open-vault/website/source/docs/audit/file.html.md

---
layout: "docs"
page_title: "File - Audit Devices"
sidebar_title: "File"
sidebar_current: "docs-audit-file"
description: |-
  The "file" audit device writes audit logs to a file.
---

# File Audit Device

The `file` audit device writes audit logs to a file. This is a very simple audit
device: it appends logs to a file.

The device does not currently assist with any log rotation. There are very
stable and feature-filled log rotation tools already, so we recommend using
existing tools.

Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
and re-open their underlying file, which can assist with log rotation needs.

## Examples

Enable at the default path:

```text
$ vault audit enable file file_path=/var/log/vault_audit.log
```

Enable at a different path. It is possible to enable multiple copies of an audit
device:

```text
$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
```

## Configuration

Note the difference between `audit enable` command options and the `file` backend
configuration options. Use `vault audit enable -help` to see the command options.
Following are the configuration options available for the backend.

<dl class="api">
  <dt>Backend configuration options</dt>
  <dd>
    <ul>
      <li>
        <span class="param">file_path</span>
        <span class="param-flags">required</span>
            The path to where the audit log will be written. If this
            path exists, the audit backend will append to it. Specify `"stdout"` to write audit log to standard output; specify `"discard"` to discard output (useful in testing scenarios).
      </li>
      <li>
        <span class="param">log_raw</span>
        <span class="param-flags">optional</span>
            A string containing a boolean value ('true'/'false'), if set, logs
            the security sensitive information without hashing, in the raw
            format. Defaults to `false`.
      </li>
      <li>
        <span class="param">hmac_accessor</span>
        <span class="param-flags">optional</span>
            A string containing a boolean value ('true'/'false'), if set,
            enables the hashing of token accessor. Defaults
            to `true`. This option is useful only when `log_raw` is `false`.
      </li>
      <li>
        <span class="param">mode</span>
        <span class="param-flags">optional</span>
            A string containing an octal number representing the bit pattern
            for the file mode, similar to `chmod`. This option defaults to
            `0600`. Specifying mode of `0000` will disable Vault's setting any mode on the file.
      </li>
      <li>
        <span class="param">format</span>
        <span class="param-flags">optional</span>
            Allows selecting the output format. Valid values are `json` (the
            default) and `jsonx`, which formats the normal log entries as XML.
      </li>
      <li>
        <span class="param">prefix</span>
        <span class="param-flags">optional</span>
            Allows a customizable string prefix to write before the actual log
            line. Defaults to an empty string.
      </li>
    </ul>
  </dd>
</dl>
website: audit backends 2015-04-20 05:59:39 +00:00			`---`
			`layout: "docs"`
Audit backend -> device 2017-09-08 02:38:47 +00:00			`page_title: "File - Audit Devices"`
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads 2018-10-19 15:40:11 +00:00			`sidebar_title: "File"`
website: audit backends 2015-04-20 05:59:39 +00:00			`sidebar_current: "docs-audit-file"`
			`description: \|-`
Audit backend -> device 2017-09-08 02:38:47 +00:00			`The "file" audit device writes audit logs to a file.`
website: audit backends 2015-04-20 05:59:39 +00:00			`---`

Audit backend -> device 2017-09-08 02:38:47 +00:00			`# File Audit Device`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			The `file` audit device writes audit logs to a file. This is a very simple audit
			`device: it appends logs to a file.`
Update changelog and website for GH-1958 2016-09-30 19:08:38 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`The device does not currently assist with any log rotation. There are very`
Update changelog and website for GH-1958 2016-09-30 19:08:38 +00:00			`stable and feature-filled log rotation tools already, so we recommend using`
			`existing tools.`

Audit backend -> device 2017-09-08 02:38:47 +00:00			Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
			`and re-open their underlying file, which can assist with log rotation needs.`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`## Examples`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`Enable at the default path:`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			```text
			`$ vault audit enable file file_path=/var/log/vault_audit.log`
			```
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`Enable at a different path. It is possible to enable multiple copies of an audit`
			`device:`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			```text
			`$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log`
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			```

Audit backend -> device 2017-09-08 02:38:47 +00:00			`## Configuration`
website: audit backends 2015-04-20 05:59:39 +00:00
Cleanup of deprecated commands in tests, docs (#3788) 2018-01-15 20:19:28 +00:00			Note the difference between `audit enable` command options and the `file` backend
			configuration options. Use `vault audit enable -help` to see the command options.
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`Following are the configuration options available for the backend.`
website: audit backends 2015-04-20 05:59:39 +00:00
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`<dl class="api">`
			`<dt>Backend configuration options</dt>`
			`<dd>`
			`<ul>`
			`<li>`
Rename id to path and path to file_path, print audit backend paths 2016-03-14 21:15:07 +00:00			`<span class="param">file_path</span>`
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`<span class="param-flags">required</span>`
			`The path to where the audit log will be written. If this`
Add 'discard' target to file audit backend (#3262) Fixes #seth 2017-08-30 23:16:47 +00:00			path exists, the audit backend will append to it. Specify `"stdout"` to write audit log to standard output; specify `"discard"` to discard output (useful in testing scenarios).
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`</li>`
			`<li>`
			`<span class="param">log_raw</span>`
			`<span class="param-flags">optional</span>`
doc: change data type from boolean to string (#1997) the api doesn't accept the boolean value. it needs a string containing a boolean value. 2016-10-26 15:28:00 +00:00			`A string containing a boolean value ('true'/'false'), if set, logs`
			`the security sensitive information without hashing, in the raw`
			format. Defaults to `false`.
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`</li>`
			`<li>`
s/hash_accessor/hmac_accessor/g 2016-03-14 18:52:29 +00:00			`<span class="param">hmac_accessor</span>`
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`<span class="param-flags">optional</span>`
doc: change data type from boolean to string (#1997) the api doesn't accept the boolean value. it needs a string containing a boolean value. 2016-10-26 15:28:00 +00:00			`A string containing a boolean value ('true'/'false'), if set,`
			`enables the hashing of token accessor. Defaults`
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			to `true`. This option is useful only when `log_raw` is `false`.
website documentation update 2016-10-07 19:48:29 +00:00			`</li>`
doc: change data type from boolean to string (#1997) the api doesn't accept the boolean value. it needs a string containing a boolean value. 2016-10-26 15:28:00 +00:00			`<li>`
changes for 'mode' 2016-10-08 23:52:49 +00:00			`<span class="param">mode</span>`
website documentation update 2016-10-07 19:48:29 +00:00			`<span class="param-flags">optional</span>`
address feedback 2016-10-10 02:23:30 +00:00			`A string containing an octal number representing the bit pattern`
			for the file mode, similar to `chmod`. This option defaults to
Conditionally set file audit log mode (#3649) 2017-12-07 16:44:15 +00:00			`0600`. Specifying mode of `0000` will disable Vault's setting any mode on the file.
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`</li>`
			`<li>`
			`<span class="param">format</span>`
			`<span class="param-flags">optional</span>`
			Allows selecting the output format. Valid values are `json` (the
			default) and `jsonx`, which formats the normal log entries as XML.
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`</li>`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`<li>`
			`<span class="param">prefix</span>`
			`<span class="param-flags">optional</span>`
			`Allows a customizable string prefix to write before the actual log`
			`line. Defaults to an empty string.`
			`</li>`
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`</ul>`
			`</dd>`
			`</dl>`