
Overview of Azure Activity log

The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as Audit Logs or Operational Logs, since the Administrative category reports control-plane events for your subscriptions.

Use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties.

The Activity Log does not include read (GET) operations or operations for resources that use the Classic/RDFE model.

Comparison to resource logs

There is a single Activity Log for each Azure subscription. It provides data about the operations on a resource from the outside (the "control plane"). Resource Logs are emitted by a resource and provide information about the operation of that resource (the "data plane"). You must create a diagnostic setting for each resource to collect resource logs.

(Figure: Activity Log compared to resource logs)

Note

The Azure Activity Log is primarily for activities that occur in Azure Resource Manager. It does not track resources using the Classic/RDFE model. Some Classic resource types have a proxy resource provider in Azure Resource Manager (for example, Microsoft.ClassicCompute). If you interact with a Classic resource type through Azure Resource Manager using these proxy resource providers, the operations appear in the Activity Log. If you interact with a Classic resource type outside of the Azure Resource Manager proxies, your actions are only recorded in the Operation Log. The Operation Log can be browsed in a separate section of the portal.

Activity Log retention

Once created, Activity Log entries are not modified or deleted by the system. Also, you can't change them in the interface or programmatically. Activity Log events are stored for 90 days. To store this data for longer periods, collect it in Azure Monitor or export it to storage or Event Hubs.

View the Activity Log

View the Activity Log for all resources from the Monitor menu in the Azure portal. View the Activity Log for a particular resource from the Activity Log option in that resource's menu. You can also retrieve Activity Log records with PowerShell, CLI, or REST API. See View and retrieve Azure Activity log events.

(Figure: View the Activity Log)

Collect Activity Log in Azure Monitor

Collect the Activity Log into a Log Analytics workspace in Azure Monitor to analyze it with other monitoring data and to retain the data for longer than 90 days. See Collect and analyze Azure activity logs in Log Analytics workspace in Azure Monitor.

(Figure: Query the Activity Log)

Export Activity Log

Export the Activity Log to Azure Storage for archiving, or stream it to an Event Hub for ingestion by a third-party service or custom analytics solution. See Export the Azure Activity Log. You can also analyze Activity Log events in Power BI using the Power BI content pack.

Alert on Activity Log

You can create an alert when particular events are created in the Activity Log with an Activity Log alert. You can also create an alert using a log query when your Activity Log is connected to a Log Analytics workspace, but there is a cost to log query alerts. There is no cost for Activity Log alerts.

Categories in the Activity Log

Each event in the Activity Log has a particular category, described in the following table. For full details on the schemata of these categories, see Azure Activity Log event schema.

Category: Administrative
    Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.

    Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and the success or failure of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.

Category: Service Health
    Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in East US is experiencing downtime."

    Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.

Category: Resource Health
    Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable."

    Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as being Platform Initiated or User Initiated.

Category: Alert
    Contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes."

Category: Autoscale
    Contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed."

Category: Recommendation
    Contains recommendation events from Azure Advisor.

Category: Security
    Contains the record of any alerts generated by Azure Security Center. An example of a Security event is "Suspicious double extension file executed."

Category: Policy
    Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.
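The category table above and the note that every Administrative write is recorded as a Started record plus a Succeeded or Failed record are the two things a defender relies on when triaging an exported Activity Log batch. The following script is an added example (not Azure's own code and not part of the original page) that counts events per category, pairs each Administrative write operation with its completion record by correlationId, and lists successful role-based access control changes. The event field names (category, operationName, status, caller, correlationId, resourceId, eventTimestamp, each nested value field where the schema nests it) are assumptions based on the Activity Log event schema reference; the events themselves are constructed samples with placeholder subscription and role-assignment ids.

```python
"""Triage a batch of Azure Activity Log events (constructed samples).

Added example, not Azure's own code. Field names follow the documented
Activity Log event schema as an assumption; verify them against the
"Azure Activity Log event schema" reference before using this on real exports.
"""
from collections import Counter, defaultdict

# Control-plane write operations (PUT/POST/DELETE) end in one of these suffixes.
WRITE_SUFFIXES = ("/write", "/delete", "/action")
# Role assignment and role definition changes share this operation prefix.
RBAC_PREFIX = "Microsoft.Authorization/role"


def _val(event, field):
    """Return the .value of a nested {value, localizedValue} field, or ''."""
    return (event.get(field) or {}).get("value", "")


def is_write_operation(operation_name):
    """True for write/delete/action operations; read (GET) operations are not logged anyway."""
    return operation_name.lower().endswith(WRITE_SUFFIXES)


def count_by_category(events):
    """Number of events per Activity Log category (Administrative, ServiceHealth, ...)."""
    return Counter(_val(e, "category") for e in events)


def pair_administrative_operations(events):
    """Pair the Started record of each Administrative write with its Succeeded/Failed record.

    Records that share a correlationId belong to one operation. Returns
    correlationId -> {operation, caller, resourceId, outcome}; outcome is
    'Incomplete' when only a Started record is present in the batch.
    """
    by_corr = defaultdict(list)
    for e in events:
        if _val(e, "category") == "Administrative" and is_write_operation(_val(e, "operationName")):
            by_corr[e.get("correlationId")].append(e)

    result = {}
    for corr, recs in by_corr.items():
        recs.sort(key=lambda r: r.get("eventTimestamp", ""))
        statuses = {_val(r, "status") for r in recs}
        outcome = "Failed" if "Failed" in statuses else "Succeeded" if "Succeeded" in statuses else "Incomplete"
        first = recs[0]
        result[corr] = {"operation": _val(first, "operationName"), "caller": first.get("caller"),
                        "resourceId": first.get("resourceId"), "outcome": outcome}
    return result


def rbac_changes(events):
    """Successful Administrative records that changed role-based access control."""
    return [e for e in events
            if _val(e, "category") == "Administrative"
            and _val(e, "operationName").startswith(RBAC_PREFIX)
            and _val(e, "status") == "Succeeded"]


def _event(category, operation, status, ts, caller, corr, resource_id):
    """Build one constructed sample event in the assumed schema shape."""
    return {"category": {"value": category}, "operationName": {"value": operation},
            "status": {"value": status}, "eventTimestamp": ts, "caller": caller,
            "correlationId": corr, "resourceId": resource_id}


# Constructed sample batch; ids are placeholders, not real Azure identifiers.
SUB = "/subscriptions/<subscription-id-placeholder>"
VM = SUB + "/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
NSG = SUB + "/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1"
ROLE = SUB + "/providers/Microsoft.Authorization/roleAssignments/<guid-placeholder>"
STG = SUB + "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stg1"
SAMPLE_EVENTS = [
    _event("Administrative", "Microsoft.Compute/virtualMachines/write", "Started", "2024-01-15T10:00:00Z", "alice@example.com", "c-1", VM),
    _event("Administrative", "Microsoft.Compute/virtualMachines/write", "Succeeded", "2024-01-15T10:00:30Z", "alice@example.com", "c-1", VM),
    _event("Administrative", "Microsoft.Network/networkSecurityGroups/delete", "Started", "2024-01-15T10:05:00Z", "bob@example.com", "c-2", NSG),
    _event("Administrative", "Microsoft.Network/networkSecurityGroups/delete", "Failed", "2024-01-15T10:05:02Z", "bob@example.com", "c-2", NSG),
    _event("Administrative", "Microsoft.Authorization/roleAssignments/write", "Started", "2024-01-15T10:10:00Z", "deploy-sp", "c-3", ROLE),
    _event("Administrative", "Microsoft.Authorization/roleAssignments/write", "Succeeded", "2024-01-15T10:10:01Z", "deploy-sp", "c-3", ROLE),
    _event("Administrative", "Microsoft.Storage/storageAccounts/write", "Started", "2024-01-15T10:20:00Z", "carol@example.com", "c-4", STG),
    _event("ServiceHealth", "Microsoft.ServiceHealth/incident/action", "Active", "2024-01-15T10:25:00Z", "", "c-5", SUB),
    _event("Security", "Microsoft.Security/locations/alerts/activate/action", "Active", "2024-01-15T10:30:00Z", "", "c-6", SUB),
]

if __name__ == "__main__":
    print("events per category:", dict(count_by_category(SAMPLE_EVENTS)))
    for corr, op in pair_administrative_operations(SAMPLE_EVENTS).items():
        print(f"{corr}: {op['outcome']:<10} {op['operation']} by {op['caller']}")
    for e in rbac_changes(SAMPLE_EVENTS):
        print("RBAC change:", e["caller"], "->", e["resourceId"])
```

Pairing by correlationId is what lets you distinguish a failed delete (both records present, one Failed) from an operation whose completion record simply fell outside the exported window (Started only), so alerting on "Failed" rather than on "not Succeeded" avoids noise at batch boundaries. The RBAC filter keys off the Microsoft.Authorization/role operation prefix, which is the operation family the page says the Administrative category records.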

Next Steps