您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

Monitor Azure Container Registry

When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. This article describes the monitoring data generated by Azure Container Registry and how you can use the features of Azure Monitor to analyze and alert on this data.

Monitor overview

The Overview page in the Azure portal for each registry includes a brief view of recent resource usage and activity, such as push and pull operations. This high-level information is useful, but only a small amount of the monitoring data is shown there.

Registry metrics overview

What is Azure Monitor?

Azure Container Registry creates monitoring data using Azure Monitor, which is a full stack monitoring service in Azure that provides a complete set of features to monitor your Azure resources in addition to resources in other clouds and on-premises.

Start with the article Monitoring Azure resources with Azure Monitor, which describes the following concepts:

  • What is Azure Monitor?
  • Costs associated with monitoring
  • Monitoring data collected in Azure
  • Configuring data collection
  • Standard tools in Azure for analyzing and alerting on monitoring data

The following sections build on this article by describing the specific data gathered for Azure Container Registry and providing examples for configuring data collection and analyzing this data with Azure tools.

Monitoring data

Azure Container Registry collects the same kinds of monitoring data as other Azure resources that are described in Monitoring data from Azure resources.

See Monitoring Azure Container Registry data reference for detailed information on the metrics and logs created by Azure Container Registry.

Collection and routing

Platform metrics and the Activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.

Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.

See Create diagnostic setting to collect platform logs and metrics in Azure for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure Container Registry are listed in Azure Container Registry monitoring data reference.

Tip

You can also create registry diagnostic settings by navigating to your registry in the portal. In the menu, select Diagnostic settings under Monitoring.

The following image shows the options when you enable diagnostic setting for a registry.

Diagnostic settings for container registry

The metrics and logs you can collect are discussed in the following sections.

Analyzing metrics (preview)

You can analyze metrics for an Azure container registry with metrics from other Azure services using metrics explorer by opening Metrics from the Azure Monitor menu. See Getting started with Azure Metrics Explorer for details on using this tool.

Tip

You can also go to the metrics explorer by navigating to your registry in the portal. In the menu, select Metrics (preview) under Monitoring.

For a list of the platform metrics collected for Azure Container Registry, see Monitoring Azure Container Registry data reference metrics

For reference, you can see a list of all resource metrics supported in Azure Monitor.

Azure CLI

The following Azure CLI commands can be used to get information about the Azure Container Registry metrics.

REST API

You can use the Azure Monitor REST API to get information programmatically about the Azure Container Registry metrics.

Analyzing logs

Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties.

All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in Azure Monitor resource log schema. The schema for Azure Container Registry resource logs is found in the Azure Container Registry Data Reference.

The Activity log is a platform log in Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.

For a list of the types of resource logs collected for Azure Container Registry, see Monitoring Azure Container Registry data reference.

For a list of the tables used by Azure Monitor Logs and queryable by Log Analytics, see Monitoring Azure Container Reference data reference.

Sample Kusto queries

Important

When you select Logs from the Azure Container Registry menu, Log Analytics is opened with the query scope set to the current registry. This means that log queries will only include data from that resource. If you want to run a query that includes data from other registries or data from other Azure services, select Logs from the Azure Monitor menu. See Log query scope and time range in Azure Monitor Log Analytics for details.

For example, the following query retrieves the most recent 24 hours of data from the ContainerRegistryRepositoryEvents table:

ContainerRegistryRepositoryEvents
| where TimeGenerated > ago(1d) 

The following image shows sample output:

Query log data

Following are queries that you can use to help you monitor your registry resource.

Error events from the last hour

union Event, Syslog // Event table stores Windows event records, Syslog stores Linux records
| where TimeGenerated > ago(1h)
| where EventLevelName == "Error" // EventLevelName is used in the Event (Windows) records
	or SeverityLevel== "err" // SeverityLevel is used in Syslog (Linux) records

100 most recent registry events

ContainerRegistryRepositoryEvents
| union ContainerRegistryLoginEvents
| top 100 by TimeGenerated
| project TimeGenerated, LoginServer, OperationName, Identity, Repository, DurationMs, Region , ResultType

Identity of user or object that deleted repository

ContainerRegistryRepositoryEvents
| where OperationName contains "Delete"
| project LoginServer, OperationName, Repository, Identity, CallerIpAddress

Identity of user or object that deleted tag

ContainerRegistryRepositoryEvents
| where OperationName contains "Untag"
| project LoginServer, OperationName, Repository, Tag, Identity, CallerIpAddress

Repository-level operation failures

ContainerRegistryRepositoryEvents 
| where ResultDescription contains "40"
| project TimeGenerated, OperationName, Repository, Tag, ResultDescription

Registry authentication failures

ContainerRegistryLoginEvents 
| where ResultDescription != "200"
| project TimeGenerated, Identity, CallerIpAddress, ResultDescription

Alerts

Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on metrics, logs, and the activity log. Different types of alerts have benefits and drawbacks.

The following table lists common and recommended alert rules for Azure Container Registry.

Alert type Condition Description
metric Signal: Storage used
Operator: Greater than
Aggregation type: Average
Threshold value: 5 GB
Alerts if the registry storage used exceeds a specified value.

Example: Send email alert when registry storage used exceeds a value

  1. In the Azure portal, navigate to your registry.
  2. Select Metrics (preview) under Monitoring.
  3. In the metrics explorer, in Metric, select Storage used.
  4. Select New alert rule.
  5. In Scope, confirm the registry resource for which you want to create an alert rule.
  6. In Condition, select Add condition.
    1. In Signal name, select Storage used.
    2. In Chart period, select Over the last 24 hours.
    3. In Alert logic, in Threshold value, select a value such as 5. In Unit, select a value such as GB.
    4. Accept default values for the remaining settings, and select Done.
  7. In Actions, select Add action groups > + Create action group.
    1. Enter details of the action group.
    2. On the Notifications tab, select Email/SMS message/Push/Voice and enter a recipient such as admin@contoso.com. Select Review + create.
  8. Enter a name and description of the alert rule, and select the severity level.
  9. Select Create alert rule.

Next steps