Logs in Azure Monitor

Note

All data collected by Azure Monitor fits into one of two fundamental types, Metrics and Logs. This article describes Logs. Refer to Metrics in Azure Monitor for a detailed description of metrics and to Monitoring data collected by Azure Monitor for a comparison of the two.

Logs in Azure Monitor are especially useful for performing complex analysis across data from a variety of sources. This article describes how Logs are structured in Azure Monitor and what you can do with the data, and identifies the different data sources that store data in Logs.

Note

It's important to distinguish between Azure Monitor Logs and sources of log data in Azure. For example, subscription level events in Azure are written to an activity log that you can view from the Azure Monitor menu. Most resources will write operational information to a diagnostic log that you can forward to different locations. Azure Monitor Logs is a log data platform that collects activity logs and diagnostic logs along with other monitoring data to provide deep analysis across your entire set of resources.

What are Azure Monitor Logs?

Logs in Azure Monitor contain different kinds of data organized into records with different sets of properties for each type. Logs can contain numeric values like Azure Monitor Metrics but typically contain text data with detailed descriptions. They further differ from metric data in that they vary in their structure and are often not collected at regular intervals. Telemetry such as events and traces is stored in Azure Monitor Logs in addition to performance data so that it can all be combined for analysis.

A common type of log entry is an event, which is collected sporadically. Events are created by an application or service and typically include enough information to provide complete context on their own. For example, an event can indicate that a particular resource was created or modified, a new host started in response to increased traffic, or an error was detected in an application.

Because the format of the data can vary, applications can create custom logs by using the structure that they need. Metric data can even be stored in Logs to combine them with other monitoring data for trending and other data analysis.

What can you do with Azure Monitor Logs?

The following table lists the different ways that you can use Logs in Azure Monitor.

Analyze   | Use Log Analytics in the Azure portal to write log queries and interactively analyze log data using the powerful Data Explorer analysis engine.
          | Use the Application Insights analytics console in the Azure portal to write log queries and interactively analyze log data from Application Insights.
Visualize | Pin query results rendered as tables or charts to an Azure dashboard.
          | Create a workbook to combine multiple sets of data in an interactive report.
          | Export the results of a query to Power BI to use different visualizations and share with users outside of Azure.
          | Export the results of a query to Grafana to leverage its dashboarding and combine with other data sources.
Alert     | Configure a log alert rule that sends a notification or takes automated action when the results of the query match a particular result.
          | Configure a metric alert rule on certain log data extracted as metrics.
Retrieve  | Access log query results from a command line using Azure CLI.
          | Access log query results from a command line using PowerShell cmdlets.
          | Access log query results from a custom application using REST API.
Export    | Build a workflow to retrieve log data and copy it to an external location using Logic Apps.

How is data in Azure Monitor Logs structured?

Data collected by Azure Monitor Logs is stored in a Log Analytics workspace. Each workspace contains multiple tables that each store data from a particular source. While all tables share some common properties, each has a unique set of properties depending on the kind of data it stores. A new workspace will have a standard set of tables, and more tables will be added by different monitoring solutions and other services that write to the workspace.

Log data from Application Insights uses the same Log Analytics engine as workspaces, but it's stored separately for each monitored application. Each application has a standard set of tables to hold data such as application requests, exceptions, and page views.

Log queries will either use data from a Log Analytics workspace or an Application Insights application. You can use a cross-resource query to analyze application data together with other log data or to create queries including multiple workspaces or applications.

[Image: Workspaces]

Log queries

Data in Azure Monitor Logs is retrieved using a log query written with the Kusto query language, which allows you to quickly retrieve, consolidate, and analyze collected data. Use Log Analytics to write and test log queries in the Azure portal. It allows you to work with results interactively or pin them to a dashboard to view them with other visualizations.

[Image: Log Analytics]

Open Log Analytics from Application Insights to analyze Application Insights data.

[Image: Application Insights Analytics]

You can also retrieve log data by using the Log Analytics API and the Application Insights REST API.

Sources of Azure Monitor Logs

Azure Monitor can collect log data from a variety of sources both within Azure and from on-premises resources. The following tables list the different data sources available from different resources that write data to Azure Monitor Logs. Each has a link to details on any required configuration.

Azure tenant and subscription

Data | Description
Azure Active Directory audit logs | Configured through Diagnostic settings for each directory. See Integrate Azure AD logs with Azure Monitor logs.
Activity logs | Stored separately by default and can be used for near real time alerts. Install the Activity log Analytics solution to write to a Log Analytics workspace. See Collect and analyze Azure activity logs in Log Analytics.

Azure resources

Data | Description
Resource diagnostics | Configure Diagnostic settings to write diagnostic data, including metrics, to a Log Analytics workspace. See Stream Azure Diagnostic Logs to Log Analytics.
Monitoring solutions | Monitoring solutions write data they collect to their Log Analytics workspace. See Data collection details for management solutions in Azure for a list of solutions. See Monitoring solutions in Azure Monitor for details on installing and using solutions.
Metrics | Send platform metrics for Azure Monitor resources to a Log Analytics workspace to retain log data for longer periods and to perform complex analysis with other data types using the Kusto query language. See Stream Azure Diagnostic Logs to Log Analytics.
Azure table storage | Collect data from Azure storage where some Azure resources write monitoring data. See Use Azure blob storage for IIS and Azure table storage for events with Log Analytics.

Virtual Machines

Data | Description
Agent data sources | Data sources collected from Windows and Linux agents include events, performance data, and custom logs. See Agent data sources in Azure Monitor for a list of data sources and details on configuration.
Monitoring solutions | Monitoring solutions write data they collect from agents to their Log Analytics workspace. See Data collection details for management solutions in Azure for a list of solutions. See Monitoring solutions in Azure Monitor for details on installing and using solutions.
System Center Operations Manager | Connect Operations Manager management group to Azure Monitor to collect event and performance data from on-premises agents into logs. See Connect Operations Manager to Log Analytics for details on this configuration.

Applications

Data | Description
Requests and exceptions | Detailed data about application requests and exceptions are in the requests, pageViews, and exceptions tables. Calls to external components are in the dependencies table.
Usage and performance | Performance for the application is available in the requests, browserTimings and performanceCounters tables. Data for custom metrics is in the customMetrics table.
Trace data | Results from distributed tracing are stored in the traces table.
Availability tests | Summary data from availability tests is stored in the availabilityResults table. Detailed data from these tests are in separate storage and accessed from Application Insights in the Azure portal.

Insights

Data | Description
Azure Monitor for containers | Inventory and performance data collected by Azure Monitor for containers. See Container data-collection details for a list of the tables.
Azure Monitor for VMs | Map and performance data collected by Azure Monitor for VMs. See How to query logs from Azure Monitor for VMs for details on querying this data.

Custom

Data | Description
REST API | Write data to a Log Analytics workspace from any REST client. See Send log data to Azure Monitor with the HTTP Data Collector API for details.
Logic App | Write any data to a Log Analytics workspace from a Logic App workflow with the Azure Log Analytics Data Collector action.
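
The REST API row above, as an added example (not code from the original page): building the signed POST that the HTTP Data Collector API expects, with an HMAC-SHA256 signature computed from the workspace shared key. The workspace ID, key, `AppAudit` log type and record are constructed placeholders, and the request is built but not sent.

```python
import base64
import hashlib
import hmac
import json
import re
from email.utils import formatdate

# Constructed placeholders: not a real workspace, key or event.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-example-key").decode()
SAMPLE = [{"Computer": "web01", "Action": "login_failed", "User": "alice"}]


def sign(workspace_id, shared_key_b64, body, rfc1123_date):
    """Return the SharedKey Authorization value for one POST body."""
    string_to_sign = "\n".join([
        "POST",
        str(len(body)),               # byte length of the exact body sent
        "application/json",
        "x-ms-date:" + rfc1123_date,  # the date header is covered by the HMAC
        "/api/logs",
    ])
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256)
    sig = base64.b64encode(mac.digest()).decode()
    return "SharedKey {}:{}".format(workspace_id, sig)


def build_request(workspace_id, shared_key_b64, log_type, records, date=None):
    """Build (url, headers, body) for a custom-log upload; nothing is sent."""
    # Log-Type names the custom table: letters, digits, underscore, max 100.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type):
        raise ValueError("invalid Log-Type: %r" % log_type)
    body = json.dumps(records).encode("utf-8")
    date = date or formatdate(usegmt=True)  # RFC 1123 date ending in "GMT"
    headers = {
        "Content-Type": "application/json",
        "Authorization": sign(workspace_id, shared_key_b64, body, date),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    url = ("https://" + workspace_id
           + ".ods.opinsights.azure.com/api/logs?api-version=2016-04-01")
    return url, headers, body


if __name__ == "__main__":
    url, headers, _ = build_request(WORKSPACE_ID, SHARED_KEY, "AppAudit", SAMPLE)
    print(url, headers["Log-Type"], headers["x-ms-date"])
```

Records accepted under the `AppAudit` log type would be stored in a custom table named `AppAudit_CL` in the workspace.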

Security

Data | Description
Azure Security Center | Azure Security Center stores data that it collects in a Log Analytics workspace where it can be analyzed with other log data. See Data collection in Azure Security Center for details on workspace configuration.
Azure Sentinel | Azure Sentinel stores data from data sources into a Log Analytics workspace. See Connect data sources.

Next steps