|
| 1 | +--- |
| 2 | +title: How to audit Azure Cosmos DB control plane operations |
| 3 | +description: Learn how to audit the control plane operations such as add a region, update throughput, region failover, add a VNet etc. in Azure Cosmos DB |
| 4 | +author: SnehaGunda |
| 5 | +ms.service: cosmos-db |
| 6 | +ms.topic: conceptual |
| 7 | +ms.date: 03/16/2020 |
| 8 | +ms.author: sngun |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +# How to audit Azure Cosmos DB control plane operations |
| 13 | + |
| 14 | +Control plane operations include changes to the Azure Cosmos account or container. For example, create an Azure Cosmos account, add a region, update throughput, region failover, add a VNet etc. are some of the control plane operations. This article explains how to audit the control plane operations in Azure Cosmos DB. |
| 15 | + |
| 16 | +## Disable key based metadata write access |
| 17 | + |
| 18 | +Before you audit the control plane operations in Azure Cosmos DB, disable the key-based metadata write access on your account. When key based metadata write access is disabled, clients connecting to the Azure Cosmos account through account keys are prevented from accessing the account. You can disable write access by setting the `disableKeyBasedMetadataWriteAccess` property to true. After you set this property, changes to any resource can happen from a user with the proper Role-based access control(RBAC) role and credentials only. To learn more on how to set this property, see the [Preventing changes from SDKs](role-based-access-control.md#preventing-changes-from-cosmos-sdk) article. |
| 19 | + |
| 20 | + Consider the following points when turning off the metadata write access: |
| 21 | + |
| 22 | +* Evaluate and ensure that your applications do not make metadata calls that change the above resources (For example, create collection, update throughput, …) by using the SDK or account keys. |
| 23 | + |
| 24 | +* Currently, the Azure portal uses account keys for metadata operations and hence these operations will be blocked. Alternatively, use the Azure CLI, SDKs, or Resource Manager template deployments to perform such operations. |
| 25 | + |
| 26 | +## Enable diagnostic logs for control plane operations |
| 27 | + |
| 28 | +You can enable diagnostic logs for control plane operations by using the Azure portal. Use the following steps to enable logging on control plane operations: |
| 29 | + |
| 30 | +1. Sign into [Azure portal](https://portal.azure.com) and navigate to your Azure Cosmos account. |
| 31 | + |
| 32 | +1. Open the **Diagnostic settings** pane, provide a **Name** for the logs to create. |
| 33 | + |
| 34 | +1. Select **ControlPlaneRequests** for log type and select the **Send to Log Analytics** option. |
| 35 | + |
| 36 | +You can also store the logs in a storage account or stream to an event hub. This article shows how to send logs to log analytics and then query them. After you enable, it takes a few minutes for the diagnostic logs to take effect. All the control plane operations performed after that point can be tracked. The following screenshot shows how to enable control plane logs: |
| 37 | + |
| 38 | + |
| 39 | + |
| 40 | +## View the control plane operations |
| 41 | + |
| 42 | +After you turn on logging, use the following steps to track down operations for a specific account: |
| 43 | + |
| 44 | +1. Sign into [Azure portal](https://portal.azure.com). |
| 45 | +1. Open the **Monitor** tab from the left hand navigation and then select the **Logs** pane. It opens a UI where you can easily run queries with that specific account in scope. Run the following query to view control plane logs: |
| 46 | + |
| 47 | + ```kusto |
| 48 | + AzureDiagnostics |
| 49 | + | where ResourceProvider=="MICROSOFT.DOCUMENTDB" and Category=="ControlPlaneRequests" |
| 50 | + | where TimeGenerated >= ago(1h) |
| 51 | + ``` |
| 52 | + |
| 53 | +The following screenshots capture logs when a VNET is added to an Azure Cosmos account: |
| 54 | + |
| 55 | + |
| 56 | + |
| 57 | +The following screenshots capture logs when throughput of a Cassandra table is updated: |
| 58 | + |
| 59 | + |
| 60 | + |
| 61 | +## Identify the identity associated to a specific operation |
| 62 | + |
| 63 | +If you want to debug further, you can identify a specific operation in the **Activity log** by using the Activity ID or by the timestamp of the operation. Timestamp is used for some Resource Manager clients where the activity ID is not explicitly passed. The Activity log gives details about the identity with which the operation was initiated. The following screenshot shows ho to use the activity ID and find the operations associated with it in the Activity log: |
| 64 | + |
| 65 | + |
| 66 | + |
| 67 | +## Next steps |
| 68 | + |
| 69 | +* [Explore Azure Monitor for Azure Cosmos DB](../azure-monitor/insights/cosmosdb-insights-overview.md?toc=/azure/cosmos-db/toc.json&bc=/azure/cosmos-db/breadcrumb/toc.json) |
| 70 | +* [Monitor and debug with metrics in Azure Cosmos DB](use-metrics.md) |
0 commit comments