Overview of Azure Diagnostic Logs

Diagnostic logs provide rich, frequent data about the operation of an Azure resource. Azure Monitor makes available two types of diagnostic logs:

  • Tenant logs - these logs come from tenant-level services that exist outside of an Azure subscription, such as Azure Active Directory logs.

  • Resource logs - these logs come from Azure services that deploy resources within an Azure subscription, such as Network Security Groups or Storage Accounts.

    Figure: Resource diagnostic logs compared with other types of logs

The content of these logs varies by the Azure service and resource type. For example, Network Security Group rule counters and Key Vault audits are two types of diagnostic logs.

These logs differ from the Activity log. The Activity log provides insight into the operations that were performed on resources in your subscription using Resource Manager, for example, creating a virtual machine or deleting a logic app. The Activity log is a subscription-level log. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault.

These logs also differ from guest OS-level diagnostic logs. Guest OS diagnostic logs are those collected by an agent running inside of a virtual machine or other supported resource type. Resource-level diagnostic logs require no agent and capture resource-specific data from the Azure platform itself, while guest OS-level diagnostic logs capture data from the operating system and applications running on a virtual machine.

Not all services support the diagnostic logs described here. This article contains a section listing which services support diagnostic logs.

What you can do with diagnostic logs

Here are some of the things you can do with diagnostic logs:

    Figure: Logical placement of diagnostic logs

  • Save them to a Storage Account for auditing or manual inspection. You can specify the retention time (in days) using resource diagnostic settings.
  • Stream them to Event Hubs for ingestion by a third-party service or custom analytics solution such as Power BI.
  • Analyze them with Azure Monitor, where the data is written immediately to Azure Monitor with no need to first write the data to storage.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

You can use a storage account or Event Hubs namespace that is not in the same subscription as the one emitting logs. The user who configures the setting must have the appropriate RBAC access to both subscriptions.

Note

You cannot currently archive network flow logs to a storage account that is behind a secured virtual network.

Diagnostic settings

Resource diagnostic logs are configured using resource diagnostic settings. Tenant diagnostic logs are configured using a tenant diagnostic setting. Diagnostic settings for a service control:

  • Where diagnostic logs and metrics are sent (Storage Account, Event Hubs, and/or Azure Monitor).
  • Which log categories are sent and whether metric data is also sent.
  • How long each log category should be retained in a storage account.
    • A retention of zero days means logs are kept forever. Otherwise, the value can be any number of days between 1 and 365.
    • If retention policies are set but storing logs in a Storage Account is disabled (for example, if only the Event Hubs or Log Analytics options are selected), the retention policies have no effect.
    • Retention policies are applied per day, so at the end of each day (UTC) the logs from the day that has now fallen outside the retention policy are deleted. For example, with a retention policy of one day, at the beginning of today the logs from the day before yesterday would be deleted. The delete process begins at midnight UTC, but note that it can take up to 24 hours for the logs to be deleted from your storage account.

These settings are configured from the diagnostic settings in the portal, with Azure PowerShell and CLI commands, or using the Azure Monitor REST API.
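The destination choices listed under "What you can do with diagnostic logs" and the retention rules above are easy to get subtly wrong: a retention policy silently does nothing unless a storage account is one of the destinations, and the day-boundary sweep keeps one more day than people often expect. The following script, added here as an example and not Microsoft's own code or tooling, assembles the request body a diagnostic setting is made of (the `properties.logs[].retentionPolicy` layout follows the `microsoft.insights/diagnosticSettings` REST API as this editor understands it; treat the exact field names as an assumption and check them against the current API reference), validates retention values against the 0 / 1..365 rule, flags retention policies that will be ignored, and models the per-day sweep. All resource IDs and category names in it are constructed placeholders.

```python
"""Build and sanity-check an Azure Monitor diagnostic-settings request body.

Added example, not Microsoft's code. Body layout follows the
microsoft.insights/diagnosticSettings REST API as understood by the editor
(assumption); resource IDs below are constructed placeholders.
"""
import datetime as dt
import json
from typing import Dict, List, Optional

MAX_RETENTION_DAYS = 365  # 0 means "keep forever", otherwise 1..365 is allowed


def retention_policy(days: int) -> dict:
    """Return a retentionPolicy object, rejecting values outside 0..365."""
    if not isinstance(days, int) or days < 0 or days > MAX_RETENTION_DAYS:
        raise ValueError(
            f"retention must be 0 (forever) or 1..{MAX_RETENTION_DAYS} days, got {days!r}")
    return {"enabled": days > 0, "days": days}


def build_diagnostic_setting(
    log_categories: Dict[str, int],
    storage_account_id: Optional[str] = None,
    event_hub_rule_id: Optional[str] = None,
    workspace_id: Optional[str] = None,
    metric_retention_days: Optional[int] = None,
) -> dict:
    """Assemble the body for PUT {resourceId}/providers/microsoft.insights/diagnosticSettings/{name}.

    log_categories maps a log category name to its retention in days.
    metric_retention_days=None means metric data is not sent at all.
    """
    if not any((storage_account_id, event_hub_rule_id, workspace_id)):
        raise ValueError("at least one destination is required")
    props: dict = {}
    if storage_account_id:
        props["storageAccountId"] = storage_account_id
    if event_hub_rule_id:
        props["eventHubAuthorizationRuleId"] = event_hub_rule_id
    if workspace_id:
        props["workspaceId"] = workspace_id
    props["logs"] = [
        {"category": name, "enabled": True, "retentionPolicy": retention_policy(days)}
        for name, days in log_categories.items()
    ]
    props["metrics"] = []
    if metric_retention_days is not None:
        props["metrics"].append({"category": "AllMetrics", "enabled": True,
                                 "retentionPolicy": retention_policy(metric_retention_days)})
    return {"properties": props}


def retention_warnings(setting: dict) -> List[str]:
    """Flag retention policies that have no effect because no storage account is set."""
    props = setting["properties"]
    if "storageAccountId" in props:
        return []
    return [
        f"{e['category']}: {e['retentionPolicy']['days']}-day retention is ignored "
        "(no storage account destination)"
        for e in props["logs"] + props["metrics"]
        if e["retentionPolicy"]["enabled"]
    ]


def is_deleted_by_sweep(log_day: str, today: str, retention_days: int) -> bool:
    """Model the per-day sweep at midnight UTC (dates as ISO strings).

    A log day is deleted once it lies more than retention_days before today;
    a retention of 0 keeps everything.
    """
    if retention_days == 0:
        return False
    log_date = dt.date.fromisoformat(log_day)
    today_date = dt.date.fromisoformat(today)
    return log_date < today_date - dt.timedelta(days=retention_days)


if __name__ == "__main__":
    # Constructed placeholder subscription and resource IDs.
    SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs"
    setting = build_diagnostic_setting(
        {"AuditEvent": 90},  # placeholder category name
        storage_account_id=f"{SUB}/providers/Microsoft.Storage/storageAccounts/stlogs",
        workspace_id=f"{SUB}/providers/Microsoft.OperationalInsights/workspaces/law-sec",
        metric_retention_days=30,
    )
    print(json.dumps(setting, indent=2))
    print(retention_warnings(setting))
```

In practice the same body is what `az monitor diagnostic-settings create` takes through its `--logs` and `--metrics` JSON arguments, so a pre-flight check like `retention_warnings` is a cheap way to catch a setting that streams only to a workspace or Event Hub while an operator believes an archive retention is in force.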

Note

Sending multi-dimensional metrics via diagnostic settings is not currently supported. Metrics with dimensions are exported as flattened single-dimensional metrics, aggregated across dimension values.

For example: the 'Incoming Messages' metric on an Event Hub can be explored and charted on a per-queue level. However, when exported via diagnostic settings, the metric will be represented as all incoming messages across all queues in the Event Hub.

Supported services, categories, and schemas for diagnostic logs

See this article for a complete list of supported services and the log categories and schemas used by those services.

Next steps