Description:
Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
Rationale:
Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.
From Azure Portal
From Azure CLI
To update an existing 'Diagnostic Settings'
az monitor diagnostic-settings update --name "" --resource --set retentionPolicy.days=90
To create a new 'Diagnostic Settings'
az monitor diagnostic-settings create --name --resource --logs "[{category:AuditEvents,enabled:true,retention-policy:{enabled:true,days:180}}]" --metrics "[{category:AllMetrics,enabled:true,retention-policy:{enabled:true,days:180}}]" <[--event-hub --event-hub-rule | --storage-account |--workspace | --marketplace-partner-id ]>
From PowerShell
Create the 'Log' settings object
$logSettings = @()
$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AuditEvent
Create the 'Metric' settings object
$metricSettings = @()
$metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics
Create the 'Diagnostic Settings' for each 'Key Vault'
New-AzDiagnosticSetting -Name "" -ResourceId -Log $logSettings -Metric $metricSettings [-StorageAccountId | -EventHubName -EventHubAuthorizationRuleId | -WorkSpaceId | -MarketPlacePartnerId ]