
Collect Azure diagnostic logs from Azure Storage

Azure Monitor can read logs from the following services, which write diagnostics to table storage or IIS logs to blob storage:

  • Service Fabric clusters (Preview)
  • Virtual Machines
  • Web/Worker Roles

Before Azure Monitor can collect data into a Log Analytics workspace for these resources, Azure diagnostics must be enabled.

Once diagnostics are enabled, you can use the Azure portal or PowerShell to configure the workspace to collect the logs.

Azure Diagnostics is an Azure extension that enables you to collect diagnostic data from a worker role, web role, or virtual machine running in Azure. The data is stored in an Azure storage account and can then be collected by Azure Monitor.

For Azure Monitor to collect these Azure Diagnostics logs, the logs must be in the following locations:

| Log Type | Resource Type | Location |
| --- | --- | --- |
| IIS logs | Virtual Machines, Web roles, Worker roles | wad-iis-logfiles (Blob Storage) |
| Syslog | Virtual Machines | LinuxsyslogVer2v0 (Table Storage) |
| Service Fabric Operational Events | Service Fabric nodes | WADServiceFabricSystemEventTable |
| Service Fabric Reliable Actor Events | Service Fabric nodes | WADServiceFabricReliableActorEventTable |
| Service Fabric Reliable Service Events | Service Fabric nodes | WADServiceFabricReliableServiceEventTable |
| Windows Event logs | Service Fabric nodes, Virtual Machines, Web roles, Worker roles | WADWindowsEventLogsTable (Table Storage) |
| Windows ETW logs | Service Fabric nodes, Virtual Machines, Web roles, Worker roles | WADETWEventTable (Table Storage) |

Note

IIS logs from Azure Websites are not currently supported.

For virtual machines, you have the option of installing the Log Analytics agent into your virtual machine to enable additional insights. In addition to being able to analyze IIS logs and Event Logs, you can perform additional analysis including configuration change tracking, SQL assessment, and update assessment.

Enable Azure diagnostics in a virtual machine for event log and IIS log collection

Use the following procedure to enable Azure diagnostics in a virtual machine for Event Log and IIS log collection using the Microsoft Azure portal.

To enable Azure diagnostics in a virtual machine with the Azure portal

  1. Install the VM Agent when you create a virtual machine. If the virtual machine already exists, verify that the VM Agent is already installed.

    • In the Azure portal, navigate to the virtual machine, select Optional Configuration, then Diagnostics, and set Status to On.

      Upon completion, the VM has the Azure Diagnostics extension installed and running. This extension is responsible for collecting your diagnostics data.

  2. Enable monitoring and configure event logging on an existing VM. You can enable diagnostics at the VM level. To enable diagnostics and then configure event logging, perform the following steps:

    1. Select the VM.
    2. Click Monitoring.
    3. Click Diagnostics.
    4. Set the Status to ON.
    5. Select each diagnostics log that you want to collect.
    6. Click OK.

Enable Azure diagnostics in a Web role for IIS log and event collection

Refer to How To Enable Diagnostics in a Cloud Service for general steps on enabling Azure diagnostics. The instructions below use this information and customize it for use with Log Analytics.

With Azure diagnostics enabled:

  • IIS logs are stored by default, with log data transferred at the scheduledTransferPeriod transfer interval.
  • Windows Event Logs are not transferred by default.

To enable diagnostics

To enable Windows Event Logs, or to change the scheduledTransferPeriod, configure Azure Diagnostics using the XML configuration file (diagnostics.wadcfg), as shown in Step 4: Create your Diagnostics configuration file and install the extension.

The following example configuration file collects IIS Logs and all Events from the Application and System logs:

    <?xml version="1.0" encoding="utf-8" ?>
    <DiagnosticMonitorConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration"
          configurationChangePollInterval="PT1M"
          overallQuotaInMB="4096">

      <Directories bufferQuotaInMB="0"
         scheduledTransferPeriod="PT10M">  
        <!-- IISLogs are only relevant to Web roles. Azure Monitor reads IIS logs from the wad-iis-logfiles container. -->
        <IISLogs container="wad-iis-logfiles" directoryQuotaInMB="0" />
      </Directories>

      <WindowsEventLog bufferQuotaInMB="0"
         scheduledTransferLogLevelFilter="Verbose"
         scheduledTransferPeriod="PT10M">
        <DataSource name="Application!*" />
        <DataSource name="System!*" />
      </WindowsEventLog>

    </DiagnosticMonitorConfiguration>

Ensure that your ConfigurationSettings specifies a storage account, as in the following example:

    <ConfigurationSettings>
       <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="DefaultEndpointsProtocol=https;AccountName=<AccountName>;AccountKey=<AccountKey>"/>
    </ConfigurationSettings>

The AccountName and AccountKey values are found in the Azure portal in the storage account dashboard, under Manage Access Keys. The protocol for the connection string must be https.

Once the updated diagnostic configuration is applied to your cloud service and it is writing diagnostics to Azure Storage, you are ready to configure the Log Analytics workspace.
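A pre-deployment check for the settings this section depends on, as an added example that is not part of the original article or of Microsoft's tooling: it parses a diagnostics.wadcfg and the diagnostics connection string and reports the conditions under which Azure Monitor would have nothing to collect. The function name `lint_wad_config` and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration"}
IIS_CONTAINER = "wad-iis-logfiles"  # blob container Azure Monitor reads IIS logs from

def lint_wad_config(wadcfg_xml, connection_string):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(wadcfg_xml)

    # IIS logs written to any other container are not in the required location.
    iis = root.find("d:Directories/d:IISLogs", NS)
    if iis is not None and iis.get("container") != IIS_CONTAINER:
        findings.append(f"IISLogs container is {iis.get('container')!r}, expected {IIS_CONTAINER!r}")

    # Windows Event Logs are not transferred unless a DataSource is listed.
    events = root.find("d:WindowsEventLog", NS)
    if events is None or not events.findall("d:DataSource", NS):
        findings.append("no WindowsEventLog DataSource: event logs will not be transferred")
    elif not events.get("scheduledTransferPeriod"):
        findings.append("WindowsEventLog has no scheduledTransferPeriod")

    # The connection string is a ';'-separated list of key=value pairs;
    # split on the first '=' only, because account keys end in '=' padding.
    parts = dict(p.split("=", 1) for p in connection_string.split(";") if "=" in p)
    if parts.get("DefaultEndpointsProtocol", "").lower() != "https":
        findings.append("connection string protocol must be https")
    for key in ("AccountName", "AccountKey"):
        if not parts.get(key) or parts[key].startswith("<"):
            findings.append(f"{key} is missing or still a placeholder")
    return findings

# Constructed sample input: wrong container, no event sources, http endpoint,
# and an AccountKey placeholder that was never filled in.
SAMPLE_CFG = """<DiagnosticMonitorConfiguration
    xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
  <Directories scheduledTransferPeriod="PT10M">
    <IISLogs container="wad-iis" directoryQuotaInMB="0" />
  </Directories>
</DiagnosticMonitorConfiguration>"""
SAMPLE_CONN = "DefaultEndpointsProtocol=http;AccountName=examplediag;AccountKey=<AccountKey>"

if __name__ == "__main__":
    for finding in lint_wad_config(SAMPLE_CFG, SAMPLE_CONN):
        print("FINDING:", finding)
```

Running the check before deployment is useful because the portal does not validate that the source exists in the storage account or that new data is being written.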

Use the Azure portal to collect logs from Azure Storage

You can use the Azure portal to configure a Log Analytics workspace in Azure Monitor to collect the logs for the following Azure services:

  • Service Fabric clusters
  • Virtual Machines
  • Web/Worker Roles

In the Azure portal, navigate to your Log Analytics workspace and perform the following tasks:

  1. Click Storage accounts logs
  2. Click the Add task
  3. Select the Storage account that contains the diagnostics logs
    • This account can be either a classic storage account or an Azure Resource Manager storage account
  4. Select the Data Type you want to collect logs for
    • The choices are IIS Logs; Events; Syslog (Linux); ETW Logs; Service Fabric Events
  5. The value for Source is automatically populated based on the data type and cannot be changed
  6. Click OK to save the configuration

Repeat steps 2-6 for additional storage accounts and data types that you want to collect into the workspace.

After approximately 30 minutes, data from the storage account appears in the Log Analytics workspace. You see only data that is written to storage after the configuration is applied. The workspace does not read the pre-existing data from the storage account.

Note

The portal does not validate that the Source exists in the storage account or if new data is being written.

Enable Azure diagnostics in a virtual machine for event log and IIS log collection using PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

To use PowerShell to read Azure diagnostics that are written to table storage, follow the steps in Configuring Azure Monitor to index Azure diagnostics.

Using Azure PowerShell you can more precisely specify the events that are written to Azure Storage. For more information, see Enabling Diagnostics in Azure Virtual Machines.

You can enable and update Azure diagnostics using the following PowerShell script. You can also use this script with a custom logging configuration. Modify the script to set the storage account, service name, and virtual machine name. The script uses cmdlets for classic virtual machines.

Review the following script sample, copy it, modify it as needed, save the sample as a PowerShell script file, and then run the script.

    #Connect to Azure
    Add-AzureAccount

    # settings to change:
    $wad_storage_account_name = "myStorageAccount"
    $service_name = "myService"
    $vm_name = "myVM"

    #Construct Azure Diagnostics public config and convert to config format

    # Collect all events from the System log (the System!* query applies no level filter):
    $wad_xml_config = "<WadCfg><DiagnosticMonitorConfiguration><WindowsEventLog scheduledTransferPeriod=""PT1M""><DataSource name=""System!*"" /></WindowsEventLog></DiagnosticMonitorConfiguration></WadCfg>"

    $wad_b64_config = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($wad_xml_config))
    $wad_public_config = [string]::Format("{{""xmlCfg"":""{0}""}}",$wad_b64_config)

    #Construct Azure diagnostics private config

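    # Classic (Service Management) cmdlet, matching the other Azure* cmdlets in this script
    $wad_storage_account_key = (Get-AzureStorageKey -StorageAccountName $wad_storage_account_name).Primary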
    $wad_private_config = [string]::Format("{{""storageAccountName"":""{0}"",""storageAccountKey"":""{1}""}}",$wad_storage_account_name,$wad_storage_account_key)

    #Enable Diagnostics Extension for Virtual Machine

    $wad_extension_name = "IaaSDiagnostics"
    $wad_publisher = "Microsoft.Azure.Diagnostics"
    $wad_version = (Get-AzureVMAvailableExtension -Publisher $wad_publisher -ExtensionName $wad_extension_name).Version # Gets latest version of the extension

    (Get-AzureVM -ServiceName $service_name -Name $vm_name) | Set-AzureVMExtension -ExtensionName $wad_extension_name -Publisher $wad_publisher -PublicConfiguration $wad_public_config -PrivateConfiguration $wad_private_config -Version $wad_version | Update-AzureVM
