After you create one or more key vaults, you'll likely want to monitor how and when your key vaults are accessed, and by whom. Enabling logging for Azure Key Vault saves this information in an Azure storage account that you provide. For step-by-step guidance, see How to enable Key Vault logging.
Logging information becomes available at most 10 minutes after the key vault operation, and in most cases sooner. It's up to you to manage your logs in your storage account:
Use standard Azure access control methods in your storage account to secure your logs by restricting who can access them.
Delete logs that you no longer want to keep in your storage account.
When you enable logging, a new container called insights-logs-auditevent is automatically created for your specified storage account. You can use this same storage account for collecting logs for multiple key vaults.
Individual blobs are stored as text, formatted as a JSON blob. Let's look at an example log entry.
The following table lists the field names and descriptions:
Field name: Description
time: Date and time in UTC.
resourceId: Azure Resource Manager resource ID. For Key Vault logs, it is always the Key Vault resource ID.
operationName: Name of the operation, as documented in the next table.
operationVersion: REST API version requested by the client.
category: Type of result. For Key Vault logs, AuditEvent is the only available value.
resultType: Result of the REST API request.
resultSignature: HTTP status.
resultDescription: Additional description of the result, when available.
durationMs: Time it took to service the REST API request, in milliseconds. The time does not include network latency, so the time you measure on the client side might not match this value.
callerIpAddress: IP address of the client that made the request.
correlationId: An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs.
identity: Identity from the token that was presented in the REST API request. Usually a "user", a "service principal", or the combination "user+appId", for instance when the request comes from an Azure PowerShell cmdlet.
properties: Information that varies based on the operation (operationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as the result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI.
The operationName field values are in ObjectVerb format. For example:
All key vault operations have the Vault<action> format, such as VaultGet and VaultCreate.
All key operations have the Key<action> format, such as KeySign and KeyList.
All secret operations have the Secret<action> format, such as SecretGet and SecretListVersions.
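As an added example (not code from the original article), a small Python triage script over constructed records laid out with the fields described above: it parses one JSON record per line, keeps only category AuditEvent, flattens the identity, and uses the Object<Verb> naming of operationName to flag Secret*/Key* operations coming from outside a trusted network, as well as any failed requests. The one-record-per-line layout, the nested identity.claim shape, the sample resultType values and the trusted network are assumptions made for this example.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records in the field layout described above (invented values).
# Assumptions: one JSON object per line; identity carries a "claim" object with upn/appid.
SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:00Z","operationName":"SecretGet","category":"AuditEvent","resultType":"Success","resultSignature":"OK","durationMs":12,"callerIpAddress":"10.0.0.5","identity":{"claim":{"upn":"alice@example.com"}},"properties":{"requestUri":"https://example-kv.vault.azure.net/secrets/db-password/?api-version=7.4","httpStatusCode":200}}
{"time":"2024-05-01T10:00:05Z","operationName":"SecretGet","category":"AuditEvent","resultType":"Failed","resultSignature":"Forbidden","durationMs":3,"callerIpAddress":"203.0.113.9","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"properties":{"requestUri":"https://example-kv.vault.azure.net/secrets/db-password/?api-version=7.4","httpStatusCode":403}}
{"time":"2024-05-01T10:00:09Z","operationName":"KeySign","category":"AuditEvent","resultType":"Success","resultSignature":"OK","durationMs":20,"callerIpAddress":"203.0.113.9","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"properties":{"requestUri":"https://example-kv.vault.azure.net/keys/signing-key/sign?api-version=7.4","httpStatusCode":200}}
{"time":"2024-05-01T10:00:12Z","operationName":"VaultGet","category":"AuditEvent","resultType":"Success","resultSignature":"OK","durationMs":8,"callerIpAddress":"10.0.0.7","identity":{"claim":{"upn":"bob@example.com"}},"properties":{"httpStatusCode":200}}
"""

def parse_entries(text):
    """Parse one JSON audit record per line, keeping only AuditEvent records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("category") == "AuditEvent":
            entries.append(record)
    return entries

def caller_label(record):
    """Flatten the identity claim: upn for users, appid for service principals."""
    claim = record.get("identity", {}).get("claim", {})
    return claim.get("upn") or claim.get("appid") or "unknown"

def triage(entries, trusted_nets):
    """Findings worth a defender's review: failed requests, and Secret*/Key*
    operations (per the Object<Verb> naming) coming from outside trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = {"failed": [], "untrusted_sensitive": [], "ops_by_caller": Counter()}
    for rec in entries:
        op, ip, who = rec["operationName"], rec["callerIpAddress"], caller_label(rec)
        findings["ops_by_caller"][(who, op)] += 1
        if rec.get("resultType") != "Success":
            findings["failed"].append((rec["time"], who, op, rec.get("resultSignature")))
        outside = not any(ipaddress.ip_address(ip) in n for n in nets)
        if outside and op.startswith(("Secret", "Key")):
            findings["untrusted_sensitive"].append((rec["time"], who, op, ip))
    return findings

if __name__ == "__main__":
    for kind, items in triage(parse_entries(SAMPLE_LOG), ["10.0.0.0/8"]).items():
        print(kind, dict(items) if isinstance(items, Counter) else items)
```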
The following table lists the operationName values and corresponding REST API commands:
Certificate near expiry event published. It is logged regardless of whether an Event Grid subscription exists.
CertificateExpiredEventGridNotification: Certificate expired event published. It is logged regardless of whether an Event Grid subscription exists.
Use Azure Monitor logs
You can use the Key Vault solution in Azure Monitor logs to review Key Vault AuditEvent logs. In Azure Monitor logs, you use log queries to analyze data and get the information you need.