Azure Key Vault logging
After you create one or more key vaults, you'll likely want to monitor how and when your key vaults are accessed, and by whom. You can do this by enabling logging for Azure Key Vault, which saves information in an Azure storage account that you provide. For step-by-step guidance on setting this up, see How to enable Key Vault logging.
You can access your logging information 10 minutes (at most) after the key vault operation. In most cases, it will be quicker than this. It's up to you to manage your logs in your storage account:
- Use standard Azure access control methods to secure your logs by restricting who can access them.
- Delete logs that you no longer want to keep in your storage account.
For overview information about Key Vault, see What is Azure Key Vault?. For information about where Key Vault is available, see the pricing page. For information about using Azure Monitor for Key Vault.
Interpret your Key Vault logs
When you enable logging, a new container called insights-logs-auditevent is automatically created for your specified storage account. You can use this same storage account for collecting logs for multiple key vaults.
Individual blobs are stored as text, formatted as a JSON blob. Let's look at an example log entry.
```json
{
  "records":
  [
    {
      "time": "2016-01-05T01:32:01.2691226Z",
      "resourceId": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT",
      "operationName": "VaultGet",
      "operationVersion": "2015-06-01",
      "category": "AuditEvent",
      "resultType": "Success",
      "resultSignature": "OK",
      "resultDescription": "",
      "durationMs": "78",
      "callerIpAddress": "104.40.82.76",
      "correlationId": "",
      "identity": {"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"d9da5048-2737-4770-bd64-XXXXXXXXXXXX","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"live.com#username@outlook.com","appid":"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX"}},
      "properties": {"clientInfo":"azure-resource-manager/2.0","requestUri":"https://control-prod-wus.vaultcore.azure.cn/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01","id":"https://contosokeyvault.vault.azure.cn/","httpStatusCode":200}
    }
  ]
}
```
The following table lists the field names and descriptions:
Field name | Description |
---|---|
time | Date and time in UTC. |
resourceId | Azure Resource Manager resource ID. For Key Vault logs, this is always the Key Vault resource ID. |
operationName | Name of the operation, as documented in the next table. |
operationVersion | REST API version requested by the client. |
category | Type of result. For Key Vault logs, AuditEvent is the single available value. |
resultType | Result of the REST API request. |
resultSignature | HTTP status. |
resultDescription | Additional description about the result, when available. |
durationMs | Time it took to service the REST API request, in milliseconds. This does not include network latency, so the time you measure on the client side might not match this time. |
callerIpAddress | IP address of the client that made the request. |
correlationId | An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs. |
identity | Identity from the token that was presented in the REST API request. This is usually a "user," a "service principal," or the combination "user+appId," as in the case of a request that results from an Azure PowerShell cmdlet. |
properties | Information that varies based on the operation (operationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI. |
The operationName field values are in ObjectVerb format. For example:
- All key vault operations have the Vault<action> format, such as VaultGet and VaultCreate.
- All key operations have the Key<action> format, such as KeySign and KeyList.
- All secret operations have the Secret<action> format, such as SecretGet and SecretListVersions.
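The following is an added example, not code from the Azure documentation: it parses a blob in the insights-logs-auditevent record format shown above, splits each operationName into its ObjectVerb parts, renders the identity claims as "user", "user+appId" or service principal as the field table describes, and tallies non-Success results per caller for access-denied triage. The sample blob, principal names, IP addresses and app IDs are constructed placeholders.

```python
import json
from collections import Counter

# Claim URIs that appear under identity.claim in a Key Vault AuditEvent record.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# Constructed sample blob: one successful VaultGet by a user via an app,
# one SecretGet by a service principal that was refused with HTTP 403.
SAMPLE_BLOB = json.dumps({"records": [
    {"time": "2016-01-05T01:32:01.2691226Z", "operationName": "VaultGet",
     "resultType": "Success", "resultSignature": "OK", "durationMs": "78",
     "callerIpAddress": "104.40.82.76",
     "identity": {"claim": {UPN_CLAIM: "alice@example.com", "appid": "app-0001"}},
     "properties": {"httpStatusCode": 200}},
    {"time": "2016-01-05T01:33:10.0000000Z", "operationName": "SecretGet",
     "resultType": "Failed", "resultSignature": "Forbidden", "durationMs": "12",
     "callerIpAddress": "203.0.113.9",
     "identity": {"claim": {OID_CLAIM: "oid-0002", "appid": "app-0002"}},
     "properties": {"httpStatusCode": 403}},
]})

def split_operation(name):
    """Split an ObjectVerb operationName into (object, verb); 'Authentication' has no object."""
    for obj in ("Certificate", "Vault", "Key", "Secret"):
        if name.startswith(obj) and len(name) > len(obj):
            return obj, name[len(obj):]
    return None, name

def principal(identity):
    """Render the identity claims as user, user+appId, or service principal (by object id)."""
    claims = (identity or {}).get("claim", {})
    user, app = claims.get(UPN_CLAIM), claims.get("appid")
    if user and app:
        return f"{user}+{app}"      # user+appId, e.g. a request from a PowerShell cmdlet
    if user:
        return user
    return f"sp:{claims.get(OID_CLAIM, 'unknown')}"

def parse_audit_blob(text):
    """Flatten each record into the fields a reviewer triages on."""
    events = []
    for rec in json.loads(text)["records"]:
        obj, verb = split_operation(rec["operationName"])
        events.append({
            "time": rec["time"], "object": obj, "verb": verb,
            "success": rec["resultType"] == "Success",
            "status": rec.get("properties", {}).get("httpStatusCode"),
            "duration_ms": int(rec["durationMs"]),   # logged as a string in the sample above
            "caller_ip": rec["callerIpAddress"],
            "principal": principal(rec.get("identity"))})
    return events

def failed_access_by_caller(events):
    """Count non-Success results per (callerIpAddress, principal) to spot denied access patterns."""
    return Counter((e["caller_ip"], e["principal"]) for e in events if not e["success"])
```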
The following table lists the operationName values and corresponding REST API commands:
Operation names table
operationName | REST API command |
---|---|
Authentication | Authenticate via Azure Active Directory endpoint |
VaultGet | Get information about a key vault |
VaultPut | Create or update a key vault |
VaultDelete | Delete a key vault |
VaultPatch | Update a key vault |
VaultList | List all key vaults in a resource group |
VaultPurge | Purge deleted vault |
VaultRecover | Recover deleted vault |
VaultGetDeleted | Get deleted vault |
VaultListDeleted | List deleted vaults |
KeyCreate | Create a key |
KeyGet | Get information about a key |
KeyImport | Import a key into a vault |
KeyDelete | Delete a key |
KeySign | Sign with a key |
KeyVerify | Verify with a key |
KeyWrap | Wrap a key |
KeyUnwrap | Unwrap a key |
KeyEncrypt | Encrypt with a key |
KeyDecrypt | Decrypt with a key |
KeyUpdate | Update a key |
KeyList | List the keys in a vault |
KeyListVersions | List the versions of a key |
KeyPurge | Purge a key |
KeyBackup | Back up a key |
KeyRestore | Restore a key |
KeyRecover | Recover a key |
KeyGetDeleted | Get deleted key |
KeyListDeleted | List the deleted keys in a vault |
CertificateGet | Get information about a certificate |
CertificateCreate | Create a certificate |
CertificateImport | Import a certificate into a vault |
CertificateUpdate | Update a certificate |
CertificateList | List the certificates in a vault |
CertificateListVersions | List the versions of a certificate |
CertificateDelete | Delete a certificate |
CertificatePurge | Purge a certificate |
CertificateBackup | Back up a certificate |
CertificateRestore | Restore a certificate |
CertificateRecover | Recover a certificate |
CertificateGetDeleted | Get deleted certificate |
CertificateListDeleted | List the deleted certificates in a vault |
CertificatePolicyGet | Get certificate policy |
CertificatePolicyUpdate | Update certificate policy |
CertificatePolicySet | Create certificate policy |
CertificateContactsGet | Get certificate contacts |
CertificateContactsSet | Set certificate contacts |
CertificateContactsDelete | Delete certificate contacts |
CertificateIssuerGet | Get certificate issuer |
CertificateIssuerSet | Set certificate issuer |
CertificateIssuerUpdate | Update certificate issuer |
CertificateIssuerDelete | Delete certificate issuer |
CertificateIssuersList | List the certificate issuers |
CertificateEnroll | Enroll a certificate |
CertificateRenew | Renew a certificate |
CertificatePendingGet | Retrieve pending certificate |
CertificatePendingMerge | Pending a certificate merge |
CertificatePendingUpdate | Pending a certificate update |
CertificatePendingDelete | Delete pending certificate |
SecretSet | Create a secret |
SecretGet | Get a secret |
SecretUpdate | Update a secret |
SecretDelete | Delete a secret |
SecretList | List secrets in a vault |
SecretListVersions | List versions of a secret |
SecretPurge | Purge a secret |
SecretBackup | Back up a secret |
SecretRestore | Restore a secret |
SecretRecover | Recover a secret |
SecretGetDeleted | Get deleted secret |
SecretListDeleted | List the deleted secrets in a vault |
VaultAccessPolicyChangedEventGridNotification | Vault access policy changed event published |
SecretNearExpiryEventGridNotification | Secret near expiry event published |
SecretExpiredEventGridNotification | Secret expired event published |
KeyNearExpiryEventGridNotification | Key near expiry event published |
KeyExpiredEventGridNotification | Key expired event published |
CertificateNearExpiryEventGridNotification | Certificate near expiry event published |
CertificateExpiredEventGridNotification | Certificate expired event published |
Use Azure Monitor logs
You can use the Key Vault solution in Azure Monitor logs to review Key Vault AuditEvent logs. In Azure Monitor logs, you use log queries to analyze data and get the information you need.
For more information, including how to set this up, see Azure Key Vault in Azure Monitor.
Next steps
- How to enable Key Vault logging
- For a tutorial that uses Azure Key Vault in a .NET web application, see Use Azure Key Vault from a web application.
- For programming references, see the Azure Key Vault developer's guide.
- For a list of Azure PowerShell 1.0 cmdlets for Azure Key Vault, see Azure Key Vault cmdlets.