Azure Key Vault
Introduction
Azure Key Vault is a Microsoft Azure service for securely storing and managing secrets, encryption keys, and certificates. Monitoring Key Vault ensures availability, performance, and security by tracking access, detecting anomalies, and preventing unauthorized access.
Getting Started
Compatibility
The Azure Key Vault O11ySource supports Azure Key Vault Services within standard lifecycle support.
Data Collection Method
Telemetry data for Azure Key Vault comprises various metrics that monitor event processing performance, resource utilization, and operational health. Our internal agent, deployed within the vuSmartMaps environment, collects these metrics using a pull method.
Prerequisites
Dependent Configuration
To configure this O11ySource, create a 'credential' of type 'azure' under the 'Definition' tab.
Inputs for Configuring Data Source
- Resource Name: Enter the Resource Name of Azure Key Vault
- Resource ID: A unique identifier for the Azure resource.
- Credential: Client ID, Client Secret, Subscription ID and Tenant ID associated to the credential.
- Period (in seconds): Time interval for polling data from the Azure App Gateway. Period should be between 60 seconds – 3000 seconds.
Firewall Requirement
To collect data from this O11ySource, ensure the following ports are opened:
| Source IP | Destination IP | Destination Port | Protocol | Direction |
|---|---|---|---|---|
| vuSmartMaps IP | Azure Monitor IP | 443* | TCP | Outbound |
*Before providing the firewall requirements, please update the port based on the customer environment.
Configuring the Target
Health and performance metrics of Azure Key Vault Services are collected through Azure Monitor service. Thus, Azure Monitor must be enabled in your Azure account. Azure Key Vault Services should have available instances for which monitoring is enabled.
An IAM role or user with the following permissions to access Azure Key Vault metrics through Azure Monitor:
- Grant the Azure AD application, for which you've obtained the Client ID and Client Secret, the "Reader" role or a custom role specifically assigned with the Microsoft.Insights/metrics/read permission.
Configuration Steps
Enablethe O11ySource.- Select the sources tab and press the
+button to add a new instance that has to be monitored. - Provide the required configurations:
- *Resource Name
- *Period (in seconds)
- *Credential
- *Resource ID
- Click
Saveto close the data source window.
Metrics Collected
| Name | Description | Data Type |
|---|---|---|
| @timestamp | Original timestamp of the agent in string format | String |
| timestamp | Precise timestamp of the agent with milliseconds | DateTime64(3) |
| resource_group | Resource group in Azure | String |
| subscription_id | Azure subscription identifier | String |
| resource_name | Name of the Azure resource (Azure Management API) | String |
| name | Metric name of the Azure resource(e.g., capacity, requests etc.) | String |
| minimum | Minimum value of the metric over the period | UInt64 |
| maximum | Maximum value of the metric over the period | UInt64 |
| total | Total value of the metric over the period | UInt64 |
| average | Average value of the metric over the period | Float64 |
| namespace | logical container that organizes and manages related resources | String |
| count | Indicate the number of occurrences or events of a specific type within a given time frame. | UInt64 |
| target | Refers to the specific Azure Key Vault instance being monitored, accessed, or targeted for operations such as key retrieval, secret access, policy updates, or metric collection. | String |
| resource_region | Specifies the Azure geographic location where the Key Vault resource is deployed and hosted. | String |
