Azure Key Vault logging
After you create one or more key vaults, you'll likely want to monitor how and when your key vaults are accessed, and by whom. Enabling logging for Azure Key Vault saves this information in an Azure storage account that you provide. For step by step guidance, see How to enable Key Vault logging.
You can access your logging information 10 minutes (at most) after the key vault operation. In most cases, it will be quicker. It's up to you to manage your logs in your storage account:
- Use standard Azure access control methods in your storage account to secure your logs by restricting who can access them.
- Delete logs that you no longer want to keep in your storage account.
For overview information about Key Vault, see What is Azure Key Vault?. For information about where Key Vault is available, see the pricing page. For information about using Azure Monitor for Key Vault.
Interpret your Key Vault logs
When you enable logging, a new container called insights-logs-auditevent is automatically created for your specified storage account. You can use this same storage account for collecting logs for multiple key vaults.
Individual blobs are stored as text, formatted as a JSON blob. Let's look at an example log entry.
{
"records":
[
{
"time": "2016-01-05T01:32:01.2691226Z",
"resourceId": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT",
"operationName": "VaultGet",
"operationVersion": "2015-06-01",
"category": "AuditEvent",
"resultType": "Success",
"resultSignature": "OK",
"resultDescription": "",
"durationMs": "78",
"callerIpAddress": "104.40.82.76",
"correlationId": "",
"identity": {"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"d9da5048-2737-4770-bd64-XXXXXXXXXXXX","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"live.com#username@outlook.com","appid":"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX"}},
"properties": {"clientInfo":"azure-resource-manager/2.0","requestUri":"https://control-prod-wus.vaultcore.azure.net/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01","id":"https://contosokeyvault.vault.azure.net/","httpStatusCode":200}
}
]
}
The following table lists the field names and descriptions:
| Field name | Description |
|---|---|
| time | Date and time in UTC. |
| resourceId | Azure Resource Manager resource ID. For Key Vault logs, it is always the Key Vault resource ID. |
| operationName | Name of the operation, as documented in the next table. |
| operationVersion | REST API version requested by the client. |
| category | Type of result. For Key Vault logs, AuditEvent is the single, available value. |
| resultType | Result of the REST API request. |
| resultSignature | HTTP status. |
| resultDescription | More description about the result, when available. |
| durationMs | Time it took to service the REST API request, in milliseconds. The time does not include the network latency, so the time you measure on the client side might not match this time. |
| callerIpAddress | IP address of the client that made the request. |
| correlationId | An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs. |
| identity | Identity from the token that was presented in the REST API request. Usually a "user," a "service principal," or the combination "user+appId", for instance when the request comes from an Azure PowerShell cmdlet. |
| properties | Information that varies based on the operation (operationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI. |
The operationName field values are in ObjectVerb format. For example:
- All key vault operations have the
Vault<action>format, such asVaultGetandVaultCreate. - All key operations have the
Key<action>format, such asKeySignandKeyList. - All secret operations have the
Secret<action>format, such asSecretGetandSecretListVersions.
The following table lists the operationName values and corresponding REST API commands:
Operation names table
| operationName | REST API command |
|---|---|
| Authentication | Authenticate via Microsoft Entra endpoint |
| VaultGet | Get information about a key vault |
| VaultPut | Create or update a key vault |
| VaultDelete | Delete a key vault |
| VaultPatch | Update a key vault |
| VaultList | List all key vaults in a resource group |
| VaultPurge | Purge deleted vault |
| VaultRecover | Recover deleted vault |
| VaultGetDeleted | Get deleted vault |
| VaultListDeleted | List deleted vaults |
| VaultAccessPolicyChangedEventGridNotification | Vault access policy changed event published. It is logged regardless if an Event Grid subscription exists. |
Use Azure Monitor logs
You can use the Key Vault solution in Azure Monitor logs to review Key Vault AuditEvent logs. In Azure Monitor logs, you use log queries to analyze data and get the information you need.
For more information, including how to set it up, see Azure Key Vault in Azure Monitor.
For understanding how to analyze logs, see Sample Kusto log queries
Next steps
- How to enable Key Vault logging
- Azure monitor
- For a tutorial that uses Azure Key Vault in a .NET web application, see Use Azure Key Vault from a web application.
- For programming references, see the Azure Key Vault developer's guide.
- For a list of Azure PowerShell 1.0 cmdlets for Azure Key Vault, see Azure Key Vault cmdlets.