Azure Key Vault Analytics solution in Azure Monitor

Key Vault symbol

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

You can use the Azure Key Vault solution in Azure Monitor to review Azure Key Vault AuditEvent logs.

To use the solution, you need to enable logging of Azure Key Vault diagnostics and direct the diagnostics to a Log Analytics workspace. It is not necessary to write the logs to Azure Blob storage.

Note

In January 2017, the supported way of sending logs from Key Vault to Log Analytics changed. If the Key Vault solution you are using shows (deprecated) in the title, refer to Migrating from the old Key Vault solution for the steps you need to follow.

Install and configure the solution

Use the following instructions to install and configure the Azure Key Vault solution:

  1. Use the process described in Add Azure Monitor solutions from the Solutions Gallery to add the Azure Key Vault solution to your Log Analytics workspace.
  2. Enable diagnostics logging for the Key Vault resources to monitor, using either the portal or PowerShell.

Enable Key Vault diagnostics in the portal

  1. In the Azure portal, navigate to the Key Vault resource to monitor.

  2. Select Diagnostics settings to open the following page.

    Image of the Azure Key Vault tile

  3. Click Turn on diagnostics to open the following page.

    Image of the Azure Key Vault tile

  4. Give a name to the diagnostic setting.

  5. Click the checkbox for Send to Log Analytics.

  6. Select an existing Log Analytics workspace, or create a workspace.

  7. To enable AuditEvent logs, click the checkbox under Log.

  8. Click Save to enable the logging of diagnostics to the Log Analytics workspace.

Enable Key Vault diagnostics using PowerShell

The following PowerShell script provides an example of how to use Set-AzDiagnosticSetting to enable resource logging for Key Vault:

# Full Azure Resource Manager ID of the target Log Analytics workspace
$workspaceId = "/subscriptions/d2e37fee-1234-40b2-5678-0b2199de3b50/resourcegroups/oi-default-CNE2/providers/microsoft.operationalinsights/workspaces/rollingbaskets"

# Look up the vault to obtain its resource ID
$kv = Get-AzKeyVault -VaultName 'ContosoKeyVault'

# Send the vault's resource logs straight to the workspace; no storage account is involved
Set-AzDiagnosticSetting -ResourceId $kv.ResourceId -WorkspaceId $workspaceId -Enabled $true
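The one-vault script above does not tell you which vaults in a subscription are still unmonitored. The following script is an added example, not code from the original article: it walks every Key Vault in the current subscription, checks whether an enabled AuditEvent category already flows to the target workspace, enables only the AuditEvent category where it does not, and prints a per-vault report. It uses the article's Set-AzDiagnosticSetting together with Get-AzKeyVault, Get-AzDiagnosticSetting and Get-AzOperationalInsightsWorkspace; the workspace resource group, workspace name and diagnostic setting name are assumptions to replace with your own.

```powershell
# Added example, not code from the original article: enable AuditEvent logging to a
# Log Analytics workspace for every Key Vault in the current subscription and report
# which vaults already had it. Requires Az.KeyVault, Az.Monitor and
# Az.OperationalInsights; run Connect-AzAccount first.

$workspaceRg   = 'oi-default-CNE2'    # assumption: resource group of the workspace
$workspaceName = 'rollingbaskets'     # assumption: Log Analytics workspace name
$settingName   = 'KeyVaultAuditToLA'  # assumption: name given to the diagnostic setting

# Set-AzDiagnosticSetting expects the full Azure Resource Manager ID of the workspace.
$workspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $workspaceRg `
                    -Name $workspaceName).ResourceId

function Test-AuditEventEnabled {
    # Returns $true when any diagnostic setting on the resource already sends an
    # enabled AuditEvent log category to the target workspace.
    param([string]$ResourceId, [string]$TargetWorkspaceId)

    $settings = Get-AzDiagnosticSetting -ResourceId $ResourceId -ErrorAction SilentlyContinue
    foreach ($s in $settings) {
        # Older Az.Monitor exposes the categories as .Logs, newer versions as .Log.
        $logs = if ($s.PSObject.Properties['Logs']) { $s.Logs } else { $s.Log }
        $auditOn = $logs | Where-Object { $_.Category -eq 'AuditEvent' -and $_.Enabled }
        if ($s.WorkspaceId -eq $TargetWorkspaceId -and $auditOn) { return $true }
    }
    return $false
}

# Get-AzKeyVault with no parameters lists every vault in the subscription.
$report = foreach ($kv in Get-AzKeyVault) {
    $alreadyOn = Test-AuditEventEnabled -ResourceId $kv.ResourceId -TargetWorkspaceId $workspaceId
    $action = 'already enabled'
    if (-not $alreadyOn) {
        # Only the AuditEvent category is turned on; no storage account is needed.
        Set-AzDiagnosticSetting -ResourceId $kv.ResourceId -Name $settingName `
            -WorkspaceId $workspaceId -Category AuditEvent -Enabled $true | Out-Null
        $action = 'enabled now'
    }
    [pscustomobject]@{
        VaultName     = $kv.VaultName
        ResourceGroup = $kv.ResourceGroupName
        Action        = $action
    }
}

$report | Format-Table -AutoSize
```

Run it once after installing the solution and again after any new vault is created; a vault that reports "enabled now" on the second run was deployed without audit logging and is the gap the solution would otherwise never show you.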

Review Azure Key Vault data collection details

The Azure Key Vault solution collects diagnostics logs directly from the Key Vault. It is not necessary to write the logs to Azure Blob storage, and no agent is required for data collection.

The following table shows data collection methods and other details about how data is collected for Azure Key Vault.

Platform | Direct agent | System Center Operations Manager agent | Azure | Operations Manager required? | Operations Manager agent data sent via management group | Collection frequency
Azure    |              |                                        | ✓     |                              |                                                          | on arrival

Use Azure Key Vault

After you install the solution, view the Key Vault data by clicking the Key Vault Analytics tile from the Azure Monitor Overview page. Open this page from the Azure Monitor menu by clicking More under the Insights section.

Image of the Azure Key Vault tile

After you click the Key Vault Analytics tile, you can view summaries of your logs and then drill in to details for the following categories:

  • Volume of all key vault operations over time
  • Failed operation volumes over time
  • Average operational latency by operation
  • Quality of service for operations, with the number of operations that take more than 1000 ms and a list of those operations

Image of the Azure Key Vault dashboard

To view details for any operation

  1. On the Overview page, click the Key Vault Analytics tile.

  2. On the Azure Key Vault dashboard, review the summary information in one of the blades, and then click one to view detailed information about it in the log search page.

    On any of the log search pages, you can view results by time, detailed results, and your log search history. You can also filter by facets to narrow the results.

Azure Monitor log records

The Azure Key Vault solution analyzes records that have a type of KeyVaults that are collected from AuditEvent logs in Azure Diagnostics. Properties for these records are in the following table:

Property | Description
Type | AzureDiagnostics
SourceSystem | Azure
CallerIpAddress | IP address of the client that made the request
Category | AuditEvent
CorrelationId | An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs.
DurationMs | Time it took to service the REST API request, in milliseconds. This time does not include network latency, so the time that you measure on the client side might not match this time.
httpStatusCode_d | HTTP status code returned by the request (for example, 200)
id_s | Unique ID of the request
identity_claim_appid_g | GUID for the application ID
OperationName | Name of the operation, as documented in Azure Key Vault Logging
OperationVersion | REST API version requested by the client (for example, 2015-06-01)
requestUri_s | URI of the request
Resource | Name of the key vault
ResourceGroup | Resource group of the key vault
ResourceId | Azure Resource Manager resource ID. For Key Vault logs, this is the Key Vault resource ID.
ResourceProvider | MICROSOFT.KEYVAULT
ResourceType | VAULTS
ResultSignature | HTTP status (for example, OK)
ResultType | Result of the REST API request (for example, Success)
SubscriptionId | Azure subscription ID of the subscription containing the Key Vault
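The dashboard categories listed earlier (operation volume, failed operations, average latency, and operations over 1000 ms) are all derived from the fields in this table. The script below is an added example, not code from the original article: it computes those four summaries from AuditEvent records in PowerShell, grouping failures by caller address as well as by operation so that a run of 403s from one client is visible. The records are constructed sample data so the script runs offline; against a real workspace the same objects come from Invoke-AzOperationalInsightsQuery, as noted in the comments. The vault name, addresses and timestamps are constructed.

```powershell
# Added example, not code from the original article: compute the dashboard's summaries
# (operation volume, failures, average latency, operations over 1000 ms) from AuditEvent
# records using the field names in the table above. The records are constructed sample
# data; against a real workspace the same shape comes from
#   (Invoke-AzOperationalInsightsQuery -WorkspaceId $customerId `
#       -Query 'AzureDiagnostics | where ResourceType == "VAULTS"').Results
# where $customerId is the workspace's CustomerId GUID (assumption about your environment).

function New-AuditRecord {
    param($Time, $Op, $Status, $Result, $Ms, $Ip)
    [pscustomobject]@{
        TimeGenerated    = [datetime]$Time
        OperationName    = $Op
        httpStatusCode_d = $Status
        ResultType       = $Result
        DurationMs       = $Ms
        CallerIPAddress  = $Ip
        Resource         = 'CONTOSOKEYVAULT'   # constructed vault name
    }
}

# Constructed sample: normal reads, one slow signing call, and a run of 403s from one address.
$records = @(
    New-AuditRecord '2020-05-01T10:00:00Z' 'SecretGet'  200 'Success'      45   '203.0.113.10'
    New-AuditRecord '2020-05-01T10:00:05Z' 'SecretGet'  200 'Success'      52   '203.0.113.10'
    New-AuditRecord '2020-05-01T10:01:00Z' 'KeySign'    200 'Success'      1340 '203.0.113.20'
    New-AuditRecord '2020-05-01T10:02:00Z' 'SecretGet'  403 'Unauthorized' 30   '198.51.100.7'
    New-AuditRecord '2020-05-01T10:02:01Z' 'SecretGet'  403 'Unauthorized' 28   '198.51.100.7'
    New-AuditRecord '2020-05-01T10:02:02Z' 'SecretList' 403 'Unauthorized' 31   '198.51.100.7'
    New-AuditRecord '2020-05-01T10:03:00Z' 'VaultGet'   200 'Success'      12   '203.0.113.10'
)

function Get-KeyVaultAuditSummary {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$SlowThresholdMs = 1000   # the dashboard's quality-of-service threshold
    )

    # Failures: anything outside 2xx, grouped by operation and caller so that a burst
    # of 403s from a single address stands out.
    $failed = $Records |
        Where-Object { $_.httpStatusCode_d -lt 200 -or $_.httpStatusCode_d -ge 300 } |
        Group-Object OperationName, CallerIPAddress |
        ForEach-Object {
            [pscustomobject]@{
                OperationName   = $_.Group[0].OperationName
                CallerIPAddress = $_.Group[0].CallerIPAddress
                Failures        = $_.Count
            }
        }

    # Average service-side latency per operation (DurationMs excludes network time).
    $latency = $Records | Group-Object OperationName | ForEach-Object {
        [pscustomobject]@{
            OperationName = $_.Name
            Count         = $_.Count
            AvgMs         = [math]::Round(($_.Group | Measure-Object DurationMs -Average).Average, 1)
        }
    }

    [pscustomobject]@{
        TotalOperations  = $Records.Count
        FailedOperations = @($failed)
        AverageLatency   = @($latency)
        SlowOperations   = @($Records | Where-Object { $_.DurationMs -gt $SlowThresholdMs })
    }
}

$summary = Get-KeyVaultAuditSummary -Records $records
"Total operations: $($summary.TotalOperations)"
$summary.FailedOperations | Format-Table -AutoSize
$summary.AverageLatency   | Format-Table -AutoSize
$summary.SlowOperations   | Select-Object TimeGenerated, OperationName, DurationMs | Format-Table -AutoSize
```

The failure grouping is the same aggregation you would write in the log search page as `AzureDiagnostics | where ResourceType == "VAULTS" | where httpStatusCode_d >= 300 | summarize count() by OperationName, CallerIPAddress`; doing it in PowerShell over the query results is useful when you want to feed the grouped counts into a ticketing or alerting step of your own.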

Migrating from the old Key Vault solution

In January 2017, the supported way of sending logs from Key Vault to Log Analytics changed. These changes provide the following advantages:

  • Logs are written directly to a Log Analytics workspace without the need to use a storage account
  • Less latency from the time when logs are generated to them being available in Log Analytics
  • Fewer configuration steps
  • A common format for all types of Azure diagnostics

To use the updated solution:

  1. Configure diagnostics to be sent directly to a Log Analytics workspace from Key Vault.
  2. Enable the Azure Key Vault solution by using the process described in Add Azure Monitor solutions from the Solutions Gallery.
  3. Update any saved queries, dashboards, or alerts to use the new data type.
    • Type changed from KeyVaults to AzureDiagnostics. You can use ResourceType to filter to Key Vault logs.
    • Instead of KeyVaults, use AzureDiagnostics | where ResourceType == "VAULTS"
    • Fields (field names are case-sensitive):
    • For any field that has a suffix of _s, _d, or _g in the name, change the first character to lower case
    • For any field that has a suffix of _o in the name, the data is split into individual fields based on the nested field names. For example, the UPN of the caller is stored in the field identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s
    • Field CallerIpAddress changed to CallerIPAddress
    • Field RemoteIPCountry is no longer present
  4. Remove the Key Vault Analytics (Deprecated) solution. If you are using PowerShell, use Set-AzureOperationalInsightsIntelligencePack -ResourceGroupName <resource group that the workspace is in> -WorkspaceName <name of the log analytics workspace> -IntelligencePackName "KeyVault" -Enabled $false

Data collected before the change is not visible in the new solution. You can continue to query for this data using the old Type and field names.
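Applying the field rules in step 3 by hand across many saved queries and alert rules is error-prone, and because field names are case-sensitive a missed rename silently returns no rows, which for an alert means it stops firing. The function below is an added example, not code from the original article: it rewrites a legacy query mechanically using exactly the rules listed above (table rename with the ResourceType filter, lower-casing the first character of _s/_d/_g fields, CallerIpAddress to CallerIPAddress) and reports any use of RemoteIPCountry, which has no replacement, instead of guessing one. The legacy query it is run against is a constructed sample.

```powershell
# Added example, not code from the original article: rewrite a saved query written
# against the deprecated KeyVaults type so it runs against AzureDiagnostics, applying
# the field-name rules from the migration steps. The legacy query is a constructed sample.

function Convert-LegacyKeyVaultQuery {
    param([Parameter(Mandatory)][string]$Query)

    $warnings = @()

    # 1. Table: KeyVaults -> AzureDiagnostics filtered to the Key Vault resource type.
    $new = [regex]::Replace($Query, '\bKeyVaults\b',
        'AzureDiagnostics | where ResourceType == "VAULTS"')

    # 2. Fields with an _s, _d or _g suffix: first character becomes lower case.
    #    Field names are case-sensitive, so HttpStatusCode_d and httpStatusCode_d differ.
    $lowerFirst = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) $m.Groups[1].Value.ToLower() + $m.Groups[2].Value
    }
    $new = [regex]::Replace($new, '\b([A-Z])(\w*_[sdg])\b', $lowerFirst)

    # 3. CallerIpAddress was renamed CallerIPAddress.
    $new = [regex]::Replace($new, '\bCallerIpAddress\b', 'CallerIPAddress')

    # 4. RemoteIPCountry no longer exists; flag it rather than inventing a replacement.
    if ($new -match '\bRemoteIPCountry\b') {
        $warnings += 'RemoteIPCountry is no longer present; remove it from the query.'
    }

    [pscustomobject]@{ Query = $new; Warnings = $warnings }
}

# Constructed legacy query, as it might have been saved against the old KeyVaults type.
$legacy = @'
KeyVaults
| where HttpStatusCode_d >= 400
| summarize failures = count() by OperationName, CallerIpAddress, RemoteIPCountry
'@

$result = Convert-LegacyKeyVaultQuery -Query $legacy
$result.Query
$result.Warnings | ForEach-Object { Write-Warning $_ }
```

After converting, run each rewritten query once over a recent time range and compare the row count with the old query over the same range before you replace the alert rule; the old Type still answers queries for data collected before the change, so a sudden drop to zero rows on the new query points at a missed rename rather than at a quiet vault.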

Troubleshooting

Troubleshoot Azure Diagnostics

If you receive the following error message, the Microsoft.insights resource provider is not registered:

Failed to update diagnostics for 'resource'. {"code":"Forbidden","message":"Please register the subscription 'subscription id' with Microsoft.Insights."}

To register the resource provider, perform the following steps in the Azure portal:

  1. In the navigation pane on the left, click Subscriptions
  2. Select the subscription identified in the error message
  3. Click Resource Providers
  4. Find the Microsoft.insights provider
  5. Click the Register link

Register the microsoft.insights resource provider

Once the Microsoft.insights resource provider is registered, retry configuring diagnostics.

In PowerShell, if you receive the following error message, you need to update your version of PowerShell:

Set-AzureRmDiagnosticSetting : A parameter cannot be found that matches parameter name 'WorkspaceId'.

Update your version of PowerShell to the November 2016 (v2.3.0) release or later, using the instructions in the Get started with Azure PowerShell cmdlets article.

Next steps
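When the diagnostic settings are being applied from a script rather than the portal, the registration step can be scripted too. The function below is an added example, not code from the original article: it reads the provider's registration state with Get-AzResourceProvider, calls Register-AzResourceProvider only when needed, and waits for the asynchronous registration to reach Registered before returning, so a following Set-AzDiagnosticSetting does not hit the Forbidden error shown above. The timeout value is an assumption.

```powershell
# Added example, not code from the original article: make sure the Microsoft.Insights
# resource provider is registered in the current subscription before configuring
# diagnostics. Requires the Az.Resources module; run Connect-AzAccount first.

function Register-InsightsProviderIfNeeded {
    param([int]$TimeoutSeconds = 300)   # assumption: how long to wait for registration

    # Get-AzResourceProvider returns one entry per resource type of the namespace;
    # all entries carry the same RegistrationState, so the first one is enough.
    $state = (Get-AzResourceProvider -ProviderNamespace Microsoft.Insights |
              Select-Object -First 1).RegistrationState
    if ($state -eq 'Registered') { return $state }

    Register-AzResourceProvider -ProviderNamespace Microsoft.Insights | Out-Null

    # Registration is asynchronous: poll until it completes or the timeout elapses.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $state = (Get-AzResourceProvider -ProviderNamespace Microsoft.Insights |
                  Select-Object -First 1).RegistrationState
    } while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)

    if ($state -ne 'Registered') {
        throw "Microsoft.Insights registration did not complete (state: $state)"
    }
    return $state
}

Register-InsightsProviderIfNeeded
```

Registering a resource provider needs write permission on the subscription (Owner or Contributor); an account that only has rights on the vault's resource group will see the portal steps above fail at step 5 for the same reason, so check the role assignment before assuming the error is transient.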