
View activity logs to audit actions on resources

Through activity logs, you can determine:

  • what operations were taken on the resources in your subscription
  • who initiated the operation (although operations initiated by a backend service do not return a user as the caller)
  • when the operation occurred
  • the status of the operation
  • the values of other properties that might help you research the operation

The activity log contains all write operations (PUT, POST, DELETE) performed on your resources. It does not include read operations (GET). For a list of resource actions, see Azure Resource Manager Resource Provider operations. You can use the audit logs to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

Activity logs are retained for 90 days. You can query for any range of dates, as long as the starting date is not more than 90 days in the past.

You can retrieve information from the activity logs through the portal, PowerShell, Azure CLI, Insights REST API, or Insights .NET Library.

Portal

  1. To view the activity logs through the portal, select Monitor.

    [Screenshot: select activity log]

    Or, to automatically filter the activity log for a particular resource or resource group, select Activity log. Notice that the activity log is automatically filtered by the selected resource.

    [Screenshot: filter by resource]

  2. In the Activity Log, you see a summary of recent operations.

    [Screenshot: show actions]

  3. To restrict the number of operations displayed, select different conditions. For example, the following image shows the Timespan and Event initiated by fields changed to view the actions taken by a particular user or application for the past month. Select Apply to view the results of your query.

    [Screenshot: set filter options]

  4. If you need to run the query again later, select Save and give the query a name.

    [Screenshot: save query]

  5. To quickly run a query, you can select one of the built-in queries, such as failed deployments.

    [Screenshot: select query]

    The selected query automatically sets the required filter values.

    [Screenshot: view deployment errors]

  6. Select one of the operations to see a summary of the event.

    [Screenshot: view operation]

PowerShell

  1. To retrieve log entries, run the Get-AzureRmLog command. You provide additional parameters to filter the list of entries. If you do not specify a start and end time, entries for the last hour are returned. For example, to retrieve the operations for a resource group during the past hour, run:

    Get-AzureRmLog -ResourceGroup ExampleGroup
    

    The following example shows how to use the activity log to research operations taken during a specified time. The start and end dates are specified in a date format.

    Get-AzureRmLog -ResourceGroup ExampleGroup -StartTime 2015-08-28T06:00 -EndTime 2015-09-10T06:00
    

    Or, you can use date functions to specify the date range, such as the last 14 days.

    Get-AzureRmLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14)
    
  2. Depending on the start time you specify, the previous commands can return a long list of operations for the resource group. You can filter the results for what you are looking for by providing search criteria. For example, if you are trying to research how a web app was stopped, you could run the following command:

    Get-AzureRmLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14) | Where-Object OperationName -eq Microsoft.Web/sites/stop/action
    

    For this example, the output shows that a stop action was performed by someone@contoso.com.

    Authorization     :
    Scope     : /subscriptions/xxxxx/resourcegroups/ExampleGroup/providers/Microsoft.Web/sites/ExampleSite
    Action    : Microsoft.Web/sites/stop/action
    Role      : Subscription Admin
    Condition :
    Caller            : someone@contoso.com
    CorrelationId     : 84beae59-92aa-4662-a6fc-b6fecc0ff8da
    EventSource       : Administrative
    EventTimestamp    : 8/28/2015 4:08:18 PM
    OperationName     : Microsoft.Web/sites/stop/action
    ResourceGroupName : ExampleGroup
    ResourceId        : /subscriptions/xxxxx/resourcegroups/ExampleGroup/providers/Microsoft.Web/sites/ExampleSite
    Status            : Succeeded
    SubscriptionId    : xxxxx
    SubStatus         : OK
    
  3. You can look up the actions taken by a particular user, even for a resource group that no longer exists.

    Get-AzureRmLog -ResourceGroup deletedgroup -StartTime (Get-Date).AddDays(-14) -Caller someone@contoso.com
    
  4. You can filter for failed operations.

    Get-AzureRmLog -ResourceGroup ExampleGroup -Status Failed
    
  5. You can focus on one error by looking at the status message for that entry.

     ((Get-AzureRmLog -Status Failed -ResourceGroup ExampleGroup -DetailedOutput).Properties[1].Content["statusMessage"] | ConvertFrom-Json).error
    

    This returns:

     code           message                                                                        
     ----           -------                                                                        
     DnsRecordInUse DNS record dns.westus.cloudapp.azure.com is already used by another public IP. 
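
The filters in steps 2 through 4 can be combined into one per-caller audit summary. The following is an added example, not part of the original documentation: `Get-CallerSummary` and the sample entries are hypothetical, and the property names are assumed to match the sample output shown in step 2.

```powershell
# Added example: summarize activity-log entries per caller for an audit review.
# Assumes each entry exposes Caller, OperationName, Status and EventTimestamp
# as in the sample output on this page.
function Get-CallerSummary {
    param([Parameter(Mandatory)] [object[]] $Entries)

    $Entries | Group-Object -Property Caller | ForEach-Object {
        $group = $_.Group
        $times = $group | Measure-Object -Property EventTimestamp -Minimum -Maximum
        [pscustomobject]@{
            # Operations initiated by a backend service do not return a user as the caller.
            Caller     = if ($_.Name) { $_.Name } else { '(no user caller)' }
            Operations = $_.Count
            Failed     = @($group | Where-Object { "$($_.Status)" -eq 'Failed' }).Count
            # Count deletes and stop actions, the changes most likely to need follow-up.
            Disruptive = @($group | Where-Object {
                             "$($_.OperationName)" -match '/(delete|stop/action)$' }).Count
            FirstSeen  = $times.Minimum
            LastSeen   = $times.Maximum
        }
    } | Sort-Object -Property Disruptive, Failed -Descending
}

# Constructed sample entries so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Caller = 'someone@contoso.com'; Status = 'Succeeded'
        OperationName  = 'Microsoft.Web/sites/stop/action'
        EventTimestamp = [datetime]'2015-08-28T16:08:18' }
    [pscustomobject]@{ Caller = 'someone@contoso.com'; Status = 'Failed'
        OperationName  = 'Microsoft.Network/publicIPAddresses/write'
        EventTimestamp = [datetime]'2015-08-29T09:15:00' }
    [pscustomobject]@{ Caller = 'other@contoso.com'; Status = 'Succeeded'
        OperationName  = 'Microsoft.Web/sites/write'
        EventTimestamp = [datetime]'2015-08-30T11:02:41' }
    [pscustomobject]@{ Caller = $null; Status = 'Succeeded'
        OperationName  = 'Microsoft.Web/sites/write'
        EventTimestamp = [datetime]'2015-08-30T11:05:03' }
)
Get-CallerSummary -Entries $sample | Format-Table -AutoSize

# Against live data, using the cmdlet and parameters shown in step 1:
# Get-CallerSummary -Entries (Get-AzureRmLog -ResourceGroup ExampleGroup -StartTime (Get-Date).AddDays(-14))
```
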
    

Azure CLI

To retrieve log entries, run the az monitor activity-log list command.

    az monitor activity-log list --resource-group <group name>

REST API

The REST operations for working with the activity log are part of the Insights REST API. To retrieve activity log events, see List the management events in a subscription.

Next steps