|
| 1 | +--- |
| 2 | +title: Monitor Key Vault with Azure Monitor for Key Vault (preview)| Microsoft Docs |
| 3 | +description: This article describes the Azure Monitor for Key Vaults. |
| 4 | +services: azure-monitor |
| 5 | +ms.topic: conceptual |
| 6 | +author: mrbullwinkle |
| 7 | +ms.author: mbullwin |
| 8 | +ms.date: 04/13/2019 |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +# Monitoring your key vault service with Azure Monitor for Key Vault (preview) |
| 13 | +Azure Monitor for Key Vault (preview) provides comprehensive monitoring of your key vaults by delivering a unified view of your Key Vault requests, performance, failures, and latency. |
| 14 | +This article will help you understand how to onboard and customize the experience of Azure Monitor for Key Vault (preview). |
| 15 | + |
| 16 | +## Introduction to Azure Monitor for Key Vault (preview) |
| 17 | + |
| 18 | +Before jumping into the experience, you should understand how it presents and visualizes information. |
| 19 | +- **At scale perspective** showing a snapshot view of performance based on the requests, breakdown of failures, and an overview of the operations and latency. |
| 20 | +- **Drill down analysis** of a particular key vault to perform detailed analysis. |
| 21 | +- **Customizable** where you can change which metrics you want to see, modify or set thresholds that align with your limits, and save your own workbook. Charts in the workbook can be pinned to Azure dashboards. |
| 22 | + |
| 23 | +Azure Monitor for Key Vault combines both logs and metrics to provide a global monitoring solution. All users can access the metrics-based monitoring data, however the inclusion of logs-based visualizations may require users to [enable logging of their Azure Key Vault](https://docs.microsoft.com/azure/key-vault/key-vault-logging). |
| 24 | + |
| 25 | +## Configuring your key vaults for monitoring |
| 26 | + |
| 27 | +> [!NOTE] |
| 28 | +> Enabling logs is a paid-service that provides additional monitoring capabilities. |
| 29 | +
|
| 30 | +1. The Operations & Latency tab helps you determine how many and which key vaults are enabled. To begin collecting, select the **Enable** button, which will bring you to a separate workbook that lists out the key vaults that require enabling diagnostic logs. |
| 31 | + |
| 32 | +  |
| 33 | + |
| 34 | +2. To enable diagnostic logs, click on the **Enable** link underneath the actions column, and create a new diagnostics setting that sends logs to a Log Analytics workspace. It is recommended to send all the logs to the same workspace. |
| 35 | + |
| 36 | +3. Once the diagnostic settings are saved, you will be able to view all the log-based charts and visualizations underneath the Key Vault Insights. Please note that it may take several minutes to hours to begin populating the logs. |
| 37 | + |
| 38 | +4. For additional assistance on how to enable diagnostic logs for your Key Vault service, read the [full guide](https://docs.microsoft.com/azure/key-vault/key-vault-logging). |
| 39 | + |
| 40 | +## View from Azure Monitor |
| 41 | + |
| 42 | +From Azure Monitor, you can view request, latency, and failure details from multiple key vaults in your subscription, and help identify performance problems and throttling scenarios. |
| 43 | + |
| 44 | +To view the utilization and operations of your storage accounts across all your subscriptions, perform the following steps: |
| 45 | + |
| 46 | +1. Sign into the [Azure portal](https://portal.azure.com/) |
| 47 | + |
| 48 | +2. Select **Monitor** from the left-hand pane in the Azure portal, and under the Insights section, select **Key Vaults (preview)**. |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | +## Overview workbook |
| 53 | + |
| 54 | +On the Overview workbook for the selected subscription, the table displays interactive key vault metrics for key vaults grouped within the subscription. You can filter results based on the options you select from the following drop-down lists: |
| 55 | + |
| 56 | +* Subscriptions – only subscriptions that have key vaults are listed. |
| 57 | + |
| 58 | +* Key Vaults – by default only up to 5 key vaults are pre-selected. If you select all or multiple key vaults in the scope selector, up to 200 key vaults will be returned. For example, if you had a total of 573 key vaults across three subscriptions that you've selected, only 200 vaults will be displayed. |
| 59 | + |
| 60 | +* Time Range – by default, displays the last 24 hours of information based on the corresponding selections made. |
| 61 | + |
| 62 | +The counter tile, under the drop-down list, rolls-up the total number of key vaults in the selected subscriptions and reflects how many are selected. There are conditional color-coded heatmaps for the columns of the workbook that report request, failures, and latency metrics. The deepest color has the highest value and a lighter color is based on the lowest values. |
| 63 | + |
| 64 | +## Failures workbook |
| 65 | + |
| 66 | +Select **Failures** at the top of the page and the Failures tab opens. It shows you the API hits, frequency over time, along with the amount of certain response codes. |
| 67 | + |
| 68 | + |
| 69 | + |
| 70 | +There is conditional color-coding or heatmaps for columns in the workbook that report API hits metrics with a blue value. The deepest color has the highest value and a lighter color is based on the lowest values. |
| 71 | + |
| 72 | +The workbook displays Successes (2xx status codes), Authentication Errors (401/403 status codes), Throttling (429 status codes), and Other Failures (4xx status codes). |
| 73 | + |
| 74 | +To better understand what each of the status codes represent, we recommend reading through the documentation on [Azure Key Vault status and response codes](https://docs.microsoft.com/azure/key-vault/authentication-requests-and-responses). |
| 75 | + |
| 76 | +## Operations & latency workbook |
| 77 | + |
| 78 | +Select **Operations & Latency** at the top of the page and the **Operations & Latency** tab opens. This tab enables you to onboard your key vaults for monitoring. For more detailed steps see the [Configuring your key vaults for Monitoring](#configuring-your-key-vaults-for-monitoring) section. |
| 79 | + |
| 80 | +You can see how many of your key vaults are enabled for the logging. If at least one vault has been configured properly, then you will be able to see tables that display the operations and status codes for each of your key vaults. You can click into the details section for a row to get additional information on the individual operation. |
| 81 | + |
| 82 | + |
| 83 | + |
| 84 | +If you are not seeing any data for this section, reference the top section on how to enable logs for Azure Key Vault, or check the troubleshooting section below. |
| 85 | + |
| 86 | +## View from a Key Vault resource |
| 87 | + |
| 88 | +To access Azure Monitor for Key Vault directly from a key Vault: |
| 89 | + |
| 90 | +1. In the Azure portal, select Key Vaults. |
| 91 | + |
| 92 | +2. From the list, choose a key vault. In the monitoring section, choose Insights (preview). |
| 93 | + |
| 94 | +These views are also accessible by selecting the resource name of a key vault from the Azure Monitor level workbook. |
| 95 | + |
| 96 | + |
| 97 | + |
| 98 | +On the **Overview** workbook for the key vault, it shows several performance metrics that help you quickly assess: |
| 99 | + |
| 100 | +- Interactive performance charts showing the most essential details related to key vault transactions, latency, and availability. |
| 101 | + |
| 102 | +- Metrics and status tiles highlighting service availability, total count of transactions to the key vault resource, and overall latency. |
| 103 | + |
| 104 | +Selecting any of the other tabs for **Failures** or **Operations** opens the respective workbooks. |
| 105 | + |
| 106 | + |
| 107 | + |
| 108 | +The failures workbook breakdowns the results of all key vault requests in the selected time frame, and provides categorization on Successes (2xx), Authentication Errors (401/403), Throttling (429), and other failures. |
| 109 | + |
| 110 | + |
| 111 | + |
| 112 | +The Operations workbook allows users to deep dive into the full details of all transactions, which can be filtered by the Result Status using the top level tiles. |
| 113 | + |
| 114 | + |
| 115 | + |
| 116 | +Users can also scope out views based on specific transaction types in the upper table, which dynamically updates the lower table, where users can view full operation details in a pop up context pane. |
| 117 | + |
| 118 | +>[!NOTE] |
| 119 | +> Note that users must have the diagnostic settings enabled to view this workbook. To learn more about enabling diagnostic setting, read more about [Azure Key Vault Logging](https://docs.microsoft.com/azure/key-vault/general/logging). |
| 120 | +
|
| 121 | +## Pin and export |
| 122 | + |
| 123 | +You can pin any one of the metric sections to an Azure dashboard by selecting the pushpin icon at the top right of the section. |
| 124 | + |
| 125 | +The multi-subscription and key vaults overview or failures workbooks support exporting the results in Excel format by selecting the download icon to the left of the pushpin icon. |
| 126 | + |
| 127 | + |
| 128 | + |
| 129 | +## Customize Azure Monitor for Key Vault |
| 130 | + |
| 131 | +This section highlights common scenarios for editing the workbook to customize in support of your data analytics needs: |
| 132 | +* Scope the workbook to always select a particular subscription or key vault(s) |
| 133 | +* Change metrics in the grid |
| 134 | +* Change the requests threshold |
| 135 | +* Change the color rendering |
| 136 | + |
| 137 | +You can begin customizations by enabling the editing mode, by selecting the **Customize** button from the top toolbar. |
| 138 | + |
| 139 | + |
| 140 | + |
| 141 | +Customizations are saved to a custom workbook to prevent overwriting the default configuration in our published workbook. Workbooks are saved within a resource group, either in the My Reports section that is private to you or in the Shared Reports section that's accessible to everyone with access to the resource group. After you save the custom workbook, you need to go to the workbook gallery to launch it. |
| 142 | + |
| 143 | + |
| 144 | + |
| 145 | +### Specifying a subscription or key vault |
| 146 | + |
| 147 | +You can configure the multi-subscription and key vault Overview or Failures workbooks to scope to a particular subscription(s) or key vault(s) on every run, by performing the following steps: |
| 148 | + |
| 149 | +1. Select **Monitor** from the portal and then select **Key Vaults (preview)** from the left-hand pane. |
| 150 | +2. On the **Overview** workbook, from the command bar select **Edit**. |
| 151 | +3. Select from the **Subscriptions** drop-down list one or more subscriptions you want yo use as the default. Remember, the workbook supports selecting up to a total of 10 subscriptions. |
| 152 | +4. Select from the **Key Vaults** drop-down list one or more accounts you want it to use as the default. Remember, the workbook supports selecting up to a total of 200 storage accounts. |
| 153 | +5. Select **Save as** from the command bar to save a copy of the workbook with your customizations, and then click **Done editing** to return to reading mode. |
| 154 | + |
| 155 | +## Troubleshooting |
| 156 | + |
| 157 | +This section will help you with the diagnosis and troubleshooting of some of the common issues you may encounter when using Azure Monitor for Key Vault (preview). Use the list below to locate the information relevant to your specific issue. |
| 158 | + |
| 159 | +### Resolving performance issues or failures |
| 160 | + |
| 161 | +To help troubleshoot any key vault related issues you identify with Azure Monitor for Key Vault (preview), see the [Azure Key Vault documentation](https://docs.microsoft.com/azure/key-vault/). |
| 162 | + |
| 163 | +### Why can I only see 200 key vaults? |
| 164 | + |
| 165 | +There is a limit of 200 key vaults that can be selected and viewed. Regardless of the number of selected subscriptions, the number of selected key vaults has a limit of 200. |
| 166 | + |
| 167 | +### What will happen when a pinned item is clicked? |
| 168 | + |
| 169 | +When a pinned item on the dashboard is clicked, it will open one of two things: |
| 170 | +* If the Insights were saved – it will open the insights instance that the pin was saved from. |
| 171 | +* If the insights were unsaved – it will open a new default insights instance. |
| 172 | + |
| 173 | +### Why don't I see all my subscriptions in the subscription picker? |
| 174 | + |
| 175 | +We only show subscriptions that contain key vaults, chosen from the selected subscription filter, which are selected in the "Directory + Subscription" in the Azure portal header. |
| 176 | + |
| 177 | + |
| 178 | + |
| 179 | +### I am getting an error message that the "query exceeds the maximum number of workspaces/regions allowed", what to do now? |
| 180 | + |
| 181 | +Currently, there is a limit to 25 regions and 200 workspaces, to view your data, you will need to reduce the number of subscriptions and/or resource groups. |
| 182 | + |
| 183 | +### I want to make changes or add additional visualizations to Key Vault Insights, how do I do so? |
| 184 | + |
| 185 | +To make changes, select the "Edit Mode" to modify the workbook, then you can save your work as a new workbook that is tied to a designated subscription and resource group. |
| 186 | + |
| 187 | +### What is the time-grain once we pin any part of the Workbooks? |
| 188 | + |
| 189 | +We utilize the "Auto" time grain, therefore it depends on what time range is selected. |
| 190 | + |
| 191 | +### What is the time range when any part of the workbook is pinned? |
| 192 | + |
| 193 | +The time range will depend on the dashboard settings. |
| 194 | + |
| 195 | +### Why do I not see any data for my Key Vault under the Operations & Latency sections? |
| 196 | + |
| 197 | +To view your logs-based data, you will need to enable logs for each of the key vaults you want to monitor. This can be done under the diagnostic settings for each key vault. You will need to send your data to a designated Log Analytics workspace. |
| 198 | + |
| 199 | +### I have already enabled logs for my Key Vault, why am I still unable to see my data under Operations & Latency? |
| 200 | + |
| 201 | +Currently, diagnostic logs do not work retroactively, so the data will only start appearing once there have been actions taken to your key vaults. Therefore, it may take some time, ranging from hours to a day, depending on how active your key vault is. |
| 202 | + |
| 203 | +In addition, if you have a high number of key vaults and subscriptions selected, you may not be able to view your data due to query limitations. In order to view your data, you may need to reduce the number of selected subscriptions or key vaults. |
| 204 | + |
| 205 | +### What if I want to see other data or make my own visualizations? How can I make changes to the Key Vault Insights? |
| 206 | + |
| 207 | +You can edit the existing workbook, through the use of the edit mode, and then save your work as a new workbook that will have all your new changes. |
| 208 | + |
| 209 | +## Next steps |
| 210 | + |
| 211 | +Learn the scenarios workbooks are designed to support, how to author new and customize existing reports, and more by reviewing [Create interactive reports with Azure Monitor workbooks](https://docs.microsoft.com/azure/azure-monitor/app/usage-workbooks). |
0 commit comments