Skip to main content
Jorge Bernhardt Jorge Bernhardt
  1. Posts/

How to configure Azure Key Vault to send logs and metrics to Log Analytics workspace

·787 words·4 mins· 100 views · 5 likes ·
Azure CLI Azure Cloud Shell Azure PowerShell Connect-AzAccount

Hello, Jorge is back. In a previous post, I showed you how to configure Azure Key Vault diagnostic parameters to send logs and metrics to a storage account, but many of you have asked me to show you how to configure Azure Key Vault diagnostic parameters to send to a Log Analytics workspace. Today in this post, I will show you how to configure Azure Key Vault diagnostic parameters to send logs and metrics to a Log Analytics workspace using PowerShell and the Azure CLI.

Prerequisites>

Prerequisites #

  • This tutorial assumes that you already have a Log Analytics Workspace. You can use an existing Workspace, or if you want to create a new one, check out this link.
  • This tutorial assumes that you already have an Azure Key Vault. You can use an existing Key vault, or if you want to create a new one, check out this link.

Important: The Log Analytics workspace does not need to be in the same region as the resource being monitored. In the following examples, I will separately enable event and metric logging for Key Vault. This action can be done with a single command, but I prefer to run them separately to show you more details. Also, I will set the retention policy to 365 days, but if you do not want to apply any retention policy and retain data forever, set retention (days) to 0.

Azure PowerShell Workaround>

Azure PowerShell Workaround #

The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account. If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you’re ready to start.

Set the variables>

Set the variables #

Here, we define the characteristics of our environment and the resource’s properties.

$resourceGroupName="RG-DEMO-WE"
$keyVaultName="KV-DEMO-WE"
$logAnalyticsName="LAW-DEMO-WE"

To improve the visualization of the following commands, I will store the resources into variables.

$keyvault= Get-AzKeyVault `
    -Name $keyVaultName `
    -ResourceGroupName $ResourceGroupName

$logAnalytics = Get-AzOperationalInsightsWorkspace `
    -Name $logAnalyticsName `
    -ResourceGroupName $resourceGroupName
Sets the logs and metrics settings for the Key Vault>

Sets the logs and metrics settings for the Key Vault #

To send the event log for Key Vault, you must use the Set-AzDiagnosticSetting cmdlet with the following syntax.

Set-AzDiagnosticSetting `
    -ResourceId $keyvault.ResourceId `
    -Enabled $true `
    -WorkspaceId $logAnalytics.ResourceId `
    -Category AuditEvent `
    -RetentionEnabled $true `
    -RetentionInDays 90

Set-AzDiagnosticSetting
If you also want to send the metric record for Key Vault, you must use the Set-AzDiagnosticSetting cmdlet with the following syntax.

Set-AzDiagnosticSetting `
    -ResourceId $keyvault.ResourceId `
    -Enabled $true `
    -WorkspaceId $logAnalytics.ResourceId `
    -MetricCategory AllMetrics `
    -RetentionEnabled $true `
    -RetentionInDays 90

Set-AzDiagnosticSetting
If you want to disable Key Vault logging, you should use the following command.

Set-AzDiagnosticSetting `
    -ResourceId $keyvault.ResourceId `
    -WorkspaceId $logAnalytics.ResourceId `
    -Enabled $false
Azure CLI Workaround>

Azure CLI Workaround #

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.

resourceGroupName="RG-DEMO-WE"
keyVaultName="KV-DEMO-WE"
logAnalyticsName="LAW-DEMO-WE"

To improve the visualization of the following commands, I will store the resources into variables.

logAnalyticsid=$(az monitor log-analytics workspace show \
-n $logAnalyticsName \
-g $resourceGroupName \
--query id \
--output tsv)

keyVaultid=$(az keyvault show \
--name $keyVaultName \
--query id \
--output tsv)
Sets the logs and metrics settings for the Key Vault>

Sets the logs and metrics settings for the Key Vault #

To send the event log for Key Vault, you must use the following command.

az monitor diagnostic-settings create \
--workspace $logAnalyticsid  \
--resource $keyVaultid \
--name "Key vault logs" \
--logs '[{"category":"AuditEvent","enabled":true,"retentionPolicy":{"days":"90","enabled":true}}]'

Key Vault Log Analytics
If you also want to send the metric record for Key Vault, you must use the following command.

az monitor diagnostic-settings create \
--workspace $logAnalyticsid  \
--resource $keyVaultid \
--name "Key vault Metrics" \
--metrics '[{"category": "AllMetrics","enabled": true,"retentionPolicy":{"days":"90","enabled":true}}]'

Key Vault Log Analytics
If you want to disable Key Vault logging, you should use the following commands.

az monitor diagnostic-settings create \
--workspace $logAnalyticsid \
--resource $keyVaultid \
--name "Key vault logs" \
--logs '[{"category": "AuditEvent","enabled": false}]'

az monitor diagnostic-settings create \
--workspace $logAnalyticsid  \
--resource $keyVaultid \
--name "Key vault Metrics" \
--metrics '[{"category": "AllMetrics","enabled": false}]'

Thanks for reading my post. I hope you find it helpful.

If you want to know more about Security recommendations for Azure Key vault, check out this link.