Azure Key Vault 日志记录Azure Key Vault logging

在创建一个或多个 Key Vault 之后,可能需要监视 Key Vault 的访问方式、时间和访问者。After you create one or more key vaults, you'll likely want to monitor how and when your key vaults are accessed, and by whom. 为此,可以启用 Azure Key Vault 日志记录,以便在提供的 Azure 存储帐户中保存信息。You can do this by enabling logging for Azure Key Vault, which saves information in an Azure storage account that you provide. 有关设置此操作的分步指南,请参阅如何启用 Key Vault 日志记录For step by step guidance on setting this up, see How to enable Key Vault logging.

最多在执行 Key Vault 操作 10 分钟后,就能访问其日志记录信息。You can access your logging information 10 minutes (at most) after the key vault operation. 但大多数情况下不用等待这么长时间。In most cases, it will be quicker than this. 存储帐户中的日志完全由你管理:It's up to you to manage your logs in your storage account:

  • 请使用标准的 Azure 访问控制方法限制可访问日志的人员,以此保护日志。Use standard Azure access control methods to secure your logs by restricting who can access them.
  • 删除不想继续保留在存储帐户中的日志。Delete logs that you no longer want to keep in your storage account.

有关 Key Vault的概述信息,请参阅什么是 Azure Key Vault?For overview information about Key Vault, see What is Azure Key Vault?. 有关 Key Vault 可用位置的信息,请参阅定价页For information about where Key Vault is available, see the pricing page. 有关将 Azure Monitor 用于 Key Vault 的信息。For information about using Azure Monitor for Key Vault.

解释 Key Vault 日志Interpret your Key Vault logs

启用日志记录时,系统会为你指定的存储帐户自动创建一个名为“insights-logs-auditevent”的新容器。When you enable logging, a new container called insights-logs-auditevent is automatically created for your specified storage account. 可以使用此同一个存储帐户来收集多个 Key Vault 的日志。You can use this same storage account for collecting logs for multiple key vaults.

每个 Blob 存储为文本,并格式化为 JSON Blob。Individual blobs are stored as text, formatted as a JSON blob. 让我们看一个示例日志项。Let's look at an example log entry.

    {
        "records":
        [
            {
                "time": "2016-01-05T01:32:01.2691226Z",
                "resourceId": "/SUBSCRIPTIONS/361DA5D4-A47A-4C79-AFDD-XXXXXXXXXXXX/RESOURCEGROUPS/CONTOSOGROUP/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/CONTOSOKEYVAULT",
                "operationName": "VaultGet",
                "operationVersion": "2015-06-01",
                "category": "AuditEvent",
                "resultType": "Success",
                "resultSignature": "OK",
                "resultDescription": "",
                "durationMs": "78",
                "callerIpAddress": "104.40.82.76",
                "correlationId": "",
                "identity": {"claim":{"http://schemas.microsoft.com/identity/claims/objectidentifier":"d9da5048-2737-4770-bd64-XXXXXXXXXXXX","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"live.com#username@outlook.com","appid":"1950a258-227b-4e31-a9cf-XXXXXXXXXXXX"}},
                "properties": {"clientInfo":"azure-resource-manager/2.0","requestUri":"https://control-prod-wus.vaultcore.azure.cn/subscriptions/361da5d4-a47a-4c79-afdd-XXXXXXXXXXXX/resourcegroups/contosoresourcegroup/providers/Microsoft.KeyVault/vaults/contosokeyvault?api-version=2015-06-01","id":"https://contosokeyvault.vault.azure.cn/","httpStatusCode":200}
            }
        ]
    }

下表列出了字段的名称和描述:The following table lists the field names and descriptions:

字段名称Field name 说明Description
timetime 日期和时间 (UTC)。Date and time in UTC.
resourceIdresourceId Azure 资源管理器资源 ID。Azure Resource Manager resource ID. 对于密钥保管库日志而言,这始终是密钥保管库资源 ID。For Key Vault logs, this is always the Key Vault resource ID.
operationNameoperationName 下一份表格中所述操作的名称。Name of the operation, as documented in the next table.
operationVersionoperationVersion 客户端请求的 REST API 版本。REST API version requested by the client.
categorycategory 结果的类型。Type of result. 对于 Key Vault 日志而言,AuditEvent 是唯一可用值。For Key Vault logs, AuditEvent is the single, available value.
resultTyperesultType REST API 请求的结果。Result of the REST API request.
resultSignatureresultSignature HTTP 状态。HTTP status.
resultDescriptionresultDescription 有关结果的其他描述(如果有)。Additional description about the result, when available.
durationMsdurationMs 为 REST API 请求提供服务所花费的时间,以毫秒为单位。Time it took to service the REST API request, in milliseconds. 此时间不包括网络延迟,因此在客户端上测得的时间可能与此时间不匹配。This does not include the network latency, so the time you measure on the client side might not match this time.
callerIpAddresscallerIpAddress 发出请求的客户端的 IP 地址。IP address of the client that made the request.
correlationIdcorrelationId 一个可选 GUID,客户端可传递此 GUID 来使客户端日志与服务端 (Key Vault) 日志相关联。An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs.
identityidentity 在 REST API 请求中提供的令牌中的标识。Identity from the token that was presented in the REST API request. 与通过 Azure PowerShell cmdlet 发出请求一样,这通常是“用户”、“服务主体”,或者“用户+应用 ID”的组合。This is usually a "user," a "service principal," or the combination "user+appId," as in the case of a request that results from an Azure PowerShell cmdlet.
propertiesproperties 此字段根据操作 (operationName) 包含不同的信息。Information that varies based on the operation (operationName). 在大多数情况下,此字段包含客户端信息(客户端传递的用户代理字符串)、具体 REST API 请求 URI 和 HTTP 状态代码。In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. 此外,在根据请求(例如,KeyCreate 或 VaultGet)返回对象时,此字段还将包含密钥 URI(id 形式)、保管库 URI 或机密 URI。In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI.

operationName 字段值采用 ObjectVerb 格式。The operationName field values are in ObjectVerb format. 例如:For example:

  • 所有 Key Vault 操作采用 Vault<action> 格式,例如 VaultGetVaultCreateAll key vault operations have the Vault<action> format, such as VaultGet and VaultCreate.
  • 所有密钥操作采用 Key<action> 格式,例如 KeySignKeyListAll key operations have the Key<action> format, such as KeySign and KeyList.
  • 所有机密操作采用 Secret<action> 格式,例如 SecretGetSecretListVersionsAll secret operations have the Secret<action> format, such as SecretGet and SecretListVersions.

下表列出了 operationName 值和对应的 REST API 命令:The following table lists the operationName values and corresponding REST API commands:

操作名称表Operation names table

operationNameoperationName REST API 命令REST API command
身份验证Authentication 通过 Azure Active Directory 终结点进行身份验证Authenticate via Azure Active Directory endpoint
VaultGetVaultGet 获取有关密钥保管库的信息Get information about a key vault
VaultPutVaultPut 创建或更新密钥保管库Create or update a key vault
VaultDeleteVaultDelete 删除密钥保管库Delete a key vault
VaultPatchVaultPatch 更新密钥保管库Update a key vault
VaultListVaultList 列出资源组中的所有密钥保管库List all key vaults in a resource group
VaultPurgeVaultPurge 清除已删除的保管库Purge deleted vault
VaultRecoverVaultRecover 恢复已删除的保管库Recover deleted vault
VaultGetDeletedVaultGetDeleted 获取已删除的保管库Get deleted vault
VaultListDeletedVaultListDeleted 列出已删除的保管库List deleted vaults
KeyCreateKeyCreate 创建密钥Create a key
KeyGetKeyGet 获取有关密钥的信息Get information about a key
KeyImportKeyImport 将密钥导入保管库Import a key into a vault
KeyDeleteKeyDelete 删除密钥Delete a key
KeySignKeySign 使用密钥签名Sign with a key
KeyVerifyKeyVerify 使用密钥验证Verify with a key
KeyWrapKeyWrap 包装密钥Wrap a key
KeyUnwrapKeyUnwrap 解包密钥Unwrap a key
KeyEncryptKeyEncrypt 使用密钥加密Encrypt with a key
KeyDecryptKeyDecrypt 使用密钥解密Decrypt with a key
KeyUpdateKeyUpdate 更新密钥Update a key
KeyListKeyList 列出保管库中的密钥List the keys in a vault
KeyListVersionsKeyListVersions 列出密钥的版本List the versions of a key
KeyPurgeKeyPurge 清除密钥Purge a key
KeyBackupKeyBackup 备份密钥Backup a key
KeyRestoreKeyRestore 还原密钥Restore a key
KeyRecoverKeyRecover 恢复密钥Recover a key
KeyGetDeletedKeyGetDeleted 获取已删除的密钥Get deleted key
KeyListDeletedKeyListDeleted 列出保管库中已删除的密钥List the deleted keys in a vault
CertificateGetCertificateGet 获取有关证书的信息Get information about a certificate
CertificateCreateCertificateCreate 创建证书Create a certificate
CertificateImportCertificateImport 将证书导入保管库Import a certificate into a vault
CertificateUpdateCertificateUpdate 更新证书Update a certificate
CertificateListCertificateList 列出保管库中的证书List the certificates in a vault
CertificateListVersionsCertificateListVersions 列出证书的版本List the versions of a certificate
CertificateDeleteCertificateDelete 删除证书Delete a certificate
CertificatePurgeCertificatePurge 清除证书Purge a certificate
CertificateBackupCertificateBackup 备份证书Backup a certificate
CertificateRestoreCertificateRestore 还原证书Restore a certificate
CertificateRecoverCertificateRecover 恢复证书Recover a certificate
CertificateGetDeletedCertificateGetDeleted 获取已删除的证书Get deleted certificate
CertificateListDeletedCertificateListDeleted 列出保管库中已删除的证书List the deleted certificates in a vault
CertificatePolicyGetCertificatePolicyGet 获取证书策略Get certificate policy
CertificatePolicyUpdateCertificatePolicyUpdate 更新证书策略Update certificate policy
CertificatePolicySetCertificatePolicySet 创建证书策略Create certificate policy
CertificateContactsGetCertificateContactsGet 获取证书联系人Get certificate contacts
CertificateContactsSetCertificateContactsSet 设置证书联系人Set certificate contacts
CertificateContactsDeleteCertificateContactsDelete 删除证书联系人Delete certificate contacts
CertificateIssuerGetCertificateIssuerGet 获取证书颁发者Get certificate issuer
CertificateIssuerSetCertificateIssuerSet 设置证书颁发者Set certificate issuer
CertificateIssuerUpdateCertificateIssuerUpdate 更新证书颁发者Update certificate issuer
CertificateIssuerDeleteCertificateIssuerDelete 删除证书颁发者Delete certificate issuer
CertificateIssuersListCertificateIssuersList 列出证书颁发者List the certificate issuers
CertificateEnrollCertificateEnroll 注册证书Enroll a certificate
CertificateRenewCertificateRenew 续订证书Renew a certificate
CertificatePendingGetCertificatePendingGet 检索挂起的证书Retrieve pending certificate
CertificatePendingMergeCertificatePendingMerge 挂起证书合并Pending a certificate merge
CertificatePendingUpdateCertificatePendingUpdate 挂起证书更新Pending a certificate update
CertificatePendingDeleteCertificatePendingDelete 删除挂起的证书Delete pending certificate
SecretSetSecretSet 创建机密Create a secret
SecretGetSecretGet 获取机密Get a secret
SecretUpdateSecretUpdate 更新机密Update a secret
SecretDeleteSecretDelete 删除机密Delete a secret
SecretListSecretList 列出保管库中的机密List secrets in a vault
SecretListVersionsSecretListVersions 列出机密的版本List versions of a secret
SecretPurgeSecretPurge 清除机密Purge a secret
SecretBackupSecretBackup 备份机密Backup a secret
SecretRestoreSecretRestore 还原机密Restore a secret
SecretRecoverSecretRecover 恢复机密Recover a secret
SecretGetDeletedSecretGetDeleted 获取已删除的机密Get deleted secret
SecretListDeletedSecretListDeleted 列出保管库中已删除的机密List the deleted secrets in a vault
VaultAccessPolicyChangedEventGridNotificationVaultAccessPolicyChangedEventGridNotification 保管库访问策略更改事件已发布Vault access policy changed event published
SecretNearExpiryEventGridNotificationSecretNearExpiryEventGridNotification 机密即将过期事件已发布Secret near expiry event published
SecretExpiredEventGridNotificationSecretExpiredEventGridNotification 机密已过期事件已发布Secret expired event published
KeyNearExpiryEventGridNotificationKeyNearExpiryEventGridNotification 密钥即将过期事件已发布Key near expiry event published
KeyExpiredEventGridNotificationKeyExpiredEventGridNotification 密钥已过期事件已发布Key expired event published
CertificateNearExpiryEventGridNotificationCertificateNearExpiryEventGridNotification 证书即将过期事件已发布Certificate near expiry event published
CertificateExpiredEventGridNotificationCertificateExpiredEventGridNotification 证书已过期事件已发布Certificate expired event published

使用 Azure Monitor 日志Use Azure Monitor logs

可以使用 Azure Monitor 日志中的 Key Vault 解决方案查看 Key Vault AuditEvent 日志。You can use the Key Vault solution in Azure Monitor logs to review Key Vault AuditEvent logs. 在 Azure Monitor 日志中,可以使用日志查询来分析数据并获取所需的信息。In Azure Monitor logs, you use log queries to analyze data and get the information you need.

有关详细信息,包括如何进行设置,请参阅 Azure Monitor 中的 Azure Key VaultFor more information, including how to set this up, see Azure Key Vault in Azure Monitor.

后续步骤Next steps