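I enabled diagnostic logs for an Azure Key Vault. On the Key Vault, I have the firewall enabled. I am trying to find out from the logs which IP tried to access the Key Vault, so I ran the following query, which is already available in Azure logs.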
// List of callers identified by their IP address with their request count.
// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services.
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by CallerIPAddress, TimeGenerated
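The query above does not show me the latest results, i.e. the last result it shows me is 12 hours old, while this KV is being accessed all the time. Could anyone shed some light on this? Thanks.
Answer 0: (score: 0)
Try this to make sure the latest results are at the top: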
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by TimeGenerated, CallerIPAddress
| order by TimeGenerated desc
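You can try this demo here. This appears to be due to the lack of sorting.
Do you know, if we have multiple Key Vaults pointing to the same Log Analytics, how to select between the different Key Vaults in the query?
Add _ResourceId to select the desired Key Vault: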
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT" and _ResourceId == "{your-keyvault-resource-id}"
| summarize count() by TimeGenerated, CallerIPAddress
| order by TimeGenerated desc
Summarize by _ResourceId:
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by TimeGenerated, CallerIPAddress, _ResourceId
| order by TimeGenerated desc
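
The queries in this thread group by the raw TimeGenerated value, which yields close to one row per event. The following added example (not part of the original posts) buckets callers per hour and per vault, counts denied requests, and shows how far ingestion lags behind event time, which helps tell "unsorted output" apart from "logs not yet ingested". The 24-hour window, the 1-hour bucket and the use of HTTP 403 as the marker for denied requests are assumptions chosen for illustration.

```kusto
// Added example: callers per Key Vault in hourly buckets, with denied counts
// and ingestion lag. Not from the original thread.
// Assumptions: 24h lookback, 1h buckets, and HTTP 403 treated as "denied"
// (this covers firewall rejections as well as access-policy/RBAC denials).
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where TimeGenerated > ago(24h)
// ingestion_time() is when the record landed in the workspace;
// the difference to TimeGenerated is the pipeline delay for that record.
| extend IngestionLag = ingestion_time() - TimeGenerated
| summarize
    Requests     = count(),
    Denied       = countif(httpStatusCode_d == 403),
    LastSeen     = max(TimeGenerated),
    MaxIngestLag = max(IngestionLag)
    by _ResourceId, CallerIPAddress, bin(TimeGenerated, 1h)
// Newest bucket first; within a bucket, callers with the most denials first.
| order by TimeGenerated desc, Denied desc
```

If LastSeen in the newest bucket is hours old while the vault is known to be in use, check MaxIngestLag and the vault's diagnostic setting before suspecting the query itself.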