Azure Key Vault Logging

, 2019-02-20

Following up from last week’s post on Azure Key Vault in this blog I will show you how to the setup Key Vault logging I mentioned for auditing access and usage of your key vault. Once we walk through the process of enabling your logging, we will configure Azure Log Analytics as a way to analyze that data. Azure Log Analytics uses advanced analytics and machine learning to analyze your azure log files. It adds intelligent insights to your monitored data such as Key Vault usage and access  as well as latency in key retrieval from your Audit Event Logs.

Here is the PowerShell Script you can use to enable logging.

#If you have never used Powershell for Azure you will need to run the below line as Administrator
#Install-Module -Name Az -AllowClobber
#Connect to Your Azure Account (Will prompt you for your azure credentials into Azure)
Connect-AzureRmAccount
#Connect to Azure Subscriptions (To get a list of all your subscription ID's highlight the one you need for next step and copy and past below)
Get-AzureRmSubscription
#Specify Your Subscription You Want to Work With
Set-AzureRmContext -SubscriptionId Your ID Here
#Create Storage Account
# If you need to create a storage account you can use this
$sa = New-AzureRmStorageAccount -ResourceGroupName SQLDB-Development -Name dcackeyvaultstorage -Type Standard_LRS -Location 'East US 2'
#Identify Your Key Vault
$kv = Get-AzureRmKeyVault -VaultName 'DCACAEKeyVaultDemo'
#Enable Logging (uses $kvand $sa parameter from above)
Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Categories AuditEvent
#Set Retention Period for Your Logs (uses $kvand $sa parameter from above)
Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -RetentionEnabled $true -RetentionInDays 90

 

After logging is enabled these logs can then be easily analyze with Log Analytics. You’ll need to configure it like the below.

Under Diagnostic Setting Choose Edit

In this screen you will validate your storage account where the logs will be stored and your retention period that you setup using the above PowerShell scripts. The next step is to create a Log Analytics Workspace.  Just click Create New Workspace and choose what subscription and resource group you want it located. Just like any other resource within Azure, you will need to choose your location and the pricing tier associated with it. You should note that the first 5 GB of log data per month is free, and there are reasonable costs beyond that. In this case it’s only choice for pricing is Per GB as you can see below. Then it ok and save.

Within 10 minutes of setting up logging and Log Analytics you’ll be able to see your data. Logging will look like this under the Overview Section.

Per MSDN you can view summaries of your logs and then drill in to details for the following categories:

  • Volume of all key vault operations over time
  • Failed operation volumes over time
  • Average operational latency by operation
  • Quality of service for operations with the number of operations that take more than 1000 ms and a list of operations that take more than 1000 ms

Here is what it looks like to drill in.  Since I am not really using my Key Vault in production these examples from MSDN better show what your results will be like.

 

As you can see it’s very easy to set up. If your company is like most, you will want to set up a way to report on Key Vault usage Azure Log Analytics gives you everything you may want. You’ll find costs are minimal and it’s a great an essential piece of your entire key management process.

Rate

Share

Share

Rate

Related content

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

2009-02-23

1,567 reads

Networking - Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I'd like to talk about social networking. We'll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let...

2009-02-17

1,530 reads

Speaking at Community Events - More Thoughts

Last week I posted Speaking at Community Events - Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I've got a few more thoughts on the topic this week, and I look forward to your comments.

2009-02-13

360 reads