Keeperは、Azure Sentinel / Log Analytics 環境へのイベントストリーミングに対応しています。本ページでは、2025年に廃止予定の旧方式（Log Analytics の HTTP Data Collector API、エンドポイント `https://<Workspace ID>.ods.opinsights.azure.com/api/logs` への送信）によるログストリーミング手順について説明しています。新規の構成では、代わりにAzure Monitor方式のご利用を推奨します。
イベントログAPIのトラブルシューティングが必要な場合は、以下のPythonスクリプトを使用して、KeeperのバックエンドシステムがAzure環境にイベントログを送信する動作をシミュレートできます。
テストを行う前に、Workspace IDとWorkspace Keyを適切な値に置き換えてください。Workspace Keyはワークスペースへの書き込みを許可する秘密情報です。実際のキーを記入したスクリプトをバージョン管理にコミットしたり、他者と共有したりしないでください。なお、このスクリプトを実行すると、サンプルのイベントが実際にワークスペースへ送信されます。
import base64
import datetime
import hashlib
import hmac
import json
import os

import requests
# Configuration
workspace_id = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'
workspace_key = 'xxxxxx'
log_type = 'Keeper'
# Sample body
body = [
{
"audit_event": "role_created",
"remote_address": "11.22.33.44",
"category": "policy",
"client_version": "EMConsole.17.0.0",
"username": "user@company.com",
"enterprise_id": 6557,
"timestamp": "2025-01-12T00:03:44.743Z",
"role_id": "28162100560074"
},
{
"audit_event": "role_enforcement_changed",
"remote_address": "11.22.33.55",
"category": "policy",
"client_version": "EMConsole.17.0.0",
"timestamp": "2025-01-13T00:03:44.743Z",
"username": "user@company.com",
"enterprise_id": 6557,
"role_id": "28162100560074",
"enforcement": "RESEND_ENTERPRISE_INVITE_IN_X_DAYS",
"value": "7"
},
{
"audit_event": "role_enforcement_changed",
"remote_address": "11.22.33.66",
"category": "policy",
"client_version": "EMConsole.17.0.0",
"timestamp": "2025-01-14T00:03:44.776Z",
"username": "user@company.com",
"enterprise_id": 6557,
"role_id": "28162100560074",
"enforcement": "SEND_BREACH_WATCH_EVENTS",
"value": "ON"
},
{
"audit_event": "role_enforcement_changed",
"remote_address": "11.22.33.77",
"category": "policy",
"client_version": "EMConsole.17.0.0",
"timestamp": "2025-01-15T00:03:44.835Z",
"username": "user@company.com",
"enterprise_id": 6557,
"role_id": "28162100560074",
"enforcement": "GENERATED_PASSWORD_COMPLEXITY",
"value": "[{\"domains\":[\"_default_\"],\"length\":20,\"lower-use\":false,\"lower-min\":5}]"
},
{
"audit_event": "audit_alert_sent",
"category": "usage",
"client_version": "Keeper Service.1.2.0",
"username": "ALERT",
"enterprise_id": 6557,
"timestamp": "2025-01-16T01:31:11.123Z",
"origin": "admin_permission_added",
"name": "XXX123",
"recipient": "user@company.com,+19165551212",
"username_new": true,
"client_version_new": true
}]
body_json = json.dumps(body)
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body_json)
signature_string = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123date}\n{resource}"
decoded_key = base64.b64decode(workspace_key)
signature = base64.b64encode(hmac.new(decoded_key, signature_string.encode('utf-8'), hashlib.sha256).digest()).decode('utf-8')
headers = {
'Content-Type': content_type,
'Authorization': f'SharedKey {workspace_id}:{signature}',
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
uri = f'https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01'
response = requests.post(uri, data=body_json, headers=headers)
print(f"Response code: {response.status_code}")
print(f"Response message: {response.text}")