| title | description | services | author | ms.service | ms.subservice | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|
Azure Key Vault logging | Microsoft Docs |
Learn how to monitor access to your key vaults by enabling logging for Azure Key Vault, which saves information in an Azure storage account that you provide. |
key-vault |
msmbaldwin |
azure-key-vault |
general |
how-to |
01/30/2024 |
mbaldwin |
After you create one or more key vaults, you'll likely want to monitor how and when your key vaults are accessed, and by whom. Enabling logging for Azure Key Vault saves this information in an Azure storage account that you provide. For step by step guidance, see How to enable Key Vault logging.
You can access your logging information 10 minutes (at most) after the key vault operation. In most cases, it will be quicker. It's up to you to manage your logs in your storage account:
- Use standard Azure access control methods in your storage account to secure your logs by restricting who can access them.
- Delete logs that you no longer want to keep in your storage account.
For overview information about Key Vault, see What is Azure Key Vault?. For information about where Key Vault is available, see the pricing page. For information about using Azure Monitor for Key Vault.
When you enable logging, a new container called insights-logs-auditevent is automatically created for your specified storage account. You can use this same storage account for collecting logs for multiple key vaults.
Individual blobs are stored as text, formatted as a JSON blob. Let's look at an example log entry.
{
"records":
[
{
"time": "2016-01-05T01:32:01.2691226Z",
"resourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT",
"operationName": "VaultGet",
"operationVersion": "2015-06-01",
"category": "AuditEvent",
"resultType": "Success",
"resultSignature": "OK",
"resultDescription": "",
"durationMs": "78",
"callerIpAddress": "104.40.82.76",
"correlationId": "",
"identity": {"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"d9da5048-2737-4770-bd64-XXXXXXXXXXXX","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"live.com#[email protected]","appid":"00001111-aaaa-2222-bbbb-3333cccc4444"}},
"properties": {"clientInfo":"azure-resource-manager/2.0","requestUri":"https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01","id":"https://contosokeyvault.vault.azure.net/","httpStatusCode":200}
}
]
}The following table lists the field names and descriptions:
| Field name | Description |
|---|---|
| time | Date and time in UTC. |
| resourceId | Azure Resource Manager resource ID. For Key Vault logs, it is always the Key Vault resource ID. |
| operationName | Name of the operation, as documented in the next table. |
| operationVersion | REST API version requested by the client. |
| category | Type of result. For Key Vault logs, AuditEvent is the single, available value. |
| resultType | Result of the REST API request. |
| resultSignature | HTTP status. |
| resultDescription | More description about the result, when available. |
| durationMs | Time it took to service the REST API request, in milliseconds. The time does not include the network latency, so the time you measure on the client side might not match this time. |
| callerIpAddress | IP address of the client that made the request. |
| correlationId | An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs. |
| identity | Identity from the token that was presented in the REST API request. Usually a "user," a "service principal," or the combination "user+appId", for instance when the request comes from an Azure PowerShell cmdlet. |
| properties | Information that varies based on the operation (operationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI. |
The operationName field values are in ObjectVerb format. For example:
- All key vault operations have the
Vault<action>format, such asVaultGetandVaultCreate. - All key operations have the
Key<action>format, such asKeySignandKeyList. - All secret operations have the
Secret<action>format, such asSecretGetandSecretListVersions.
The following table lists the operationName values and corresponding REST API commands:
| operationName | REST API command |
|---|---|
| Authentication | Authenticate via Microsoft Entra endpoint |
| VaultGet | Get information about a key vault |
| VaultPut | Create or update a key vault |
| VaultDelete | Delete a key vault |
| VaultPatch | Update a key vault |
| VaultList | List all key vaults in a resource group |
| VaultPurge | Purge deleted vault |
| VaultRecover | Recover deleted vault |
| VaultGetDeleted | Get deleted vault |
| VaultListDeleted | List deleted vaults |
| VaultAccessPolicyChangedEventGridNotification | Vault access policy changed event published. It is logged regardless if an Event Grid subscription exists. |
| operationName | REST API command |
|---|---|
| KeyCreate | Create a key |
| KeyGet | Get information about a key |
| KeyImport | Import a key into a vault |
| KeyDelete | Delete a key |
| KeySign | Sign with a key |
| KeyVerify | Verify with a key |
| KeyWrap | Wrap a key |
| KeyUnwrap | Unwrap a key |
| KeyEncrypt | Encrypt with a key |
| KeyDecrypt | Decrypt with a key |
| KeyUpdate | Update a key |
| KeyList | List the keys in a vault |
| KeyListVersions | List the versions of a key |
| KeyPurge | Purge a key |
| KeyBackup | Backup a key |
| KeyRestore | Restore a key |
| KeyRecover | Recover a key |
| KeyGetDeleted | Get deleted key |
| KeyListDeleted | List the deleted keys in a vault |
| KeyNearExpiryEventGridNotification | Key near expiry event published. It is logged regardless if an Event Grid subscription exists. |
| KeyExpiredEventGridNotification | Key expired event published. It is logged regardless if an Event Grid subscription exists. |
| KeyRotate | Rotate key |
| KeyRotateIfDue | Scheduled automated key rotation operation based on defined rotation policy |
| KeyRotationPolicyGet | Get Key Rotation Policy |
| KeyRotationPolicySet | Update Key Rotation Policy |
| operationName | REST API command |
|---|---|
| SecretSet | Create a secret |
| SecretGet | Get a secret |
| SecretUpdate | Update a secret |
| SecretDelete | Delete a secret |
| SecretList | List secrets in a vault |
| SecretListVersions | List versions of a secret |
| SecretPurge | Purge a secret |
| SecretBackup | Backup a secret |
| SecretRestore | Restore a secret |
| SecretRecover | Recover a secret |
| SecretGetDeleted | Get deleted secret |
| SecretListDeleted | List the deleted secrets in a vault |
| SecretNearExpiryEventGridNotification | Secret near expiry event published. It is logged regardless if an Event Grid subscription exists. |
| SecretExpiredEventGridNotification | Secret expired event published. It is logged regardless if an Event Grid subscription exists. |
| operationName | REST API command |
|---|---|
| CertificateGet | Get information about a certificate |
| CertificateCreate | Create a certificate |
| CertificateImport | Import a certificate into a vault |
| CertificateUpdate | Update a certificate |
| CertificateList | List the certificates in a vault |
| CertificateListVersions | List the versions of a certificate |
| CertificateDelete | Delete a certificate |
| CertificatePurge | Purge a certificate |
| CertificateBackup | Backup a certificate |
| CertificateRestore | Restore a certificate |
| CertificateRecover | Recover a certificate |
| CertificateGetDeleted | Get deleted certificate |
| CertificateListDeleted | List the deleted certificates in a vault |
| CertificatePolicyGet | Get certificate policy |
| CertificatePolicyUpdate | Update certificate policy |
| CertificatePolicySet | Create certificate policy |
| CertificateContactsGet | Get certificate contacts |
| CertificateContactsSet | Set certificate contacts |
| CertificateContactsDelete | Delete certificate contacts |
| CertificateIssuerGet | Get certificate issuer |
| CertificateIssuerSet | Set certificate issuer |
| CertificateIssuerUpdate | Update certificate issuer |
| CertificateIssuerDelete | Delete certificate issuer |
| CertificateIssuersList | List the certificate issuers |
| CertificateEnroll | Enroll a certificate |
| CertificateRenew | Renew a certificate |
| CertificatePendingGet | Retrieve pending certificate |
| CertificatePendingMerge | The merger of the certificate is pending |
| CertificatePendingUpdate | The update of the certificate is pending |
| CertificatePendingDelete | Delete pending certificate |
| CertificateNearExpiryEventGridNotification | Certificate near expiry event published. It is logged regardless if an Event Grid subscription exists. |
| CertificateExpiredEventGridNotification | Certificate expired event published. It is logged regardless if an Event Grid subscription exists. |
You can use the Key Vault solution in Azure Monitor logs to review Key Vault AuditEvent logs. In Azure Monitor logs, you use log queries to analyze data and get the information you need.
For more information, including how to set it up, see Azure Key Vault in Azure Monitor.
For understanding how to analyze logs, see Sample Kusto log queries
- How to enable Key Vault logging
- Azure monitor
- For a tutorial that uses Azure Key Vault in a .NET web application, see Use Azure Key Vault from a web application.
- For programming references, see the Azure Key Vault developer's guide.
- For a list of Azure PowerShell 1.0 cmdlets for Azure Key Vault, see Azure Key Vault cmdlets.