Why there is no AzureDiagnostics table for Azure Key Vault Managed HSM in Log Analytics workspace

Waqas 0

AzureDiagnostics table is available for most resources in Azure and we can see log table in Log Analytics workspace. But for Azure Key Vault Managed HSM there is no AzureDiagnostics table in Log Analytics workspace.

If I change scope in Log Analytics workspace to some AKV, I can see AzureDiagnostics table, but if I change scope to Azure Key Vault Managed HSM, then AzureDiagnostics table is not available.

There is an article about enabling diagnostic settings using az commands, but that sends events to blob storage in json format and it's not clear how to run queries on these events.

https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/logging?source=docs

Vinodh247 20,976 Reputation points

2024-07-25T00:06:28.53+00:00
Hi Waqas,

Thanks for reaching out to Microsoft Q&A.

Azure Key Vault Managed HSM uses a different logging mechanism compared to standard Azure Key Vault instances. This is why you wont see the AzureDiagnostics table for Managed HSM in Log Analytics workspace.

For Azure Key Vault Managed HSM, logs are sent to Azure Monitor Logs using a different schema and table. Instead of the AzureDiagnostics table, Managed HSM logs are stored in a resource-specific table named AzureDiagnostics_CL.

To query logs for Azure Key Vault Managed HSM, you should use the AzureDiagnostics_CL table in your Log Analytics workspace. Here's an example query:

AzureDiagnostics_CL | where ResourceType == "MICROSOFT.KEYVAULT/MANAGEDHSMS" | where TimeGenerated > ago(1d)

This query will retrieve logs from the past day for all Managed HSM instances.

It's important to note that you need to enable diagnostic settings for your Managed HSM to send logs to Log Analytics workspace. You can do this through the Azure portal, Azure CLI, or Azure PowerShell.

If you're not seeing the AzureDiagnostics_CL table, ensure that:

Diagnostic settings are properly configured for your Managed HSM.

You've allowed enough time for logs to be collected and appear in the workspace.

Your Log Analytics workspace is in a supported region for Managed HSM logging.

Regarding the article about enabling diagnostic settings using Azure CLI commands that send events to blob storage in JSON format, this is an alternative logging method. While it doesn't allow for direct querying in Log Analytics, you can use other tools to analyze these logs or import them into a system that allows for querying

https://learn.microsoft.com/lt-lt/azure/key-vault/general/monitor-key-vault-reference.

you might want to consider using Azure Data Explorer or other log analysis tools that can work with JSON-formatted logs, if you're still having issues or need to query logs stored in blob storage,
Vinodh247 20,976 Reputation points

2024-07-25T13:33:51.5166667+00:00

https://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault#collection-and-routing
Vinodh247 20,976 Reputation points

2024-07-27T10:20:37.5966667+00:00

Waqas: Please confirm if we are still connected on this discussion. Let me know if you need more info or help. Also let me know if the above suggestion helped.
Givary-MSFT 32,591 Reputation points Microsoft Employee

2024-07-29T06:16:21.71+00:00

@Waqas Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Waqas 0 Reputation points

2024-07-30T00:21:08.1033333+00:00

Thanks @Vinodh247 and @Givary-MSFT for your response.

It looks like a limitation of Azure Key Vault Managed HSM. I will look in to suggested alternatives.

@Vinodh247 I don't see "AzureDiagnostics_CL" table in my Log Analytics workspace. May be Diagnostic settings are not properly configured for my Managed HSM. I don't see an option in the UI. I will check if Diagnostic settings can be enabled from the command line.

Thanks.
Waqas 0 Reputation points

2024-07-30T00:24:20.66+00:00

Thanks @Vinodh247 and @Givary-MSFT for your response. It looks like a limitation of Azure Key Vault Managed HSM. I will look in to suggested alternatives.

@Vinodh247 I don't see "AzureDiagnostics_CL" table in my Log Analytics workspace. May be Diagnostic settings are not properly configured for my Managed HSM. I don't see an option in the UI. I will check if Diagnostic settings can be enabled from the command line.

Thanks.
Waqas 40 Reputation points

2024-08-02T00:13:39.09+00:00

I don't see "AzureDiagnostics_CL" table in Log Analytics workspace or any mention of this table online or in Azure documentation.

1 answer

Givary-MSFT 32,591 Reputation points Microsoft Employee

2024-07-25T09:08:44.87+00:00

@Waqas Thank you for reaching out to us, As I understand you are looking to manage the logs generated by Azure Key Vault Managed HSM resource using log analytics workspace.

Based on my research (reviewed old support cases with a similar ask), Managed HSM saves information in an Azure storage account, there is no option to send the logs to log analytics workspace directly, also with logs getting stored in storage account in json format, one has to download the each json file to review the operations is challenging as well.

However you can follow this approach where you would need to pull the data into a server or a VM and then give it the correct format in order to ingest it into the log analytics workspace via Log ingestion API - https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Why there is no AzureDiagnostics table for Azure Key Vault Managed HSM in Log Analytics workspace

1 answer

Your answer