Set-AzureRmDiagnosticSetting for KeyVault failing to recognize category AuditEvent #7102

@Ahwleung

Description

After issue 6833 was resolved I am trying to enable KeyVault logging following the documentation here. However the cmdlet is now failing with an unrecognized category error, even though this should be the only category available for Key Vaults per both the above link and this page.

Script/Steps for Reproduction

#Connect as usual
Connect-AzureRmAccount
Set-AzureRmContext

# Create a RG, key vault and storage account:
New-AzureRmResourceGroup -Name exampleRG -Location 'South Central US'
$sa = New-AzureRmStorageAccount -ResourceGroupName exampleRG -Name examplesa1 -Type Standard_LRS -Location 'South Central US'
$kv = New-AzureRmKeyVault -ResourceGroupName exampleRG -VaultName 'examplekv' -Location 'South Central US'

# Attempt to enable logging
Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Categories AuditEvent

#Error message
Set-AzureRmDiagnosticSetting : Exception type: ArgumentException, Message: System.ArgumentException: Log category
'AuditEvent' is not available
   at Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand.SetSelectedCategories(Diagnostic
SettingsResource properties)
   at Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand.ProcessRecordInternal()
   at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason
phrase: Null

Module Version

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Set-AzureRmDiagnosticSetting                       5.1.3      AzureRM.Insights

Environment Data

Name                           Value
----                           -----
PSVersion                      5.1.17134.228
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.228
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Debug Output

DEBUG: 3:24:44 PM - SetAzureRmDiagnosticSettingCommand begin processing with ParameterSet 'OldSetDiagnosticSetting'.
DEBUG: 3:24:44 PM - using account id '<redacted>@microsoft.com'...
WARNING: 3:24:44 PM - *** The namespace for all the model classes will change from
Microsoft.Azure.Management.Monitor.Management.Models to Microsoft.Azure.Management.Monitor.Models in future releases.
WARNING: 3:24:44 PM - *** The namespace for output classes will be uniform for all classes in future releases to make
it independent of modifications in the model classes.
WARNING: 3:24:44 PM - The arguments Categories and Timegrains now have aliases Category and Timegrain respectively. The
 plural names will be removed in future releases.
DEBUG: 3:24:44 PM - Processing using command line arguments
DEBUG: 3:24:44 PM - Listing existing diagnostics settings for resourceId
'/subscriptions/8d5b1df0-9569-4722-8971-fe24da4b58a0/resourceGroups/exampleRG/providers/Microsoft.KeyVault/vaults/examp
lekv'
DEBUG: [Common.Authentication]: Authenticating using Account: '<redacted>@microsoft.com', environment: 'AzureCloud',
tenant: '72f988bf-86f1-41af-91ab-2d7cd011db47'
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44: d79565f2-7a76-4fc3-b31e-76660fc21531 - AcquireTokenHandlerBase: === Token Acquisition
started:
 Authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/
 Resource: https://management.core.windows.net/
 ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
 CacheType: Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache (3 items)
 Authentication Target: User

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44:  - TokenCache: Deserialized 3 items to token cache.
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 08/30/2018 22:24:44: d79565f2-7a76-4fc3-b31e-76660fc21531 - TokenCache: Looking up cache for a token...
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44: d79565f2-7a76-4fc3-b31e-76660fc21531 - TokenCache: An item matching the requested resource
was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 08/30/2018 22:24:44: d79565f2-7a76-4fc3-b31e-76660fc21531 - TokenCache: 52.12827423 minutes left until token in
cache expires
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44: d79565f2-7a76-4fc3-b31e-76660fc21531 - TokenCache: A matching item (access token or refresh
 token or both) was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44: d79565f2-7a76-4fc3-b31e-76660fc21531 - AcquireTokenHandlerBase: === Token Acquisition
finished successfully. An access token was retuned:
 Access Token Hash: 7q/L/hbphu3RgrHHnxjLh6i5qYgZe2zoAKgX2+jh6BU=
 Refresh Token Hash: Wk1TVSLzu6NJUjk5mXSpOz0v6IFoOb5OLpHSuEDxUyk=
 Expiration Time: 08/30/2018 23:16:52 +00:00
 User Hash: 1IMwgxyuivqWjLZJIOZdCRUF3EgrxBr9iB+9liJdUFk=

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44: 9e3561b6-2fbd-4ed4-a6ec-07ff35d0048e - AcquireTokenHandlerBase: === Token Acquisition
started:
 Authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/
 Resource: https://management.core.windows.net/
 ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
 CacheType: Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache (3 items)
 Authentication Target: User

DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44:  - TokenCache: Deserialized 3 items to token cache.
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 08/30/2018 22:24:44: 9e3561b6-2fbd-4ed4-a6ec-07ff35d0048e - TokenCache: Looking up cache for a token...
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44: 9e3561b6-2fbd-4ed4-a6ec-07ff35d0048e - TokenCache: An item matching the requested resource
was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Verbose: 1 :
DEBUG: 08/30/2018 22:24:44: 9e3561b6-2fbd-4ed4-a6ec-07ff35d0048e - TokenCache: 52.12820758 minutes left until token in
cache expires
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44: 9e3561b6-2fbd-4ed4-a6ec-07ff35d0048e - TokenCache: A matching item (access token or refresh
 token or both) was found in the cache
DEBUG: Microsoft.IdentityModel.Clients.ActiveDirectory Information: 2 :
DEBUG: 08/30/2018 22:24:44: 9e3561b6-2fbd-4ed4-a6ec-07ff35d0048e - AcquireTokenHandlerBase: === Token Acquisition
finished successfully. An access token was retuned:
<redacted>

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com//subscriptions/8d5b1df0-9569-4722-8971-fe24da4b58a0/resourceGroups/exampleRG/providers/Mic
rosoft.KeyVault/vaults/examplekv/providers/microsoft.insights/diagnosticSettings?api-version=2017-05-01-preview

Headers:
x-ms-client-request-id        : 8148565e-83d4-4e06-b1f1-197254211147
accept-language               : en-US

Body:


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
Strict-Transport-Security     : max-age=31536000; includeSubDomains
x-ms-request-id               : bc3b061b-3148-4e77-a726-016157e990e8
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id   : e055050f-2ad0-46c0-80d3-637a7490f295
x-ms-routing-request-id       : WESTUS2:20180830T222445Z:e055050f-2ad0-46c0-80d3-637a7490f295
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Thu, 30 Aug 2018 22:24:44 GMT
Server                        : Microsoft-IIS/8.5

Body:
{
  "value": []
}

DEBUG: 3:24:45 PM - Diagnostic setting named: 'service' not found in list of 0 settings. Creating a new one.
DEBUG: 3:24:45 PM - Merging data. Existing setting is: not null
DEBUG: 3:24:45 PM - Setting storage account Id
DEBUG: 3:24:45 PM - Setting categories and time grains
DEBUG: 3:24:45 PM - Setting log categories, including Enabled property
Set-AzureRmDiagnosticSetting : Exception type: ArgumentException, Message: System.ArgumentException: Log category
'AuditEvent' is not available
   at Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand.SetSelectedCategories(Diagnostic
SettingsResource properties)
   at Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand.ProcessRecordInternal()
   at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason
phrase: Null
At line:1 char:1
+ Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmDiagnosticSetting], PSInvalidOperationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand

DEBUG: AzureQoSEvent: CommandName - Set-AzureRmDiagnosticSetting; IsSuccess - False; Duration - 00:00:00.6204299;
Exception - System.Management.Automation.PSInvalidOperationException: Exception type: ArgumentException, Message:
System.ArgumentException: Log category 'AuditEvent' is not available
   at
Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand.SetSelectedCategories(DiagnosticSettin
gsResource properties)
   at Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand.ProcessRecordInternal()
   at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason phrase:
 Null ---> System.ArgumentException: Log category 'AuditEvent' is not available
   at
Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand.SetSelectedCategories(DiagnosticSettin
gsResource properties)
   at Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand.ProcessRecordInternal()
   at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet()
   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
DEBUG: Finish sending metric.
DEBUG: 3:25:08 PM - SetAzureRmDiagnosticSettingCommand end processing.
DEBUG: 3:25:08 PM - SetAzureRmDiagnosticSettingCommand end processing.
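
Because the cmdlet above throws before any setting is written, the vault is left without audit logging. The following added example (not part of the original report and not code from the Azure PowerShell project) checks whether the `AuditEvent` category is enabled and has a destination. `Test-KeyVaultAuditLogging` is a hypothetical helper name, and the property names read from the `Get-AzureRmDiagnosticSetting` output (`Logs`, `StorageAccountId`, `WorkspaceId`, `EventHubAuthorizationRuleId`) are assumed to match the installed AzureRM.Insights version.

```powershell
# Added example: verify that Key Vault audit logging is really on.
# Test-KeyVaultAuditLogging is a hypothetical helper, not an AzureRM cmdlet.
function Test-KeyVaultAuditLogging {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $ResourceId,

        # Category name taken from the report; the only one expected for Key Vault.
        [string] $Category = 'AuditEvent'
    )

    $settings = @()
    try {
        $settings = @(Get-AzureRmDiagnosticSetting -ResourceId $ResourceId -ErrorAction Stop)
    }
    catch {
        # A failed lookup is reported as "not logging" so the gap stays visible.
        Write-Warning "Could not read diagnostic settings: $($_.Exception.Message)"
    }

    $enabled = $false
    $hasDestination = $false
    foreach ($s in $settings) {
        if ($null -eq $s) { continue }
        # Assumed property names on the returned setting object.
        $log = @($s.Logs) | Where-Object { $_ -and $_.Category -eq $Category -and $_.Enabled }
        if ($log) {
            $enabled = $true
            if ($s.StorageAccountId -or $s.WorkspaceId -or $s.EventHubAuthorizationRuleId) {
                $hasDestination = $true
            }
        }
    }

    [pscustomobject]@{
        ResourceId     = $ResourceId
        Category       = $Category
        Enabled        = $enabled
        HasDestination = $hasDestination
    }
}

# Names below are the ones used in the reproduction steps.
$kv = Get-AzureRmKeyVault -VaultName 'examplekv' -ResourceGroupName 'exampleRG'
$result = Test-KeyVaultAuditLogging -ResourceId $kv.ResourceId
if (-not ($result.Enabled -and $result.HasDestination)) {
    Write-Warning "Audit logging is NOT active for $($kv.VaultName)"
}
$result
```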

Labels: Monitor, Service Attention
