Overview of Azure Activity log

The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as Audit Logs or Operational Logs, since the Administrative category reports control-plane events for your subscriptions.

Use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties.

The Activity Log does not include read (GET) operations or operations for resources that use the Classic/RDFE model.

Comparison to Diagnostic Logs

There is a single Activity Log for each Azure subscription. It provides data about the operations on a resource from the outside (the "control plane"). Diagnostic Logs are emitted by a resource and provide information about the operation of that resource (the "data plane"). You must enable diagnostic settings for each resource.

[Figure: Activity Logs compared to Diagnostic Logs]

Note

The Azure Activity Log is primarily for activities that occur in Azure Resource Manager. It does not track resources using the Classic/RDFE model. Some Classic resource types have a proxy resource provider in Azure Resource Manager (for example, Microsoft.ClassicCompute). If you interact with a Classic resource type through Azure Resource Manager using these proxy resource providers, the operations appear in the Activity Log. If you interact with a Classic resource type outside of the Azure Resource Manager proxies, your actions are only recorded in the Operation Log. The Operation Log can be browsed in a separate section of the portal.

Activity Log retention

Once created, Activity Log entries are not modified or deleted by the system. Also, you can't change them in the interface or programmatically. Activity Log events are stored for 90 days. To store this data for longer periods, collect it in Azure Monitor or export it to storage or Event Hubs.

View the Activity Log

View the Activity Log for all resources from the Monitor menu in the Azure portal. View the Activity Log for a particular resource from the Activity Log option in that resource's menu. You can also retrieve Activity Log records with PowerShell, CLI, or REST API. See View and retrieve Azure Activity log events.

[Figure: View the Activity Log]

Collect Activity Log in Azure Monitor

Collect the Activity Log into a Log Analytics workspace in Azure Monitor to analyze it with other monitoring data and to retain the data for longer than 90 days. See Collect and analyze Azure activity logs in Log Analytics workspace in Azure Monitor.

[Figure: Query the Activity Log]

Export Activity Log

Export the Activity Log to Azure Storage for archiving or stream it to an Event Hub for ingestion by a third-party service or custom analytics solution. See Export the Azure Activity Log. You can also analyze Activity Log events in Power BI using the Power BI content pack.

Alert on Activity Log

You can create an alert when particular events are created in the Activity Log with an Activity Log alert. You can also create an alert using a log query when your Activity Log is connected to a Log Analytics workspace, but there is a cost to log query alerts. There is no cost for Activity Log alerts.

Categories in the Activity Log

Each event in the Activity Log has a particular category; the categories are described in the following table. For full details on the schemata of these categories, see Azure Activity Log event schema.

Category: Description

Administrative: Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include "create virtual machine" and "delete network security group". Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.

Service Health: Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in East US is experiencing downtime". Service Health events come in five varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.

Resource Health: Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable". Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as being Platform Initiated or User Initiated.

Alert: Contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes".

Autoscale: Contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed".

Recommendation: Contains recommendation events from Azure Advisor.

Security: Contains the record of any alerts generated by Azure Security Center. An example of a Security event is "Suspicious double extension file executed".

Policy: Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.
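
The Administrative category records both the start and the success or failure of each write, delete, or action operation, so a reviewer usually wants those records collapsed into one row per operation. The following is an added example, not part of the original documentation: it pairs records by correlation ID and queues role-assignment writes and network security group deletes for review. The flattened field names, the watch list, and all sample values are assumptions constructed for illustration, not the exact export schema.

```python
from collections import defaultdict

def _ev(time, op, status, caller, cid, category="Administrative"):
    # Flattened record shape (assumption), modeled loosely on Activity Log events.
    return {"time": time, "operationName": op, "status": status,
            "caller": caller, "correlationId": cid, "category": category}

RBAC_WRITE = "Microsoft.Authorization/roleAssignments/write"
NSG_DELETE = "Microsoft.Network/networkSecurityGroups/delete"

# Constructed sample data: callers and correlation IDs are placeholders.
SAMPLE_EVENTS = [
    _ev("2019-06-01T09:00:00Z", "ServiceHealthIncident", "Active", "", "c-4", "ServiceHealth"),
    _ev("2019-06-01T10:00:00Z", RBAC_WRITE, "Started", "alice@example.com", "c-1"),
    _ev("2019-06-01T10:00:02Z", RBAC_WRITE, "Succeeded", "alice@example.com", "c-1"),
    _ev("2019-06-01T10:05:00Z", "Microsoft.Compute/virtualMachines/write", "Started", "alice@example.com", "c-3"),
    _ev("2019-06-01T10:06:30Z", "Microsoft.Compute/virtualMachines/write", "Succeeded", "alice@example.com", "c-3"),
    _ev("2019-06-01T11:00:00Z", NSG_DELETE, "Started", "bob@example.com", "c-2"),
    _ev("2019-06-01T11:00:01Z", NSG_DELETE, "Failed", "bob@example.com", "c-2"),
    _ev("2019-06-01T12:00:00Z", RBAC_WRITE, "Started", "constructed-app-id", "c-5"),
]

# Control-plane operations to review (assumed watch list), compared case-insensitively.
WATCHED = {RBAC_WRITE.lower(), NSG_DELETE.lower()}

def summarize_operations(events):
    """Collapse start/terminal records into one row per operation: what, who, when, outcome."""
    groups = defaultdict(list)
    for e in events:
        if e["category"] == "Administrative":
            groups[(e["correlationId"], e["operationName"].lower())].append(e)
    rows = []
    for (cid, op), recs in groups.items():
        recs.sort(key=lambda r: r["time"])  # same-format UTC ISO strings sort by time
        terminal = [r for r in recs if r["status"] in ("Succeeded", "Failed")]
        rows.append({"what": op, "who": recs[0]["caller"], "when": recs[0]["time"],
                     "correlationId": cid, "watched": op in WATCHED,
                     # A start record with no terminal record is reported, not dropped.
                     "outcome": terminal[-1]["status"] if terminal else "NoTerminalRecord"})
    return sorted(rows, key=lambda r: r["when"])

def review_queue(events):
    """Watched operations, keeping failed and unfinished ones for the reviewer."""
    return [r for r in summarize_operations(events) if r["watched"]]

if __name__ == "__main__":
    for row in review_queue(SAMPLE_EVENTS):
        print(row["when"], row["who"], row["what"], row["outcome"])
```
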

Next Steps