The eventGridEventProperties_data_ObjectName_s property from Azure Key Vault is not appearing in the AzureDiagnostics log analytics query.

Murarisetty Yamuna 140 Reputation points
2024-12-19T13:12:13.6133333+00:00

The eventGridEventProperties_data_ObjectName_s property in KQL for Log Analytics is not appearing. The diagnostics settings for Key Vault are configured as shown below, but only a few properties related to Key Vault operations are being reflected in Log Analytics. To retrieve the secret expiry details, we need the properties eventGridEventProperties_data_ObjectName_s and eventGridEventProperties_data_EXP_d as specified in this documentation https://learn.microsoft.com/en-us/azure/event-grid/event-schema-key-vault?tabs=cloud-event-schema. However, these properties are not appearing, which might be due to an issue with the type of logs being stored. Do I need to make any changes in selecting the categories and groups

User's image

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,396 questions
0 comments No comments
{count} votes

Accepted answer
  1. VINODH KUMAR T D 26,141 Reputation points MVP
    2024-12-21T15:25:46.93+00:00

    Hi ,

    Thanks for reaching out to Microsoft Q&A.

    From the provided image and context, it seems that the diagnostic settings for Azure Key Vault in the portal are configured to only log Audit Logs and AllMetrics. However, the properties eventGridEventProperties_data_ObjectName_s and eventGridEventProperties_data_EXP_d you are looking for are associated with Event Grid integration with Key Vault.

    To ensure that these properties appear in Log Analytics, you might need to:

    Verify Event Grid Subscription Configuration:

    • Ensure that Key Vault is integrated with Event Grid and that the subscription is configured to send the relevant event types (e.g., Secret Expiry Events).

    Include Additional Log Categories:

      - If Event Grid logs are required for these properties, you might need to configure **Azure Policy Evaluation Details** or other related diagnostic settings. Ensure that you are enabling logs that cover Event Grid events.
      
      **Enable Event Grid Diagnostics**:
      
         - If Event Grid diagnostics are not enabled, you will not see these properties in the logs. Check the Event Grid Topic or Subscription settings and enable diagnostics for them as well.
         
         **Validate Permissions**:
         
            - Ensure that the Log Analytics workspace has appropriate permissions to ingest Event Grid data.
            
            **Update KQL Query**:
            
               - Sometimes, the issue might also be related to how the data is queried. Ensure that the KQL query is targeting the correct table and schema.
               
    
    1. Check Documentation for Updates:

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.