I have diagnostic logs enabled for a Key Vault in Azure. On the Key Vault I have a firewall enabled. I am trying to find out which IP tried accessing the Key Vault using the logs; I run the following query, which is already available in Azure logs.

// List of callers identified by their IP address with their request count.
// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services.
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| summarize count() by CallerIPAddress, TimeGenerated

The above query does not show me the latest results, i.e. the last result it shows me is 12 hrs old, whereas this KV is being accessed consistently. Can anyone please shed some light on this? Thanks.

There is a lag... 12 hours seems a bit excessive. One potential troubleshooting step is to also send the logs to a storage account to confirm that the logs are actually being tracked. (DreadedFrost)

@DreadedFrost Do you know, if we have multiple Key Vaults pointing to the same Log Analytics workspace, how we can choose between the different Key Vaults in the query? (lavoizer)

1 Answer

Try this to make sure the latest result is on the top:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| summarize count() by TimeGenerated, CallerIPAddress
| order by TimeGenerated desc

You could try this demo here. It seems to be caused by the lack of sorting.

Do you know, if we have multiple Key Vaults pointing to the same Log Analytics workspace, how we can choose between the different Key Vaults in the query?

Add _ResourceId to choose the key vault you want:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and _ResourceId == "{your-keyvault-resource-id}"
| summarize count() by TimeGenerated, CallerIPAddress
| order by TimeGenerated desc

Or summarize by _ResourceId:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| summarize count() by TimeGenerated, CallerIPAddress, _ResourceId
| order by TimeGenerated desc
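As an added example that is not part of the question or the answer: two Kusto queries over the same AzureDiagnostics table that address both threads above, the "results are 12 hours old" problem (check how stale the newest event per vault actually is before concluding the vault is idle) and the "which IP hit which vault" problem (one row per vault, caller IP and hour instead of one row per request). The ResultType, ResultSignature and OperationName columns are standard Key Vault diagnostic fields; treating any ResultType other than "Success" as a rejected request (for instance a caller outside the vault firewall's allow list) is an assumption made here, not something stated on the page.

```kusto
// Added example, not from the question or the answer.
// 1) Ingestion-lag check: how stale is the newest Key Vault event per vault?
//    A large Lag means the data has not been ingested yet, not that the vault is idle.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| summarize LastEvent = max(TimeGenerated) by _ResourceId
| extend Lag = now() - LastEvent
| order by Lag desc

// 2) Per-vault, per-caller activity for the last 24 hours, bucketed by hour.
//    Summarizing by bin(TimeGenerated, 1h) instead of the raw timestamp collapses
//    one row per request into one row per hour, so the caller list stays readable.
//    Assumption: a ResultType other than "Success" marks a rejected request
//    (for example an IP blocked by the vault firewall); ResultSignature carries the
//    HTTP reason so the Reasons column explains the rejections.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| summarize Requests = count(),
            Rejected = countif(ResultType != "Success"),
            Reasons  = make_set(ResultSignature, 10),
            Ops      = make_set(OperationName, 20)
    by _ResourceId, CallerIPAddress, Hour = bin(TimeGenerated, 1h)
| order by Hour desc, Rejected desc, Requests desc
```

Run the two queries separately in the Log Analytics query editor. If the first shows a Lag of several hours for a vault that is known to be busy, the missing rows are an ingestion or diagnostic-setting problem rather than a sorting problem, and the storage-account export suggested in the comments is a reasonable cross-check; once the lag is normal, the second query gives the per-IP view the question asks for, with rejected callers floated to the top of each hour.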