Audit logging your Azure Key Vaults is good practice. You need to know who accessed, or attempted to access, your key vault, and you need to be able to alert on those events. The simplest way to achieve this is to send the Key Vault audit logs (the 'AuditEvent' diagnostic category) to a Log Analytics workspace through an Azure Monitor diagnostic setting. Include that diagnostic setting in the ARM template used to create the key vault, so that logging is in place from the moment the vault exists rather than being switched on later by hand.
To enable logging, add the following resource to the 'resources' section of your ARM template, after the Key Vault resource itself. The 'dependsOn' entry ensures the vault is created before the diagnostic setting is applied to it, and the 'AuditEvent' log category is the one that records every data-plane request (secret, key and certificate operations) together with the caller's identity, IP address and the result.
{
  "name": "[concat(variables('keyVaultName'), '/Microsoft.Insights/', parameters('resourceDiagName'))]",
  "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
  "apiVersion": "2017-05-01-preview",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ],
  "properties": {
    "workspaceId": "[resourceId(parameters('logAnalyticsResourceGroup'), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalytics'))]",
    "metrics": [
      {
        "category": "AllMetrics",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        },
        "timeGrain": null
      }
    ],
    "logs": [
      {
        "category": "AuditEvent",
        "enabled": true
      }
    ]
  }
}
The essential part is the 'workspaceId' property, which points the diagnostic setting at the workspace that will receive the logs:
"workspaceId": "[resourceId(parameters('logAnalyticsResourceGroup'), 'Microsoft.OperationalInsights/workspaces', parameters('logAnalytics'))]"
The parameter 'logAnalyticsResourceGroup' is the resource group in which you created your Log Analytics workspace. It is passed to resourceId() explicitly because the workspace does not have to live in the same resource group as the key vault; a central logging workspace shared by many vaults is a common arrangement.
The parameter 'logAnalytics' is the name of the Log Analytics workspace in which you want the logs to be available.
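Once the 'AuditEvent' records are flowing into the workspace, the questions from the opening paragraph (who accessed the vault, who was refused, who changed the vault itself) become queries over those records. The script below is an added example for this post, not code from the original post or from the linked template repository. The record fields it reads (operationName, resultType, resultSignature, callerIpAddress, identity.claim and properties.httpStatusCode) follow the documented Key Vault diagnostic-log schema, but every record in it is constructed sample data, and the vault name, identities and IP addresses are made up.

```python
"""Triage Azure Key Vault AuditEvent records for denied access and vault changes.

Added example for this post; not code from the original post or the linked
template repository. Field names follow the documented Key Vault
diagnostic-log schema; the records, vault, identities and IPs are constructed.
"""
import json
from collections import Counter, defaultdict

# Claim key under which Key Vault records the caller's user principal name.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Control-plane operations that change the vault itself (access policies,
# network rules, deletion) rather than read a secret or key.
VAULT_CHANGE_OPS = {"VaultPut", "VaultPatch", "VaultDelete"}

VAULT = "https://kv-demo.vault.azure.net/"  # constructed vault name, not real


def _record(time, op, result, status, ip, claim, obj):
    """Build one constructed AuditEvent record in the documented shape."""
    return {
        "time": time,
        "category": "AuditEvent",
        "operationName": op,
        "resultType": result,
        "resultSignature": "OK" if status == 200 else result,
        "callerIpAddress": ip,
        "identity": {"claim": claim},
        "properties": {"httpStatusCode": status, "id": obj},
    }


# Constructed sample export, shaped like an export of the AuditEvent category
# once the diagnostic setting from the template is in place.
SAMPLE_EXPORT = json.dumps({"records": [
    _record("2024-03-01T10:00:01Z", "SecretGet", "Success", 200, "203.0.113.10",
            {UPN_CLAIM: "alice@example.com"}, VAULT + "secrets/db-password"),
    _record("2024-03-01T10:00:05Z", "SecretGet", "Forbidden", 403, "198.51.100.7",
            {UPN_CLAIM: "bob@example.com"}, VAULT + "secrets/db-password"),
    _record("2024-03-01T10:00:09Z", "SecretList", "Forbidden", 403, "198.51.100.7",
            {UPN_CLAIM: "bob@example.com"}, VAULT + "secrets"),
    _record("2024-03-01T10:00:14Z", "KeyGet", "Forbidden", 403, "198.51.100.7",
            {UPN_CLAIM: "bob@example.com"}, VAULT + "keys/signing-key"),
    _record("2024-03-01T10:01:30Z", "KeyDecrypt", "Success", 200, "10.0.0.4",
            {"appid": "00000000-0000-4000-8000-000000000001"}, VAULT + "keys/signing-key"),
    _record("2024-03-01T10:02:00Z", "VaultPatch", "Success", 200, "203.0.113.10",
            {UPN_CLAIM: "alice@example.com"}, VAULT),
]})


def caller_of(record):
    """Identify the caller: UPN for users, app ID for service principals."""
    claim = record.get("identity", {}).get("claim", {})
    return claim.get(UPN_CLAIM) or claim.get("appid") or "<unknown>"


def parse_records(export_json):
    """Load an export and keep only AuditEvent records."""
    return [r for r in json.loads(export_json).get("records", [])
            if r.get("category") == "AuditEvent"]


def denied_access(records):
    """Attempts the vault rejected (resultType other than Success, e.g. 403)."""
    return [r for r in records if r.get("resultType") != "Success"]


def repeated_denials(records, threshold=3):
    """(caller, source IP) pairs with at least `threshold` denials: the kind
    of condition worth raising an alert on."""
    counts = Counter((caller_of(r), r.get("callerIpAddress"))
                     for r in denied_access(records))
    return {key: n for key, n in counts.items() if n >= threshold}


def vault_changes(records):
    """Successful control-plane changes to the vault, as (caller, operation)."""
    return [(caller_of(r), r["operationName"]) for r in records
            if r.get("operationName") in VAULT_CHANGE_OPS
            and r.get("resultType") == "Success"]


def access_by_caller(records):
    """Which objects each caller successfully touched, and with what operation."""
    seen = defaultdict(set)
    for r in records:
        if r.get("resultType") == "Success":
            seen[caller_of(r)].add((r["operationName"], r["properties"]["id"]))
    return dict(seen)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    print("denied attempts:", len(denied_access(recs)))
    for (who, ip), n in repeated_denials(recs).items():
        print(f"ALERT: {n} denials for {who} from {ip}")
    for who, op in vault_changes(recs):
        print(f"vault changed by {who}: {op}")
    for who, objs in access_by_caller(recs).items():
        print(who, sorted(objs))
```

Run on the constructed export it reports three denied attempts, raises one alert (bob@example.com from 198.51.100.7, three denials), and lists the VaultPatch by alice@example.com as a change to the vault itself. The same three checks map directly onto alert rules in the workspace: a denial count per caller over a window, any successful VaultPut/VaultPatch/VaultDelete, and a per-caller inventory of which secrets and keys were read.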
The full example ARM template is available here https://github.com/blackmob/Key-Vault-With-Logging