Unable to get Key Vault logs RRS feed

  • Question

  • Hi, all. I've managed to get the ARM logs created, but so far I've been unable to get JSON files in the EventHubJson folder for Key Vault. I setup the Key Vault to log to both a storage account and event hub, and I can see the logs in the storage account and the number of messages in the event hub increase. I think everything should be in place on the Azure side but I'm still not getting anything.

    Question: Is it necessary to use a separate event hub for the Key Vault logs, or can we use the same one that we use for the Activity Log? I've tried both and neither work.

    I'm unable to run the code as-is in the documentation (https://docs.microsoft.com/en-us/azure/security/security-azure-log-integration-keyvault-eventhub#configure-azure-log-integration) because the Get-AzureRmEventHubNamespaceKey was deprecated in the ARM PowerShell module (I'm running 6.2.1). I came up with the following replacement code. I think this _should_ work, but I'm guessing I have something wrong in it.

    $kvName = "kv01"
    $rgname = "rg01"
    $storagename = "sa01"
    $eventHubnamespaceName = "ehub01"
    $location = "usgovvirginia"
    $sub = (Get-AzureRmContext).Subscription.Id
    $locations = @('global') + $(Get-AzureRmLocation).location
    $eventHubNameSpace = New-AzureRmEventHubNamespace -ResourceGroupName $rgname -NamespaceName $eventHubnamespaceName -Location $locations
    #$eventHubNameSpace = Get-AzureRmEventHubNamespace -ResourceGroupName $rgname -NamespaceName $eventHubnamespaceName
    # Setup logging onthe Key Vault to go to the Event Hub
    $kv = Get-AzureRmKeyVault -ResourceGroupName $rgname -VaultName $kvName
    $sbruleid = $eventHubNameSpace.Id +'/authorizationrules/RootManageSharedAccessKey'
    Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -ServiceBusRuleId $sbruleid -Enabled $true -StorageAccountId $storage.Id | Out-Null
    # Add the Event Hub as am AzLog source
    $storage = Get-AzureRmStorageAccount -ResourceGroupName $rgname -Name $storagename
    $storagekeys = Get-AzureRmStorageAccountKey -ResourceGroupName $rgname -Name $storagename
    $storagekey = $storagekeys[0].Value
    $eventHubKey = Get-AzureRmEventHubKey -ResourceGroupName $rgname -Namespace $eventHubnamespaceName -Name "RootManageSharedAccessKey"
    $eventhubs = Get-AzureRmEventHub -ResourceGroupName $rgname -NamespaceName $eventHubNamespaceName
    $eventhubs.Name | Where-Object {
            Add-AzLogEventSource -Name $sub' - '$_ -StorageAccount $storage.StorageAccountName -StorageKey $storageKey -EventHubConnectionString $eventHubKey.PrimaryConnectionString -EventHubName $_

    Has anyone else been able to get this stuff working with AzureRm 6+ PowerShell?

    Brian Laws (Sr. Principal Cloud Computing Engineer, SAIC)

    Tuesday, June 19, 2018 7:41 PM

All replies

  • Does AzLog write application logs anywhere? Any logs that I can dive into?

    Brian Laws (Sr. Principal Cloud Computing Engineer, SAIC)

    Tuesday, June 19, 2018 7:51 PM
  • Hello Brian, some important information about Azlog Integration.

    Azure Log integration will be deprecated by June 1, 2019.  As of June 27<sup>th</sup>, 2018, AzLog downloads have been disabled. All Az log features are supported in Azure Monitor.

    For guidance on how to use Azure monitor to integrate Azure logs with SIEM tools, review the official blog post https://azure.microsoft.com/blog/use-azure-monitor-to-integrate-with-siem-tools/

    • Proposed as answer by Femisulu-MSFT Tuesday, July 3, 2018 7:38 AM
    Tuesday, July 3, 2018 7:38 AM