Unable to get Key Vault logs

  • Question

  • Hi, all. I've managed to get the ARM logs created, but so far I've been unable to get JSON files in the EventHubJson folder for Key Vault. I set up the Key Vault to log to both a storage account and event hub, and I can see the logs in the storage account and the number of messages in the event hub increase. I think everything should be in place on the Azure side but I'm still not getting anything.

    Question: Is it necessary to use a separate event hub for the Key Vault logs, or can we use the same one that we use for the Activity Log? I've tried both and neither works.

    I'm unable to run the code as-is in the documentation (https://docs.microsoft.com/en-us/azure/security/security-azure-log-integration-keyvault-eventhub#configure-azure-log-integration) because the Get-AzureRmEventHubNamespaceKey cmdlet was deprecated in the ARM PowerShell module (I'm running 6.2.1). I came up with the following replacement code. I think this _should_ work, but I'm guessing I have something wrong in it.

    $kvName = "kv01"
    $rgname = "rg01"
    $storagename = "sa01"
    $eventHubnamespaceName = "ehub01"
    $location = "usgovvirginia"
    
    $sub = (Get-AzureRmContext).Subscription.Id
    $locations = @('global') + $(Get-AzureRmLocation).location
    
    # -Location takes a single region, so pass $location rather than the $locations array
    $eventHubNameSpace = New-AzureRmEventHubNamespace -ResourceGroupName $rgname -NamespaceName $eventHubnamespaceName -Location $location
    #$eventHubNameSpace = Get-AzureRmEventHubNamespace -ResourceGroupName $rgname -NamespaceName $eventHubnamespaceName
    
    # Look up the storage account first; its Id is needed by the diagnostic setting below
    $storage = Get-AzureRmStorageAccount -ResourceGroupName $rgname -Name $storagename
    
    # Set up logging on the Key Vault to go to the Event Hub
    $kv = Get-AzureRmKeyVault -ResourceGroupName $rgname -VaultName $kvName
    $sbruleid = $eventHubNameSpace.Id +'/authorizationrules/RootManageSharedAccessKey'
    Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -ServiceBusRuleId $sbruleid -Enabled $true -StorageAccountId $storage.Id | Out-Null
    
    # Add the Event Hub as an AzLog source
    $storagekeys = Get-AzureRmStorageAccountKey -ResourceGroupName $rgname -Name $storagename
    $storagekey = $storagekeys[0].Value
    
    $eventHubKey = Get-AzureRmEventHubKey -ResourceGroupName $rgname -Namespace $eventHubnamespaceName -Name "RootManageSharedAccessKey"
    $eventhubs = Get-AzureRmEventHub -ResourceGroupName $rgname -NamespaceName $eventHubNamespaceName
    # ForEach-Object runs the block once per event hub name (Where-Object is a filter)
    $eventhubs.Name | ForEach-Object {
            Add-AzLogEventSource -Name "$sub - $_" -StorageAccount $storage.StorageAccountName -StorageKey $storageKey -EventHubConnectionString $eventHubKey.PrimaryConnectionString -EventHubName $_
        }
    

    Has anyone else been able to get this stuff working with AzureRm 6+ PowerShell?


    Brian Laws (Sr. Principal Cloud Computing Engineer, SAIC)

    Tuesday, June 19, 2018 7:41 PM

All replies