Issue search
Which component is affected?
Cloud Provider (if applicable)
Steps to Reproduce
- Configure an Azure Key Vault diagnostic setting that enables the explicit AuditEvent log category.
- Azure ARM returns the diagnostic setting logs in this shape:

  | category | categoryGroup | enabled |
  |---|---|---|
  | AuditEvent | null | true |
  | AzurePolicyEvaluationDetails | null | false |

- Run Prowler for Azure with the keyvault_logging_enabled check.
- Inspect the result for that Key Vault.
Expected behavior
keyvault_logging_enabled should pass when Key Vault audit logging is enabled through the explicit AuditEvent category.
Actual Result with Screenshots or Logs
Prowler reports the Key Vault as FAIL with a message that the vault does not have a diagnostic setting with audit logging.
The current check implementation only considers category groups:
log.category_group == "audit" and log.enabled
log.category_group == "allLogs" and log.enabled
It does not treat log.category == "AuditEvent" and log.enabled as compliant, even though Azure diagnostic settings may represent Key Vault audit logging with category: AuditEvent and categoryGroup: null.
How did you install Prowler?
From pip package (pip install prowler)
Environment Resource
Workstation / CI runner consuming Prowler OCSF output from Azure scans.
OS used
macOS
Prowler version
Observed on Prowler 5.15.1. The same category-group-only condition is still present on current master at the time of reporting.
Python version
Python 3.12 for local reproduction tests.
Pip version
Not applicable to the upstream code inspection; local validation used the repository uv environment.
Context
The check title and remediation describe Key Vault audit logging / AuditEvent, but the implementation requires audit and allLogs category groups. This can produce false failures where Azure shows AuditEvent logging enabled but does not populate categoryGroup for the diagnostic setting logs.
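The false failure described in this issue, as an added example that is not part of the original report and is not Prowler's own code. `LogSetting`, `from_arm`, `group_only_check` and `category_aware_check` are hypothetical names; the group-only condition assumes, following the Context paragraph, that both the `audit` and `allLogs` groups must be enabled, and the sample entries are constructed from the table in the report.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogSetting:
    """One entry of a diagnostic setting's logs array (hypothetical model)."""
    category: Optional[str]
    category_group: Optional[str]
    enabled: bool


def from_arm(entry: dict) -> LogSetting:
    # ARM uses camelCase keys; category or categoryGroup may be null.
    return LogSetting(entry.get("category"), entry.get("categoryGroup"),
                      bool(entry.get("enabled")))


def group_only_check(logs: list[LogSetting]) -> bool:
    """Condition described in the issue: only category groups are considered.
    Assumption: both the audit and allLogs groups must be enabled."""
    audit = any(s.category_group == "audit" and s.enabled for s in logs)
    all_logs = any(s.category_group == "allLogs" and s.enabled for s in logs)
    return audit and all_logs


def category_aware_check(logs: list[LogSetting]) -> bool:
    """Also accept an enabled explicit AuditEvent category, which is the
    behaviour the issue expects. One possible condition, not the project's fix."""
    explicit = any(s.category == "AuditEvent" and s.enabled for s in logs)
    return explicit or group_only_check(logs)


# Constructed samples: the shape from the report, a group-based setting,
# and an AuditEvent entry that is present but disabled.
EXPLICIT = [from_arm(e) for e in (
    {"category": "AuditEvent", "categoryGroup": None, "enabled": True},
    {"category": "AzurePolicyEvaluationDetails", "categoryGroup": None, "enabled": False},
)]
GROUPS = [from_arm(e) for e in (
    {"category": None, "categoryGroup": "audit", "enabled": True},
    {"category": None, "categoryGroup": "allLogs", "enabled": True},
)]
DISABLED = [from_arm({"category": "AuditEvent", "categoryGroup": None, "enabled": False})]

if __name__ == "__main__":
    for name, logs in (("explicit", EXPLICIT), ("groups", GROUPS), ("disabled", DISABLED)):
        print(name, group_only_check(logs), category_aware_check(logs))
```

The disabled case matters as a regression test: accepting the explicit category must not turn a vault with `AuditEvent` present but switched off into a pass.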