > ago(1d)

The following image shows sample output:


For a tutorial on using Log Analytics in the Azure portal, see Get started with Azure Monitor Log Analytics, or try the Log Analytics Demo environment.

For more information on log queries, see Overview of log queries in Azure Monitor.

Query examples

Error events from the last hour

union Event, Syslog // Event table stores Windows event records, Syslog stores Linux records
| where TimeGenerated > ago(1h)
| where EventLevelName == "Error" // EventLevelName is used in the Event (Windows) records
    or SeverityLevel== "err" // SeverityLevel is used in Syslog (Linux) records

100 most recent registry events

ContainerRegistryRepositoryEvents
| union ContainerRegistryLoginEvents
| top 100 by TimeGenerated
| project TimeGenerated, LoginServer, OperationName, Identity, Repository, DurationMs, Region, ResultType

Identity of user or object that deleted repository

ContainerRegistryRepositoryEvents
| where OperationName contains "Delete"
| project LoginServer, OperationName, Repository, Identity, CallerIpAddress

Identity of user or object that deleted tag

ContainerRegistryRepositoryEvents
| where OperationName contains "Untag"
| project LoginServer, OperationName, Repository, Tag, Identity, CallerIpAddress
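
For audit reviews, the delete and untag queries above can be combined into one summary per identity. This is an added example, not part of the original article; the 7-day window and the MultipleIps flag are assumptions, and it uses only columns that appear in the queries above.

```kusto
// Added example: who deleted or untagged artifacts in the last 7 days (assumed window).
ContainerRegistryRepositoryEvents
| where TimeGenerated > ago(7d)
| where OperationName contains "Delete" or OperationName contains "Untag"
| summarize Operations   = count(),
            Repositories = make_set(Repository),
            Tags         = make_set(Tag),
            SourceIps    = make_set(CallerIpAddress),
            FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated)
        by LoginServer, Identity, OperationName
// Assumed review hint: one identity performing destructive operations from several addresses.
| extend MultipleIps = array_length(SourceIps) > 1
| order by Operations desc
```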

Repository-level operation failures

ContainerRegistryRepositoryEvents
| where ResultDescription contains "40"
| project TimeGenerated, OperationName, Repository, Tag, ResultDescription

Registry authentication failures

ContainerRegistryLoginEvents
| where ResultDescription != "200"
| project TimeGenerated, Identity, CallerIpAddress, ResultDescription
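
To turn the authentication-failure query into an audit check, the failures can be grouped by source address and compared with later successful logins from the same address. This is an added example, not part of the original article; the one-day window and the threshold of 10 are assumptions to tune, and it treats a ResultDescription of "200" as success, as the query above does.

```kusto
// Added example: source addresses with repeated login failures, and whether a
// successful login followed from the same address.
let window = 1d;        // assumed look-back period
let threshold = 10;     // assumed minimum failure count; tune to your baseline
ContainerRegistryLoginEvents
| where TimeGenerated > ago(window)
| summarize Failures     = countif(ResultDescription != "200"),
            Successes    = countif(ResultDescription == "200"),
            FirstFailure = minif(TimeGenerated, ResultDescription != "200"),
            LastSuccess  = maxif(TimeGenerated, ResultDescription == "200"),
            Identities   = make_set(Identity),
            Results      = make_set(ResultDescription)
        by LoginServer, CallerIpAddress
| where Failures >= threshold
// True when at least one success was recorded after the first failure in the window.
| extend SucceededAfterFailures = Successes > 0 and LastSuccess > FirstFailure
| order by SucceededAfterFailures desc, Failures desc
```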

Additional log destinations

In addition to sending the logs to Log Analytics, or as an alternative, a common scenario is to select an Azure Storage account as a log destination. To archive logs in Azure Storage, create a storage account before enabling archiving through the diagnostic settings.

You can also stream diagnostic log events to an Azure Event Hub. Event Hubs can ingest millions of events per second, which you can then transform and store using any real-time analytics provider.

Next steps