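# Demo: turn on Key Vault audit logging into a storage account, then list,
# download and inspect the AuditEvent records.
# Prerequisites: Azure PowerShell (AzureRM) module 1.1.0 or above and an
# account with rights on the resource group, the vault and the storage account.

# Names used throughout the demo; change these for your own environment.
$resourceGroupName = "jangelfdez-monitoring"
$storageAccountName = "jangelfdezmonitoring"
$vaultName = "jangelfdez-key-vault"
$logContainer = 'insights-logs-auditevent'
$logDir = "$env:HOMEPATH\Desktop\jangelfdez-key-vault-logs"

# 1. Check that the Azure PS module is version 1.1.0 or above
(Get-Module -Name "Azure" -ListAvailable).Version

# 2. Login to Azure ("Id" is a placeholder for your subscription id)
Login-AzureRmAccount -SubscriptionId "Id"

# 3. Create a new storage account for storing the logs, then show it
New-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
Get-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName

# 4. Activate the logging capabilities for the vault: AuditEvent records are
#    written to the storage account created above
$keyVault = Get-AzureRmKeyVault -VaultName $vaultName
$storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
Set-AzureRmDiagnosticSetting -ResourceId $keyVault.ResourceId -StorageAccountId $storageAccount.Id -Enabled $true -Categories AuditEvent

# 5. Viewing the audit logs
# The storage account key is a full-access credential for the whole account;
# it is only needed here to build the storage context.
# NOTE(review): the output shape of Get-AzureRmStorageAccountKey differs across
# module versions (.Key1 vs. an array of keys with .Value) — confirm for yours.
$storageAccountPrimaryKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName).Key1
$storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountPrimaryKey
# Drop the plaintext key from the session once the context holds it
# (the context object itself still carries the key).
Remove-Variable -Name storageAccountPrimaryKey
Get-AzureStorageBlob -Container $logContainer -Context $storageContext.Context | Select-Object LastModified, Length, Name

# 6. Downloading the audit logs into a local folder (created if missing)
New-Item -Path $logDir -ItemType Directory -Force
$blobs = Get-AzureStorageBlob -Container $logContainer -Context $storageContext.Context
$blobs | Get-AzureStorageBlobContent -Destination $logDir

# 7. Showing an example record ("yourFile" is a placeholder: pick one of the
#    downloaded files listed by Get-ChildItem)
Get-ChildItem -Path $logDir
$logFile = "$logDir\yourFile"
notepad.exe $logFile
$rawContent = Get-Content -Path $logFile | Out-String
$json = ConvertFrom-Json $rawContent
# Each downloaded file holds a "records" array; show the caller address,
# operation name and timestamp of the first record
$json.records[0].callerIpAddress
$json.records[0].operationName
$json.records[0].time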