Programmatically read Azure App Insights logs without a client secret?

Problem description

I have a C# application that writes traces and exceptions to Azure Application Insights using Microsoft.ApplicationInsights and the TelemetryClient class.

I want to programmatically search the AI trace and exception logs using C#, as opposed to having to use Kusto queries. Every article I've read on how to do this seems to require that I know the Client Secret for the resource. But I am unable to obtain this, as I don't have authorization to create certificates and secrets in our environment. (I do, however, possess the InstrumentationKey from the ApplicationInsights.config file).

I'm sure there has to be a way to do this without using a secret - right? After all, TelemetryClient doesn't require a secret to write to AI logs (it just needs the aforementioned InstrumentationKey); therefore (since reading is a less risky operation security-wise than writing), I would assume that there's a way to programmatically read the logs with just an InstrumentationKey and without a client secret. Can you please tell me how to do this?

Recommended answer

Basic wrong assumption here.

since reading is a less risky operation security-wise than writing

You are writing logs of application operations that may include security critical information (when URLs get logged, exceptions get logged, variables are written to the server). So in this case WRITING is NOT critical - you can submit fake data, but that is it.

But READING is security critical because you DO expose legally protected data through reading (i.e. possibly and most likely private information of people).

The rest of your question flows from the assumption reading is less security relevant, so all your conclusions are bad.

This is why you need only an instrumentation key to write, but a client secret to read.
