Overview of Azure Activity log

The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as Audit Logs or Operational Logs, since the Administrative category reports control-plane events for your subscriptions.

Use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties.

The Activity Log does not include read (GET) operations or operations for resources that use the Classic/RDFE model.

Comparison to resource logs

There is a single Activity Log for each Azure subscription. It provides data about the operations on a resource from the outside (the "control plane"). Resource Logs are emitted by a resource and provide information about the operation of that resource (the "data plane"). You must create a diagnostic setting for each resource to collect resource logs.

Figure: Activity Log compared to resource logs

Note

The Azure Activity Log is primarily for activities that occur in Azure Resource Manager. It does not track resources using the Classic/RDFE model. Some Classic resource types have a proxy resource provider in Azure Resource Manager (for example, Microsoft.ClassicCompute). If you interact with a Classic resource type through Azure Resource Manager using these proxy resource providers, the operations appear in the Activity Log. If you interact with a Classic resource type outside of the Azure Resource Manager proxies, your actions are only recorded in the Operation Log. The Operation Log can be browsed in a separate section of the portal.

Activity Log retention

Once created, Activity Log entries are not modified or deleted by the system. Also, you can't change them in the interface or programmatically. Activity Log events are stored for 90 days. To store this data for longer periods, collect it in Azure Monitor or export it to storage or Event Hubs.

View the Activity Log

View the Activity Log for all resources from the Monitor menu in the Azure portal. View the Activity Log for a particular resource from the Activity Log option in that resource's menu. You can also retrieve Activity Log records with PowerShell, CLI, or REST API. See View and retrieve Azure Activity log events.

Figure: View the Activity Log

Collect Activity Log in Azure Monitor

Collect the Activity Log into a Log Analytics workspace in Azure Monitor to analyze it with other monitoring data and to retain the data for longer than 90 days. See Collect and analyze Azure activity logs in Log Analytics workspace in Azure Monitor.

Figure: Query the Activity Log

Export Activity Log

Export the Activity Log to Azure Storage for archiving or stream it to an Event Hub for ingestion by a third-party service or custom analytics solution. See Export the Azure Activity Log. You can also analyze Activity Log events in Power BI using the Power BI content pack.

Alert on Activity Log

You can create an alert when particular events are created in the Activity Log with an Activity Log alert. You can also create an alert using a log query when your Activity Log is connected to a Log Analytics workspace, but there is a cost to log query alerts. There is no cost for Activity Log alerts.

Categories in the Activity Log

Each event in the Activity Log has a particular category; the categories are described in the following table. For full details on the schemata of these categories, see Azure Activity Log event schema.

Category: Description

Administrative: Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include "create virtual machine" and "delete network security group".

Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.

Service Health: Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in East US is experiencing downtime".

Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.

Resource Health: Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable".

Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as being Platform Initiated or User Initiated.

Alert: Contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes".

Autoscale: Contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed".

Recommendation: Contains recommendation events from Azure Advisor.

Security: Contains the record of any alerts generated by Azure Security Center. An example of a Security event is "Suspicious double extension file executed".

Policy: Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.
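The Administrative category records both the start and the success or failure of each write, delete, or action operation, so answering "what, who, and when" means pairing those records. The following added example (not part of the original documentation) does that over constructed sample records. The field names (correlationId, caller, eventTimestamp, and the "value" sub-field of category, operationName and status) are assumed from the REST API form of the Activity Log event schema, which this page references but does not list.

```python
from collections import defaultdict

def _ev(corr, caller, op, status, ts, category="Administrative"):
    # Builds one constructed record in the assumed REST API shape.
    return {"correlationId": corr, "caller": caller, "eventTimestamp": ts,
            "category": {"value": category}, "operationName": {"value": op},
            "status": {"value": status}}

# Constructed sample data: callers, ids and timestamps are illustrative only.
SAMPLE_EVENTS = [
    _ev("c-1", "alice@example.com", "Microsoft.Compute/virtualMachines/write", "Started", "2020-03-01T10:00:00Z"),
    _ev("c-1", "alice@example.com", "Microsoft.Compute/virtualMachines/write", "Succeeded", "2020-03-01T10:02:10Z"),
    _ev("c-2", "bob@example.com", "Microsoft.Network/networkSecurityGroups/delete", "Started", "2020-03-01T11:00:00Z"),
    _ev("c-2", "bob@example.com", "Microsoft.Network/networkSecurityGroups/delete", "Failed", "2020-03-01T11:00:05Z"),
    _ev("c-3", "app-1234", "Microsoft.Authorization/roleAssignments/write", "Started", "2020-03-01T12:00:00Z"),
    _ev("c-3", "app-1234", "Microsoft.Authorization/roleAssignments/write", "Succeeded", "2020-03-01T12:00:01Z"),
    _ev("c-4", "carol@example.com", "Microsoft.Storage/storageAccounts/write", "Started", "2020-03-01T13:00:00Z"),
    _ev("c-5", "", "Microsoft.Advisor/recommendations/available/action", "Active",
        "2020-03-01T14:00:00Z", category="Recommendation"),
]

WRITE_SUFFIXES = ("/write", "/delete", "/action")
TERMINAL = {"Succeeded", "Failed"}

def summarize_operations(events):
    """Pair start and terminal Administrative records into who/what/when/outcome rows."""
    groups = defaultdict(list)
    for e in events:
        op = e["operationName"]["value"]
        if e["category"]["value"] == "Administrative" and op.lower().endswith(WRITE_SUFFIXES):
            groups[(e["correlationId"], op)].append(e)
    rows = []
    for (_corr, op), recs in groups.items():
        recs.sort(key=lambda r: r["eventTimestamp"])  # same-format ISO strings sort in time order
        final = [r["status"]["value"] for r in recs if r["status"]["value"] in TERMINAL]
        rows.append({
            "who": recs[0]["caller"], "what": op, "when": recs[0]["eventTimestamp"],
            # A start record with no success/fail record is surfaced, not dropped.
            "outcome": final[-1] if final else "NoTerminalRecord",
            # Role-based access control changes are Administrative events; flag them for review.
            "rbac_change": op.lower().startswith("microsoft.authorization/role"),
        })
    return sorted(rows, key=lambda r: r["when"])

if __name__ == "__main__":
    for row in summarize_operations(SAMPLE_EVENTS):
        print(row)
```

Because Activity Log events are stored for 90 days, a summary like this covers older operations only if the log has been collected in Azure Monitor or exported.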

Next Steps