open-vault/website/content/docs/audit/syslog.mdx

---
layout: docs
page_title: Syslog - Audit Devices
description: The "syslog" audit device writes audit logs to syslog.
---

# Syslog Audit Device

The `syslog` audit device writes audit logs to syslog.

It currently does not support a configurable syslog destination, and always
sends to the local agent. This device is only supported on Unix systems,
and should not be enabled if any standby Vault instances do not support it.

~> **Warning**: Audit messages generated for some operations can be quite
large, and can be larger than a [maximum-size single UDP
packet](https://tools.ietf.org/html/rfc5426#section-3.1). If possible with your
syslog daemon, configure a TCP listener. Otherwise, consider using a `file`
backend and having syslog configured to read entries from the file; or, enable
both `file` and `syslog` so that a failure for a particular message to log
directly to `syslog` will not result in Vault being blocked.

## Examples

Audit `syslog` device can be enabled by the following command:

```shell-session
$ vault audit enable syslog
```

Supply configuration parameters via K=V pairs:

```shell-session
$ vault audit enable syslog tag="vault" facility="AUTH"
```

## Configuration

The `syslog` audit device supports the common configuration options documented on
the [main Audit Devices page](/vault/docs/audit#common-configuration-options), and
these device-specific options:

- `facility` `(string: "AUTH")` - The syslog facility to use.

- `tag` `(string: "vault")` - The syslog tag to use.
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: Syslog - Audit Devices`
			`description: The "syslog" audit device writes audit logs to syslog.`
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00			`---`

Audit backend -> device 2017-09-08 02:38:47 +00:00			`# Syslog Audit Device`
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			The `syslog` audit device writes audit logs to syslog.
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`It currently does not support a configurable syslog destination, and always`
Audit backend -> device 2017-09-08 02:38:47 +00:00			`sends to the local agent. This device is only supported on Unix systems,`
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00			`and should not be enabled if any standby Vault instances do not support it.`

Add a warning to syslog Ping #3617 2018-06-22 13:00:05 +00:00			`~> Warning: Audit messages generated for some operations can be quite`
			`large, and can be larger than a [maximum-size single UDP`
			`packet](https://tools.ietf.org/html/rfc5426#section-3.1). If possible with your`
			syslog daemon, configure a TCP listener. Otherwise, consider using a `file`
			`backend and having syslog configured to read entries from the file; or, enable`
			both `file` and `syslog` so that a failure for a particular message to log
			directly to `syslog` will not result in Vault being blocked.

Audit backend -> device 2017-09-08 02:38:47 +00:00			`## Examples`
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			Audit `syslog` device can be enabled by the following command:
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Audit backend -> device 2017-09-08 02:38:47 +00:00			`$ vault audit enable syslog`
			```
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`Supply configuration parameters via K=V pairs:`
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Audit backend -> device 2017-09-08 02:38:47 +00:00			`$ vault audit enable syslog tag="vault" facility="AUTH"`
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			```
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`## Configuration`
website: Adding the syslog audit backend 2015-04-24 18:44:16 +00:00
Add option 'elide_list_responses' to audit backends (#18128) This PR relates to a feature request logged through HashiCorp commercial support. Vault lacks pagination in its APIs. As a result, certain list operations can return very large responses. The user's chosen audit sinks may experience difficulty consuming audit records that swell to tens of megabytes of JSON. In our case, one of the systems consuming audit log data could not cope, and failed. The responses of list operations are typically not very interesting, as they are mostly lists of keys, or, even when they include a "key_info" field, are not returning confidential information. They become even less interesting once HMAC-ed by the audit system. Some example Vault "list" operations that are prone to becoming very large in an active Vault installation are: auth/token/accessors/ identity/entity/id/ identity/entity-alias/id/ pki/certs/ In response, I've coded a new option that can be applied to audit backends, `elide_list_responses`. When enabled, response data is elided from audit logs, only when the operation type is "list". For added safety, the elision only applies to the "keys" and "key_info" fields within the response data - these are conventionally the only fields present in a list response - see logical.ListResponse, and logical.ListResponseWithInfo. However, other fields are technically possible if a plugin author writes unusual code, and these will be preserved in the audit log even with this option enabled. The elision replaces the values of the "keys" and "key_info" fields with an integer count of the number of entries. This allows even the elided audit logs to still be useful for answering questions like "Was any data returned?" or "How many records were listed?". 2023-01-11 21:15:52 +00:00			The `syslog` audit device supports the common configuration options documented on
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`the [main Audit Devices page](/vault/docs/audit#common-configuration-options), and`
Add option 'elide_list_responses' to audit backends (#18128) This PR relates to a feature request logged through HashiCorp commercial support. Vault lacks pagination in its APIs. As a result, certain list operations can return very large responses. The user's chosen audit sinks may experience difficulty consuming audit records that swell to tens of megabytes of JSON. In our case, one of the systems consuming audit log data could not cope, and failed. The responses of list operations are typically not very interesting, as they are mostly lists of keys, or, even when they include a "key_info" field, are not returning confidential information. They become even less interesting once HMAC-ed by the audit system. Some example Vault "list" operations that are prone to becoming very large in an active Vault installation are: auth/token/accessors/ identity/entity/id/ identity/entity-alias/id/ pki/certs/ In response, I've coded a new option that can be applied to audit backends, `elide_list_responses`. When enabled, response data is elided from audit logs, only when the operation type is "list". For added safety, the elision only applies to the "keys" and "key_info" fields within the response data - these are conventionally the only fields present in a list response - see logical.ListResponse, and logical.ListResponseWithInfo. However, other fields are technically possible if a plugin author writes unusual code, and these will be preserved in the audit log even with this option enabled. The elision replaces the values of the "keys" and "key_info" fields with an integer count of the number of entries. This allows even the elided audit logs to still be useful for answering questions like "Was any data returned?" or "How many records were listed?". 2023-01-11 21:15:52 +00:00			`these device-specific options:`

Audit backend -> device 2017-09-08 02:38:47 +00:00			- `facility` `(string: "AUTH")` - The syslog facility to use.

			- `tag` `(string: "vault")` - The syslog tag to use.