
I have diagnostic logs enabled for a key vault in Azure. On the key vault I have a firewall enabled. I am trying to find out which IP tried accessing the key vault using the logs. I run the following query, which is already available in Azure logs:

// List of callers identified by their IP address with their request count.  
// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services. 
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by CallerIPAddress, TimeGenerated

The above query does not show me the latest results, i.e. the last result it shows me is 12 hours old, whereas this key vault is being accessed consistently. Could anyone please shed some light on this? Thanks.

lavoizer
  • There is a lag... 12 hours seems a bit excessive. One potential troubleshooting step is to also send the logs to a storage account to confirm that the logs are actually being tracked. – DreadedFrost Jul 09 '20 at 01:56
  • @DreadedFrost Do you know, if we have multiple key vaults pointing to the same Log Analytics, how we can choose between the different key vaults in the query? – lavoizer Jul 09 '20 at 13:27

1 Answer


Try this to make sure the latest result is on top:

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by TimeGenerated, CallerIPAddress
| order by TimeGenerated desc

You could try this demo here. It seems to be caused by the lack of sorting.


Do you know, if we have multiple key vaults pointing to the same Log Analytics, how we can choose between the different key vaults in the query?

Add _ResourceId to choose the key vault you want:

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT" and _ResourceId == "{your-keyvault-resource-id}"
| summarize count() by TimeGenerated, CallerIPAddress
| order by TimeGenerated desc

Or summarize by _ResourceId:

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by TimeGenerated, CallerIPAddress, _ResourceId
| order by TimeGenerated desc
unknown
  • Yeah, I did the time sorting on the results too, but the results were the same. Do you know, if we have multiple key vaults pointing to the same Log Analytics, how we can choose between the different key vaults in the query? – lavoizer Jul 09 '20 at 13:23
  • @lavoizer The time of `TimeGenerated` uses UTC. Is that what confuses you? – unknown Jul 10 '20 at 02:03
  • @lavoizer I edited the answer about the issue (choosing between the different key vaults). – unknown Jul 10 '20 at 06:04
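The following query is an added example, not part of the original answer or of Microsoft's built-in sample queries. It builds on the answer's two points (sort by `TimeGenerated` descending, distinguish vaults by `_ResourceId`) and goes a little further than the page: it applies an explicit time window, derives the vault name from the resource ID, and reports per caller IP and per vault the request count, the number of non-successful results, the first and last time seen, and the set of operations attempted, which is the view a defender wants when checking what reached a firewalled vault. Every row in the `datatable`, including the subscription ID, resource group, vault names, IP addresses and `ResultType` values, is a constructed stand-in for real `AzureDiagnostics` rows; on a live workspace, drop the `let` block and query `AzureDiagnostics` directly.

```kql
// Constructed stand-in for the AzureDiagnostics table (all values below are made up).
// On a live workspace remove this datatable and replace SampleDiagnostics with AzureDiagnostics.
let SampleDiagnostics = datatable(
    TimeGenerated: datetime,
    ResourceProvider: string,
    _ResourceId: string,
    CallerIPAddress: string,
    OperationName: string,
    ResultType: string)
[
    datetime(2020-07-09 13:05:00), "MICROSOFT.KEYVAULT", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.keyvault/vaults/kv-demo-a", "203.0.113.10", "SecretGet",  "Success",
    datetime(2020-07-09 13:07:00), "MICROSOFT.KEYVAULT", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.keyvault/vaults/kv-demo-a", "203.0.113.10", "SecretGet",  "Success",
    datetime(2020-07-09 13:09:00), "MICROSOFT.KEYVAULT", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.keyvault/vaults/kv-demo-a", "198.51.100.7", "SecretGet",  "Forbidden",
    datetime(2020-07-09 13:12:00), "MICROSOFT.KEYVAULT", "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.keyvault/vaults/kv-demo-b", "203.0.113.10", "KeyDecrypt", "Success",
    // A non-Key-Vault row, to show why the ResourceProvider filter matters in the shared table.
    datetime(2020-07-09 13:15:00), "MICROSOFT.STORAGE",  "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.storage/storageaccounts/stdemo", "203.0.113.10", "GetBlob", "Success"
];
SampleDiagnostics
// AzureDiagnostics holds many services; keep only Key Vault rows.
| where ResourceProvider == "MICROSOFT.KEYVAULT"
// Explicit time window. The constructed rows are dated 2020-07-09; on live data use
// "where TimeGenerated > ago(24h)" and remember TimeGenerated is in UTC.
| where TimeGenerated between (datetime(2020-07-09 00:00:00) .. datetime(2020-07-10 00:00:00))
// The last path segment of the resource ID is the vault name, which reads better than the full ID.
| extend parts = split(_ResourceId, "/")
| extend VaultName = tostring(parts[array_length(parts) - 1])
// One row per vault and caller IP; "Denied" counts any result that is not Success
// (the ResultType strings here are constructed, check your own rows for the real values).
| summarize Requests   = count(),
            Denied     = countif(ResultType != "Success"),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Operations = make_set(OperationName)
    by VaultName, CallerIPAddress
// Most recent activity first, so the newest caller is at the top as the answer suggests.
| order by LastSeen desc, Requests desc
```

Two things to keep in mind when running this against a real workspace: the Logs blade applies its own time-range picker on top of whatever the query filters, so widen that picker as well if recent rows seem to be missing; and to measure the ingestion lag the comments discuss, add `| extend Lag = ingestion_time() - TimeGenerated` on the live `AzureDiagnostics` table (that function is not available on a `datatable`), which shows how far behind the workspace is relative to when Key Vault emitted each event.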