How to enable Key Vault logging

After you create one or more key vaults, you'll likely want to monitor how and when your key vaults are accessed, and by whom. For full details on the feature, see Key Vault logging.

Prerequisites

To complete this tutorial, you must have the following:

  • An existing key vault that you have been using.
  • The Azure CLI or Azure PowerShell.
  • Sufficient storage on Azure for your Key Vault logs.

Connect to your Key Vault subscription

The first step in setting up Key Vault logging is connecting to the subscription that contains your key vault. This is especially important if you have multiple subscriptions associated with your account.

With the Azure CLI, you can view all your subscriptions using the az account list command, and then connect to one using az account set:

az account list

az account set --subscription "<subscriptionID>"

With Azure PowerShell, you can first list your subscriptions using the Get-AzSubscription cmdlet, and then connect to one using the Set-AzContext cmdlet:

Get-AzSubscription

Set-AzContext -SubscriptionId "<subscriptionID>"

Create a storage account for your logs

Although you can use an existing storage account for your logs, we'll create a new storage account dedicated to Key Vault logs.

For additional ease of management, we'll also use the same resource group as the one that contains the key vault. In the Azure CLI quickstart and Azure PowerShell quickstart, this resource group is named myResourceGroup, and the location is chinanorth. Replace these values with your own, as applicable.

We will also need to provide a storage account name. Storage account names must be globally unique, between 3 and 24 characters in length, and use numbers and lower-case letters only. Lastly, we will be creating a storage account of the "Standard_LRS" SKU.

With the Azure CLI, use the az storage account create command.

az storage account create --name "<your-unique-storage-account-name>" -g "myResourceGroup" --sku "Standard_LRS"

With Azure PowerShell, use the New-AzStorageAccount cmdlet. You will need to provide the location that corresponds to the resource group.

New-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "<your-unique-storage-account-name>" -SkuName "Standard_LRS" -Location "chinanorth"

In either case, note the "id" of the storage account. The Azure CLI operation returns the "id" in its output. To obtain the "id" with Azure PowerShell, use Get-AzStorageAccount and assign the output to the variable $sa. You can then read the storage account ID from $sa.Id. (The $sa.Context property will also be used later in this article.)

$sa = Get-AzStorageAccount -Name "<your-unique-storage-account-name>" -ResourceGroupName "myResourceGroup"
$sa.Id

The "id" of the storage account will be in the format "/subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/<storage-account-name>".

Note

If you decide to use an existing storage account, it must be in the same subscription as your key vault, and it must use the Azure Resource Manager deployment model, rather than the classic deployment model.

Obtain your key vault Resource ID

In the CLI quickstart and PowerShell quickstart, you created a key vault with a unique name. Use that name again in the steps below. If you cannot remember the name of your key vault, you can use the Azure CLI az keyvault list command or the Azure PowerShell Get-AzKeyVault cmdlet to list them.

Use the name of your key vault to find its Resource ID. With the Azure CLI, use the az keyvault show command.

az keyvault show --name "<your-unique-keyvault-name>"

With Azure PowerShell, use the Get-AzKeyVault cmdlet.

Get-AzKeyVault -VaultName "<your-unique-keyvault-name>"

The Resource ID for your key vault will be in the format "/subscriptions/<subscription-id>/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>". Note it for the next step.

Enable logging using the Azure CLI or Azure PowerShell

To enable logging for Key Vault, we'll use the Azure CLI az monitor diagnostic-settings create command, or the Set-AzDiagnosticSetting cmdlet, together with the storage account ID and the key vault Resource ID. With the Azure CLI:

az monitor diagnostic-settings create --storage-account "<storage-account-id>" --resource "<key-vault-resource-id>" --name "Key vault logs" --logs '[{"category": "AuditEvent","enabled": true}]' --metrics '[{"category": "AllMetrics","enabled": true}]'

With Azure PowerShell, we'll use the Set-AzDiagnosticSetting cmdlet, with the -Enabled flag set to $true and the category set to AuditEvent (the category that carries Key Vault access logs):

Set-AzDiagnosticSetting -ResourceId "<key-vault-resource-id>" -StorageAccountId $sa.id -Enabled $true -Category "AuditEvent"

Optionally, you can set a retention policy for your logs, so that older logs are automatically deleted after a specified amount of time. For example, you could set a retention policy that automatically deletes logs older than 90 days.

With Azure PowerShell, use the Set-AzDiagnosticSetting cmdlet.

Set-AzDiagnosticSetting -ResourceId "<key-vault-resource-id>" -StorageAccountId $sa.Id -Enabled $true -Category "AuditEvent" -RetentionEnabled $true -RetentionInDays 90
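The steps above (connect to the subscription, create the storage account, resolve the vault's Resource ID, turn on AuditEvent logging with retention) can be run as one script. The following PowerShell is an added example, not code from the original article: it assumes the placeholder values shown in angle brackets, the resource group and location from the quickstarts, and the Az.Monitor version that provides Set-AzDiagnosticSetting (on which Get-AzDiagnosticSetting exposes Logs and StorageAccountId). The final check reads the setting back so that a typo in the storage account ID or a silently skipped category is caught immediately rather than discovered when the logs are needed.

```powershell
# Added example, not from the original article: enable Key Vault AuditEvent
# logging end to end with Azure PowerShell, then verify the resulting setting.
# Assumed values (replace with your own): subscription ID, resource group,
# location, storage account name and key vault name.
$subscriptionId = "<subscriptionID>"
$resourceGroup  = "myResourceGroup"
$location       = "chinanorth"
$storageAccount = "<your-unique-storage-account-name>"
$vaultName      = "<your-unique-keyvault-name>"

# Work in the subscription that contains the key vault.
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Create a dedicated Standard_LRS storage account for the logs, or reuse it
# if it already exists (it must be in this subscription, ARM deployment model).
$sa = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount -ErrorAction SilentlyContinue
if (-not $sa) {
    $sa = New-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount -SkuName "Standard_LRS" -Location $location
}

# Resolve the key vault's Resource ID from its name.
$vault = Get-AzKeyVault -VaultName $vaultName
if (-not $vault) { throw "Key vault '$vaultName' was not found in subscription $subscriptionId." }

# Send AuditEvent logs to the storage account and keep them for 90 days.
Set-AzDiagnosticSetting -ResourceId $vault.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category "AuditEvent" -RetentionEnabled $true -RetentionInDays 90 | Out-Null

# Verify: AuditEvent must be enabled and must point at the intended account.
$setting = Get-AzDiagnosticSetting -ResourceId $vault.ResourceId
$audit   = $setting.Logs | Where-Object { $_.Category -eq "AuditEvent" }
if (-not $audit -or -not $audit.Enabled) { throw "AuditEvent logging is not enabled on $vaultName." }
if ($setting.StorageAccountId -ne $sa.Id) { throw "Diagnostic setting does not target $storageAccount." }
Write-Host ("AuditEvent logging enabled on {0} -> {1} (retention {2} days)" -f $vaultName, $storageAccount, $audit.RetentionPolicy.Days)
```

Run it as a signed-in user who holds write permission on both the vault and the storage account; the verification step only needs read access to the vault's diagnostic settings.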

What is logged:

  • All authenticated REST API requests, including failed requests as a result of access permissions, system errors, or bad requests.
  • Operations on the key vault itself, including creation, deletion, setting key vault access policies, and updating key vault attributes such as tags.
  • Operations on keys and secrets in the key vault, including:
    • Creating, modifying, or deleting these keys or secrets.
    • Signing, verifying, encrypting, decrypting, wrapping and unwrapping keys, getting secrets, and listing keys and secrets (and their versions).
  • Unauthenticated requests that result in a 401 response. Examples are requests that don't have a bearer token, that are malformed or expired, or that have an invalid token.
  • Event Grid notification events for near expiry, expired, and vault access policy changed (the new version event is not logged). These events are logged regardless of whether an event subscription has been created on the key vault. For more information, see Event Grid event schema for Key Vault.

Access your logs

Key Vault logs are stored in the "insights-logs-auditevent" container in the storage account that you provided. To view the logs, you have to download the blobs.

First, list all the blobs in the container. With the Azure CLI, use the az storage blob list command.

az storage blob list --account-name "<your-unique-storage-account-name>" --container-name "insights-logs-auditevent"

With Azure PowerShell, use the Get-AzStorageBlob cmdlet to list all the blobs in this container:

Get-AzStorageBlob -Container "insights-logs-auditevent" -Context $sa.Context

As you will see from the output of either the Azure CLI command or the Azure PowerShell cmdlet, the blob names are in the format resourceId=<ARM resource ID>/y=<year>/m=<month>/d=<day of month>/h=<hour>/m=<minute>/filename.json. The date and time values use UTC.

Because you can use the same storage account to collect logs for multiple resources, the full resource ID in the blob name is useful for accessing or downloading just the blobs that you need. But before we do that, we'll first cover how to download all the blobs.

With the Azure CLI, use the az storage blob download command, passing it the name of the blob and the path to the file where you wish to save the results.

az storage blob download --container-name "insights-logs-auditevent" --file <path-to-file> --name "<blob-name>" --account-name "<your-unique-storage-account-name>"

With Azure PowerShell, use the Get-AzStorageBlob cmdlet to get a list of the blobs, then pipe that to the Get-AzStorageBlobContent cmdlet to download the logs to your chosen path.

$blobs = Get-AzStorageBlob -Container "insights-logs-auditevent" -Context $sa.Context | Get-AzStorageBlobContent -Destination "<path-to-file>"

When you run this second cmdlet in PowerShell, the / delimiter in the blob names creates a full folder structure under the destination folder. You'll use this structure to download and store the blobs as files.

To selectively download blobs, use wildcards in the -Blob parameter. For example:

  • If you have multiple key vaults and want to download logs for just one key vault, named CONTOSOKEYVAULT3, use -Blob '*/VAULTS/CONTOSOKEYVAULT3/*':

    Get-AzStorageBlob -Container "insights-logs-auditevent" -Context $sa.Context -Blob '*/VAULTS/CONTOSOKEYVAULT3/*'
    
  • If you have multiple resource groups and want to download logs for just one resource group, use -Blob '*/RESOURCEGROUPS/<resource group name>/*':

    Get-AzStorageBlob -Container "insights-logs-auditevent" -Context $sa.Context -Blob '*/RESOURCEGROUPS/CONTOSORESOURCEGROUP3/*'
    
  • If you want to download all the logs for the month of January 2019, use -Blob '*/y=2019/m=01/*':

    Get-AzStorageBlob -Container "insights-logs-auditevent" -Context $sa.Context -Blob '*/y=2019/m=01/*'
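The wildcard patterns above can be combined (vault and date in one pattern) and fed straight into the download and parse steps. The following PowerShell is an added example, not code from the original article: it assumes the $sa variable from the storage account step, a vault named CONTOSOKEYVAULT3, a download folder under $env:TEMP, and the record fields of the Key Vault AuditEvent schema (time, operationName, resultSignature, callerIpAddress, properties.requestUri, properties.httpStatusCode) as described in the linked "Key Vault logging" article; adjust the field names if your records differ. It pulls one vault's blobs for a single UTC day, tallies operations by result, and lists the 401 and 403 calls, which are the entries worth reviewing first because they are logged even though no key or secret was returned.

```powershell
# Added example, not from the original article: fetch one vault's AuditEvent
# blobs for a single UTC day, parse the records and surface denied calls.
# Assumes $sa from the "Create a storage account" step and the AuditEvent
# record fields named in the lead-in (adjust if your records differ).
$vaultName = "CONTOSOKEYVAULT3"                    # assumed vault name
$day       = [datetime]::UtcNow.Date.AddDays(-1)   # yesterday, in UTC like the blob names
$dest      = Join-Path $env:TEMP "kv-logs"         # assumed download folder

# Blob names are resourceId=<ARM ID>/y=<yyyy>/m=<MM>/d=<dd>/h=<HH>/m=<mm>/<file>.json,
# so one wildcard pattern narrows the listing to a single vault and a single day.
$pattern = '*/VAULTS/{0}/y={1:yyyy}/m={1:MM}/d={1:dd}/*' -f $vaultName.ToUpper(), $day
$blobs = Get-AzStorageBlob -Container "insights-logs-auditevent" -Context $sa.Context -Blob $pattern
if (-not $blobs) {
    Write-Warning ("No AuditEvent blobs for {0} on {1:yyyy-MM-dd} UTC" -f $vaultName, $day)
    return
}
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$blobs | Get-AzStorageBlobContent -Destination $dest -Force | Out-Null

# Each blob is JSON: either a single {"records":[...]} document or one record
# per line. Accept both and flatten everything into one list of records.
$records = foreach ($file in Get-ChildItem -Path $dest -Recurse -Filter *.json) {
    $text = Get-Content -Path $file.FullName -Raw
    if ($text.TrimStart().StartsWith('{"records"')) {
        ($text | ConvertFrom-Json).records
    } else {
        $text -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { $_ | ConvertFrom-Json }
    }
}

# What was done to the vault, and with what result: one row per (operation, result).
$records | Group-Object operationName, resultSignature |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Unauthenticated (401) and forbidden (403) calls: who tried what, from where.
$denied = $records | Where-Object { $_.properties.httpStatusCode -in 401, 403 }
foreach ($r in $denied) {
    "{0} {1} {2} from {3} -> {4}" -f $r.time, $r.operationName, $r.properties.requestUri, $r.callerIpAddress, $r.resultSignature
}
```

Because the date parts of the blob name are UTC, the day boundary used here is also UTC; convert local incident times before choosing $day. The pattern filters on the blob name only, so listing is cheap even when the container holds logs for many resources.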
    

You're now ready to start looking at what's in the logs. But before we move on to that, you should know two more commands:

For details on how to read the logs, see Key Vault logging: Interpret your Key Vault logs.

Use Azure Monitor logs

You can use the Key Vault solution in Azure Monitor logs to review Key Vault AuditEvent logs. In Azure Monitor logs, you use log queries to analyze data and get the information you need.

For more information, including how to set this up, see Azure Key Vault in Azure Monitor.

Next steps