Azure Key Vault Logging

Following up from last week’s post on Azure Key Vault in this blog I will show you how to the setup Key Vault logging I mentioned for auditing access and usage of your key vault. Once we walk through the process of enabling your logging, we will configure Azure Log Analytics as a way to analyze that data. Azure Log Analytics uses advanced analytics and machine learning to analyze your azure log files. It adds intelligent insights to your monitored data such as Key Vault usage and access  as well as latency in key retrieval from your Audit Event Logs.

Here is the PowerShell Script you can use to enable logging.

#If you have never used Powershell for Azure you will need to run the below line as Administrator

#Install-Module -Name Az -AllowClobber


#Connect to Your Azure Account (Will prompt you for your azure credentials into Azure)

Connect-AzureRmAccount


#Connect to Azure Subscriptions (To get a list of all your subscription ID's highlight the one you need for next step and copy and past below)

Get-AzureRmSubscription


#Specify Your Subscription You Want to Work With

Set-AzureRmContext -SubscriptionId Your ID Here


#Create Storage Account

# If you need to create a storage account you can use this

$sa = New-AzureRmStorageAccount -ResourceGroupName SQLDB-Development -Name dcackeyvaultstorage -Type Standard_LRS -Location 'East US 2'


#Identify Your Key Vault

$kv = Get-AzureRmKeyVault -VaultName 'DCACAEKeyVaultDemo'


#Enable Logging (uses $kvand $sa parameter from above)

Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Categories AuditEvent


#Set Retention Period for Your Logs (uses $kvand $sa parameter from above)

Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -RetentionEnabled $true -RetentionInDays 90


 

After logging is enabled these logs can then be easily analyze with Log Analytics. You’ll need to configure it like the below.

Under Diagnostic Setting Choose Edit

In this screen you will validate your storage account where the logs will be stored and your retention period that you setup using the above PowerShell scripts. The next step is to create a Log Analytics Workspace.  Just click Create New Workspace and choose what subscription and resource group you want it located. Just like any other resource within Azure, you will need to choose your location and the pricing tier associated with it. You should note that the first 5 GB of log data per month is free, and there are reasonable costs beyond that. In this case it’s only choice for pricing is Per GB as you can see below. Then it ok and save.

Within 10 minutes of setting up logging and Log Analytics you’ll be able to see your data. Logging will look like this under the Overview Section.

Per MSDN you can view summaries of your logs and then drill in to details for the following categories:

  • Volume of all key vault operations over time
  • Failed operation volumes over time
  • Average operational latency by operation
  • Quality of service for operations with the number of operations that take more than 1000 ms and a list of operations that take more than 1000 ms

Here is what it looks like to drill in.  Since I am not really using my Key Vault in production these examples from MSDN better show what your results will be like.

 

As you can see it’s very easy to set up. If your company is like most, you will want to set up a way to report on Key Vault usage Azure Log Analytics gives you everything you may want. You’ll find costs are minimal and it’s a great an essential piece of your entire key management process.

About Monica Rathbun

Monica Rathbun lives in Virginia, is a Microsoft MVP for Data Platform and Microsoft Certified Solutions Expert. She has nearly two decades of experience working with a wide variety of database platforms with a focus on SQL Server and the Microsoft Data Platform. She is a frequent speaker at IT industry conferences on topics including performance tuning and configuration management. She is the Leader of the Hampton Roads SQL Server User Group. She is passionate about SQL Server and the SQL Server community, doing anything she can to give back. Monica can always be found on Twitter (@sqlespresso) handing out helpful tips. You can find Monica blogging at sqlespresso.com 
Bookmark the permalink.

Comments are closed.